The USDE Handbook for Protection of Sensitive but Unclassified Information includes a section on identification and marking of sensitive information. In this section, the Department requires that for high-impact information systems, external labels must be affixed to removable information storage media and printed output indicating the distribution limitations, handling caveats, and applicable security markings, if any, of the information. To provide for adequate handling of your school’s sensitive information, you should ensure that all media containing sensitive information are appropriately marked with the sensitivity of the information stored on the media. At a minimum, hardcopy documents and printouts containing sensitive information should have appropriate markings and labels. Labeling should include any special handling instructions.
The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems. Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Essentially, information kept in a secure location (e.g., a locked file cabinet) would not need any labeling. However, if the information is ever kept in a more public setting, security could be an issue and the documents containing Personally Identifiable Information (PII) would need to be labeled confidential, sensitive information, etc. If your school handles hard copy PII between different offices, or the documents ever leave your campus, the data would need to have the proper security labeling.
Every school that handles PII must evaluate and determine procedures for protecting sensitive documents. Below is how DJA maintains a secure environment.
– Located in our own facility that is not shared with any other businesses or occupants.
– Protected by an alarm system that includes managed access, video surveillance, and secured monitoring 24 hours a day, every day.
– Doors remain locked during business hours. The building can only be entered by using a coded key fob assigned to each staff member. All visitors must use an intercom system to gain entrance into the building and must sign in at the front office. A visitor’s badge is required.
– All removable media such as USB flash drives, optical disc drives, CDs and DVDs are restricted.
– Use SchoolDocs as a document management system that stores and delivers information in a secure environment and ensures maintenance and documentation of student privacy requirements.
– PII is only sent via email using ShareFile, which is a secure document exchange system.