
Securely Digitizing Files for Upload to HRS

Overview

In order to upload various paper documents into HRS, each campus must maintain a solution to digitize these documents. The campus solution for document digitization must adhere to all institutional and UW System policies. Any documents containing Personally Identifiable Information (PII) should be treated as moderate or high risk, depending on the specific information included. More information on how to classify data can be found in UW System Administrative Procedure 1031.A.


UW System Administrative Procedure 1031.B describes the data protections that should be applied to any system that houses or processes moderate or high risk data. Here, we describe the data protections that any system used to digitize documents for storage within HRS must meet to adhere to UW System Administrative Policy 1031 and its associated procedures.

Process Requirements

Access Controls:

Any system used to store the digitized documents must allow authentication by authorized users only and must be protected by Multi-Factor Authentication. Any storage media containing digitized documents must be encrypted (this includes any backup media). Any system transmission must be encrypted (note: transmission to HRS is already encrypted for you).

Data Storage:

Digitized documents must not be stored on a scanner, in another application, or on a local workstation for longer than necessary.

Network Security:

Digitizing devices (scanners) and connected hardware must be connected to the campus network and must not be accessed on an unsecured network. It is assumed that the campus network is compliant with all UW System Administrative policies.

Workstations and Mobile Devices:

Workstations must use password protection and an inactivity timeout of no more than 30 minutes. Personal devices should not be used.

Physical Security:

Data must be masked from casual view to prevent unauthorized access. The system must be locked or logged out when unattended. Any document storage must be in a secured location, including physical copies.

System Security:

Workstations must run up-to-date anti-virus software, such as Cisco AMP, on a regular basis. Operating systems and drivers must be updated regularly.

Media Sanitization and Disposal:

Storage media must be securely destroyed or disposed of through a bonded disposal service.


Potential Technical Controls for Workstations uploading HRS data

Each campus may implement its own specific solution to meet the UW System Administration Policies for digitizing documents for upload to HRS.

Below, we have detailed one potential approach to meeting these requirements.

Proposed Technical Controls for Workstations uploading HRS data:

Access Controls

1.    Fully encrypted hard drive
  • Example: BitLocker or VeraCrypt
2.    Multi-Factor Authentication must be present for the Desktop login
3.    Users logging in to the system must not have admin rights

Data Storage

1.    USB Direct Connected Document Scanner
  • Scanner must not store documents
  • Must have no network connections

Network Security

1.    Ethernet cable must be locked to the workstation and to the wall
  • Wireless, if equipped, must be disabled on the device.
  • Ethernet Lock: such as Panduit Lock-In Device

Workstations and Mobile Devices

1.    System should be a desktop
  • If the system is backed up, the backup must be encrypted.
2.    Operating System, all applications and drivers should be patched/updated monthly

Physical Security

1.    System should be secured with a Kensington lock or stored in a secured area
  • Secure area – No publicly accessible space
  • If the device is in a public area, the screen should not be casually viewable.
    • Privacy Filter: such as Privacy Filter for Diagonal Standard Monitors
  • System Lock: such as Kensington

System Security

1.    System should run AMP for Endpoints as the Anti-Virus software

Media Sanitization and Disposal

1.    Media destruction
  • Drives should be disposed of by DOD 5220.22-M wipe or physical destruction

Additional Recommended Best Practices

1.    Regular removal of sensitive documents

  • Example: At the end of the day or end of the week, sensitive files should be deleted from the system, including the recycling bin.

2.    Internet access should be limited; the system should connect only to HRS

3.    System should not connect to file shares/servers

4.    Scanner USB cable should be locked to desktop USB ports. All other ports that are not needed should be disabled

  • Mouse, keyboard and scanner should be the only allowed items. All other ports should be locked or plugged.
  • USB Port Lock: such as Kensington USB Port Lock
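
A read-only audit of several of the workstation controls listed above, as an added example that is not part of the original document or of any UW tooling. It assumes a Windows workstation encrypted with BitLocker; the `$AllowedAdmins` list and the 35-day patch window are assumptions to adjust per campus.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of a Windows scanning workstation against
# the controls listed on this page. It changes nothing on the system.
$AllowedAdmins = @()   # assumption: names of approved IT admin accounts/groups
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Control, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# Encrypted hard drive: OS volume fully encrypted with BitLocker protection on.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$encrypted = $null -ne $vol -and "$($vol.ProtectionStatus)" -eq 'On' -and
             "$($vol.VolumeStatus)" -eq 'FullyEncrypted'
Add-Check 'Encrypted hard drive' $encrypted "Protection=$($vol.ProtectionStatus) Status=$($vol.VolumeStatus)"

# No admin rights for users: flag Administrators members other than the
# built-in account (RID 500) and the approved list.
$extra = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object {
    $_.SID.Value -notmatch '-500$' -and $_.Name -notin $AllowedAdmins })
Add-Check 'Users without admin rights' ($extra.Count -eq 0) "Unexpected admins: $($extra.Name -join ', ')"

# Inactivity timeout of no more than 30 minutes. Only the "machine inactivity
# limit" policy value is read; a screen-saver lock policy is not inspected.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$secs = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
Add-Check 'Inactivity timeout <= 30 min' ($secs -gt 0 -and $secs -le 1800) "InactivityTimeoutSecs=$secs"

# Wireless must be disabled: no Wi-Fi adapter may be in an enabled state.
$wifi = @(Get-NetAdapter -Physical | Where-Object {
    $_.PhysicalMediaType -match '802\.11|Wireless' -and $_.Status -ne 'Disabled' })
Add-Check 'Wireless disabled' ($wifi.Count -eq 0) "Enabled Wi-Fi adapters: $($wifi.Name -join ', ')"

# No file share connections: SMB mappings visible to this logon session only.
$maps = @(Get-SmbMapping -ErrorAction SilentlyContinue)
Add-Check 'No file share connections' ($maps.Count -eq 0) "Mappings: $($maps.RemotePath -join ', ')"

# Monthly patching: newest installed hotfix. The 35-day window is an assumption.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
Add-Check 'Patched monthly' ($last -and $last.InstalledOn -gt (Get-Date).AddDays(-35)) "Latest: $($last.HotFixID) $($last.InstalledOn)"

$results | Format-Table -AutoSize -Wrap
```

Physical controls (cable locks, privacy filters, port locks) and the anti-virus agent are not covered and still need a manual check.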


    Keywords:
    PFILE, Personnel File, Scanner, scanning, Foreign Nationals 
    Doc ID:
    94536
    Owned by:
    Andrew B. in UW–Shared Services
    Created:
    2019-09-18
    Updated:
    2024-05-14
    Sites:
    UW–Shared Services