University of Iowa policies classify data and emphasize that everyone who works with university data bears responsibility for keeping it safe.

Secure data management is especially important for restricted or critical data—student transcripts, patient records, or other data that could cause significant or severe harm is mishandled. Access to this data should be granted only on a need-to-know basis.

Security is imperative regardless of where you work—on site, at home, or on the road. Different practices may apply based on work location, device usage, and other factors.

Understand the data you work with

Data classification considers confidentiality, integrity, and availability. Any one of these factors can elevate a type of data to restricted or critical status.

More sensitive data requires greater security. Data classified as university-internal or public, by contrast, poses relatively low risk if mishandled.

Get a primer on data classification or review the Institutional Data Policy and data classification guidelines.

Maintain physical security

Security practices apply to data in any form, including paper records or digital files on physical media.

• Office security: If you manage physical records—on campus or elsewhere—lock your office or workspace when unattended.
• Document handing: Store sensitive records in locked cabinets or drawers. Shred unneeded documents/media instead of discarding with regular trash.

Protect devices and networks

Exercise similar care with devices where digital records may be stored or accessed. Use university-managed devices whenever possible. If you must use a personal device or home network, be sure you’re following good security practices.

• Passwords: Use unique passwords for all devices/accounts and change them regularly. Use multifactor authentication (including Two-Step Login/Duo) whenever it’s available.
• Device protection: Encrypt laptops, smartphones, and other devices. Use antivirus/endpoint protection software and keep devices updated.
• Secure networks: Connect only to secure, trusted Wi-Fi networks. Avoid using public Wi-Fi to access or transmit sensitive data.

Manage files safely

• File sharing: Use secure methods such as encrypted email services or authorized cloud storage with access protections whenever sharing files.
• Data backups: Regularly back up important data to secure locations. Ensure backups are encrypted and stored safely.
• Access control: Limit access to sensitive data, authorizing only people who need it for their work. Regularly review and update access permissions.

Look out for phishing and other scams

• Email: Scrutinize unsolicited emails, especially any requesting sensitive information. Remember that “spearphishing” scammers can convincingly pose as a colleague, your boss, or someone else you know. Avoid clicking suspicious links or attachments.
• Verification: Verify the identity of anyone who requests sensitive data. Contact them via official channels to confirm their requests.

Follow university protocols

• Training: Complete all assigned training sessions on data protection and cybersecurity.
• Compliance and reporting: Follow university policies and legal regulations for data protection. Report any data breaches or security incidents immediately to the Information Security and Policy Office.

Promote a culture of security

• Awareness: Encourage colleagues to follow best practices and stay informed about security threats, recommended practices, and incident prevention.
• Communication: Stay in touch with your local IT support or help desk. Consult the Information Security and Policy Office about data-security practices or concerns.

Data security is a shared responsibility. Take proactive steps to protect the data you work with.