ITS recommends using the Storage Wizard to best determine where to store high risk (confidential) data. Generally, this information should be stored in Office 365 (including OneDrive and SharePoint), department file shares, or the Data Core system. Storing information in these systems helps reduce the likelihood of data loss or a data breach.
Storing WCM data securely
Per the ITS 11.06 – Device Encryption policy, all devices tagged by ITS and used for WCM purposes must be encrypted. External storage devices, such as USB flash drives and external hard drives, used for storing high risk data must also be encrypted. These devices can easily be lost or stolen.
Examples of removable storage devices include, but are not limited to, flash drives, external hard drives, memory cards, and optical discs. Strong hardware- or software-based encryption algorithms such as the Advanced Encryption Standard (AES) with at least 256-bit keys should be used. Examples of compliant encryption software for removable storage devices include Apple FileVault 2, Microsoft BitLocker, LUKS (for Linux systems), and VeraCrypt (open source). When encrypted removable storage devices are used to share high risk data, the encryption password must be shared separately and in a secure manner, such as encrypted email.
Purchasing a flash drive or hard drive
If you are considering purchasing a flash drive or external hard drive, please determine if you can store the information through one of the recommended options from the Storage Wizard instead. If you still need to use an external storage device, check with ITS Security (its-security@med.cornell.edu) to determine if the device meets the requirements above. If you lose a flash drive or hard drive, report it immediately to the Service Desk and indicate when and where the device was lost or stolen.