DATA SECURITY POLICY
1. No member of the Current Diary is permitted to electronically store or maintain records of clients or
clients' data in any way relating to Current Diary-sponsored activities. Information Technology Services
(ITS) must approve the use of any system or application that electronically processes, stores, or
transmits data.
Paper documents containing client data should be secured in a locked office and stored in a cabinet. In
an open office environment, paper documents should be stored in locked cabinets. Paper documents
should not be left in an unsecured office after work hours.
2. The following Confidential data types can only be electronically stored on an ITS managed server and
can only be accessed from an ITS managed computer.
Name
Father Name
Mother Name
Contact Number
Address
In the event that an exception is necessary in order to carry out the business of the Company, the user
must get written approval from both the Company and the Information Security Officer.
3. It is recommended that all other Confidential data and Restricted data types be electronically stored
or accessed from one of the following devices, in order of preference: ITS managed server,
ITS managed desktop computer, encrypted laptop, encrypted mobile storage device. Any encrypted
device must be encrypted using a process documented and approved by ITS, and the administrator of
such system must report to the Information Security Officer on system security related matters.
When handling physical documents containing any Confidential and/or Restricted data types, the
documents must be in your possession at all times; otherwise they should be stored in a secure
location (e.g. room, file cabinet, etc.) to which only specifically-approved individuals have access
through lock and key. When the information is no longer needed, the physical documents must be
shredded using a company-approved device prior to being discarded, or destroyed by a company-approved
facility.
Confidential data and Restricted data should not be taken or stored off-campus unless the user is
specifically authorized to do so by the Company and notification of the authorization is sent to the
Information Security Officer.
4. Current Diary reserves the right to electronically scan all company-owned resources and resources
connected to the company network for Confidential data. In the event that Confidential data is found in
unauthorized locations, the Information Security Officer will follow up with the responsible member to
remedy the situation.
5. Confidential data cannot be transmitted through any electronic messaging (i.e. email, instant
messaging, text messaging) even to other authorized users. Confidential data in a physical format
cannot be transmitted through untracked delivery methods.
6. All employee and staff account passwords must be complex. A complex password is defined as
follows:
At least eight characters long
Cannot contain three or more characters from the user's account name
Must contain characters from 3 of the following categories:
  Uppercase English letter (A to Z)
  Lowercase English letter (a to z)
  Number (0 to 9)
  Non-alphanumeric character (!, #, $, &, =, etc.)
  Unicode character
7. Users who are authorized to access or maintain Confidential data or Restricted data must ensure
that it is protected to the extent required by Company policy or law after they obtain it. All data users
are expected to:
Access data only in their conduct of Company business.
Request only the minimum Confidential data or Restricted data necessary to perform their Company
business.
Respect the confidentiality and privacy of individuals whose records they may access.
Observe any ethical restrictions that apply to data to which they have access.
Know and abide by applicable laws or policies with respect to access, use, or disclosure of data.
8. Compliance with these data protection policies is the responsibility of all members of the Current
Diary community. Violations of these policies will be dealt with seriously and will include sanctions, up
to and including termination of employment. Users suspected of violating these policies may be
temporarily denied access to the data as well as Company information technology resources during
investigation of an alleged abuse. Violations may also be subject to prosecution by state and federal
authorities. Suspected violations of the Company's data protection policies must be reported to the
Information Security Officer.