Network Storage of Files Containing Personally Identifiable Information

ISO Position Paper

Position Title: Network Storage of Files Containing Personally Identifiable Information
or Restricted Data

Position Audience: Princeton IT Professionals

Contact: Information Security Office: InfoSec@princeton.edu

Position Release Date: November 2018


Problem Statement

Personally Identifiable Information (PII)¹ and Restricted data within files are often stored on
network shared drives and are not removed when no longer needed.

Unauthorized access to files containing PII and/or Restricted data can lead to financial
penalties and damage to Princeton University’s reputation.

ISO Position

All PII and Restricted data should remain in and be utilized from the appropriate systems of
record.

If there is a need to save a file containing PII and/or Restricted data, it should be stored on a
centrally managed University network storage service for as short a time as possible and never
longer than 30 days.

Additional Information

Please refer to protectourinfo.princeton.edu for additional information on data classifications.

¹ The National Institute for Standards and Technology (NIST) defines PII as information which
can be used to distinguish or trace the identity of an individual (e.g., name, social security
number, biometric records, etc.) alone, or when combined with other personal or identifying
information which is linked or linkable to a specific individual (e.g., date and place of birth,
mother’s maiden name, etc.).

Data classification: Public