Information Protection and Access Policy
Policy
Information systems storing, processing, or serving confidential data will be secured. Appropriate and relevant levels of access to university data will be provisioned and revoked in accordance with existing federal or state laws, university policies, rules, and regulations.
Rationale
The rising frequency of security incidents involving network-attached devices significantly increases the probability of major disruptions to the internal computer systems of the university. Statistics indicate that a very large percentage of potentially damaging incidents can be avoided by the use of existing anti-virus detection and elimination procedures. Establishing policy centrally and issuing standards and utilities from a central authority allows for rapid incident response and continuous update of protection methods.
Responsibility:
All University data that has been classified as “confidential” must have an identified Data Steward. Data Stewards have the primary responsibility for the privacy and security of the university data under their responsibility. Furthermore, all data users, not just Data Stewards, administrators, or processors, are responsible for the security and privacy of the data they access, transmit, and store as prescribed in university policy.
Standards & Procedures
Standards
Data Categories. All university information data elements exist in one of three categories: Confidential, Sensitive, or Unrestricted (derived from Board of Regents definitions).
Confidential Data. Data for which the highest levels of restriction should apply due to the risk or harm that may result from disclosure or inappropriate use.
Examples of Confidential Data: Social Security Numbers, Credit Card Information, Electronic Protected Health Information.
Sensitive Data. Data for which users must obtain specific authorization to access since the data's unauthorized disclosure, alteration, or destruction may cause perceivable damage to the institution.
Examples of Sensitive Data: Date of Birth, University Email, Purchasing Data, Student Grades.
Unrestricted Data. No access restrictions. Available to the general public.
Data Stewardship and Access Procedures. Data Stewards are responsible for ensuring that a security review has been successfully completed prior to granting access to confidential data elements and for ensuring that access privileges are revoked for terminated employees in a timely manner. Data Stewards are also responsible for annually submitting a signed Protected Data Elements Report which includes details about their confidential data elements so that users are aware of the definitions, restrictions, or interpretations, and other issues which ensure the correct use of data. Moreover, the Protected Data Elements Report must be updated and resubmitted by the Data Steward whenever there are changes to their confidential data elements. Examples of documented changes include reclassification, additional confidential data, and/or major system modifications. This Protected Data Elements Report includes information such as:
- Data element name
- Data element description
- Data element location(s) and/or system(s)
- Data element classification (Sensitive or Confidential)
Social Security Numbers. The University is required to collect SSNs from students, staff and faculty for legitimate business and reporting purposes. SSNs are classified as “confidential” and the university does not request, collect, store or otherwise utilize social security numbers except when required by “business necessity”. Moreover, a social security number shall not be used as the primary identifier for a student, staff or faculty member in any university database system.
Procedures:
- Data Access Request Form (For requests other than SSNs)
- Data Steward Security Review Procedure
- Data Steward Protected Data Elements Report
- Instructions on How to Secure Campus Systems
- SSN Access Request Form (For SSN access only)
Revisions
Approval Date(s)
Reviewed by Information Security Subcommittee: 8/16/07
Reviewed by ISAT Senate Committee:
Approved by: University Administrative Council
Approved on: 7 November 2007
Version number: 1.0.0
Effective Date: 7 November 2007
Summary of Changes/Additions/Deletions
This policy supersedes the Data Stewardship and Access Policy, the Internet Services (Server) Registration Policy, and the Sensitive Information Protection Policy.






