
NUMBER: 860
SUBJECT: INFORMATION SECURITY
AUTHORIZING BODY: PRESIDENT'S CABINET
RESPONSIBLE OFFICE: UNIVERSITY TECHNOLOGY SERVICES
DATE ISSUED: MARCH, 2005
LAST UPDATE:
RATIONALE: Electronic data are an important university asset that must be protected by appropriate safeguards and managed with respect to data stewardship. This policy defines the required electronic data management environment and assigns responsibility for ensuring data and information security at each level of access and control. It is the responsibility of every university employee who accesses data and information in electronic formats to provide for the security of that data.
POLICY:
1. Background and purpose
2. Definitions
3. Data stewardship
4. Data maintenance and control method
5. Data custodianship
6. Distributing or transferring data
7. Storing data
8. Systems and network data
9. Value of data
10. Sanctions
As new technologies are developed and implemented at the university, issues multiply around data management and security. The use of mobile computing devices such as laptops, personal digital assistants (PDAs), cell phones, electronic file exchanges, and the growing use of application service providers (see definitions below) increase the vulnerability of university electronic data and information assets. This policy exists with other data or information technology policies to provide comprehensive protection of university technology assets.
2. Definitions
a. Application service provider (“ASP”)
ASP is a technology solution or system where a third-party manages and distributes software-based services and solutions, including data storage, appropriate to that software solution, to customers across a wide area network from a central data center. These are usually web-based solutions where data are sent to off-campus systems and accessed via the Internet. Departments employing ASPs must consult with the General Counsel’s Office and/or the Office of Risk Management prior to contract.
b. Confidential data
Electronic data that are specifically restricted from open disclosure by legal statute are classified as confidential data. Data receiving this classification require a high level of protection against unauthorized disclosure, modification, destruction, and use. Examples of confidential data include, but are not limited to:
i. Student data protected by the Federal Educational Rights and Privacy Act (FERPA, policy #1130);
ii. Medical data (such as data protected by the Health Insurance Portability and Accountability Act);
iii. Research (e.g., information related to a forthcoming or pending patent application, grant applications and proposals, information related to human subjects);
iv. Information access security, such as login passwords, PINs, digitized signatures, and encryption keys;
v. Credit card numbers or banking information;
vi. Personnel file; and
vii. Library records (such as covered by the Michigan Library Privacy Act 455).
c. Data Classifications
All electronic data covered by this policy are assigned one of three classifications:
1. Confidential
2. Operation critical
3. Unrestricted
d. Data custodian
Data custodians are the persons or departments providing operational support for an information system and having responsibility for implementing the data maintenance and control method defined by the data steward.
e. Data maintenance and control method
The process defined and approved by the data steward to handle the following tasks:
i. Identification of valid data sources
ii. Acceptable methods for receiving data from identified sources
iii. Process for the verification of received data
iv. Rules, standards and guidelines for the entry of new data, change of existing data or deletion of data
v. Rules, standards and guidelines for controlled access to data
vi. Process for data integrity verification
vii. Acceptable methods for distributing, releasing, sharing or transferring data
viii. Acceptable data locations
ix. Providing for the security of confidential and operation critical data
x. Assuring sound methods for handling, processing and disaster recovery of data
f. Data steward
The persons responsible for university functions and who determine data maintenance and control methods are data stewards.
g. Electronic data
Electronic data are distinct pieces of information, intentionally or unintentionally provided to the university in a variety of administrative, academic and business processes. This policy covers all data stored on any electronic media, and within any computer systems defined as a university information technology resource under policy #890. Within this document, “electronic data” and “data” are used interchangeably. This definition does not include course materials and intellectual property.
h. Mobile computing devices
Mobile computing devices are information technology resources (as defined in policy #890) that may leave the general campus location. Samples of such devices include, but are not limited to, laptops, personal digital assistants (PDAs), cell phones, CD/DVD R/W disks, USB devices, flash drives, zip drives, etc.
i. Operation critical data
Data determined to be critical and essential to the successful operation of the university as a whole, and whose loss or corruption would cause a severe detrimental impact to continued operations, are classified as operation critical data. Data receiving this classification require a high level of protection against accidental distribution, exposure or destruction, and must be covered by high quality disaster recovery and business continuity measures. Data in this category include data stored on enterprise systems such as SunGard SCT Banner 2000 and data passed through networked communications systems. Such data may be released or shared under defined, specific procedures for disclosure, such as departmental guidelines, documented procedures or policies.
j. University provided data systems
University provided data systems are information technology resources, as defined and described in policy #890, owned by Oakland University and used for the storage, maintenance and processing of university data.
k. Unrestricted data
Unrestricted data is information that may be released or shared as needed. Examples are data files for the schedule of classes, or other publicly available data, such as a directory.
l. Usage and data use
Usage and data use are defined as gathering, viewing, storing, sharing, transferring, distributing, modifying, printing and otherwise acting to provide a data maintenance environment.
Recognized data stewards are:
| TYPES OF DATA | DEPARTMENT, POSITION RESPONSIBILITY |
| --- | --- |
| Aggregate student data | Office of Institutional Research and Assessment, Director |
| Alumni, Donor or Development Records | Division of University Relations, VP Director Development Information Services |
| Financial records | Division of Finance, VP or Associate VP |
| Financial Aid records | Office of Financial Aid, Director |
| Graduate student applicant data | Office of Graduate Study, Executive Director |
| Human resources for employment data | University Human Resources, Assistant VP Finance & Administration, Associate VP Academic Affairs, Assistant Vice President Faculty Personnel |
| Library records | Kresge Library, Dean |
| Research data | Office of Research, Dean Academic unit, Dean Individual faculty member |
| Student records (of any type) | Office of the Registrar, Registrar Student Affairs, Assistant VP and Dean of Students |
| Systems and network logs, security authentication files or information technology resource operational data | University Technology Services, Assistant VP |
| Undergraduate student applicant data | Assistant Vice President, Enrollment Management |
4. Data maintenance and control method
Data stewards will develop and maintain data maintenance and control methods for their assigned systems.
If the system is a university provided data system, University Technology Services may provide guidance and services for the tasks identified in the data maintenance and control method.
If the system is out-sourced or provided by an ASP, the data steward must still verify that the data maintenance and control method used by the ASP meets current university technology standards. Further, ongoing provisions for meeting current university technology standards must be included in the service contract.
Review of out-sourced or ASP solutions must include University Technology Services and the Office of Risk Management, and may include the General Counsel’s office, where appropriate, prior to final solution selection and purchase.
Data custodians will use data in compliance with the established data maintenance and control method. Failure to process or handle data in compliance with the established method for a system will be considered a violation of policy #890 Use of University Information Technology Resources, and sanctions defined in that policy may apply.
6. Data usage
In all cases, data provided to Oakland University will be used in accordance with the Privacy Statement accessed from the university home page www.oakland.edu, and within the guidelines provided to those giving data to the university.
Data will be released in accordance with university policies (such as policy #470 Release of Student Educational Records).
Standards for secure file transmissions, or data exchanges, must be evaluated by University Technology Services when a system other than a university provided data system is selected, and certain contract language must be included. The General Counsel’s Office and/or the Office of Risk Management must be consulted regarding such language.
Unencrypted authorization and data transmission are not acceptable.
Data used in the pursuit of teaching, learning, research and administration must be managed to preserve integrity and trust. This is the responsibility of all who use data.
7. Storing data
Data cannot be stored on a system other than a university provided data system without the advance permission of the data steward and demonstrated legitimate need.
Data cannot be stored on a university-provided mobile computing device without the advance permission of the data steward and demonstrated legitimate need.
Data should be stored in encrypted formats whenever possible. Encryption strategies should be reviewed with University Technology Services in advance to avoid accidental data lockouts.
When approving mobile computing device usage, data stewards must verify that those using mobile computing devices can provide information about what data were stored on the device (such as a copy of the last backup) in the event the device is lost or stolen.
In all cases, data storage must comply with university retention policies. Data usage on a contracted or ASP system must have specific retention standards written in the service contract. The General Counsel’s Office and/or the Office of Risk Management must be consulted regarding such language.
Provisions for the return of all university data in the event of contract termination must be included in the contract, when data are stored on a contracted system or ASP. The General Counsel’s Office and/or the Office of Risk Management must be consulted regarding such language.
Current security standards (such as controlled access, personal firewalls, antivirus, fully updated and patched operating systems, etc.) will be evaluated when a system other than a university provided data storage system is selected and must be covered in contract language. The General Counsel’s Office and/or the Office of Risk Management must be consulted regarding such language.
Data stored on mobile computing devices must be protected by current security standard methods (such as controlled access, firewalls, antivirus, fully updated and patched operating systems, etc.).
University standard procedures for the protection and safeguarding of confidential and operation critical data must be applied equally and without exception to university provided data systems, mobile computing devices and systems other than university provided data systems, such as ASPs.
Systems and network data, generated through systems administration, logs or other system recording activities, cannot be used, or captured, gathered, analyzed or disseminated, without the advance permission of the Assistant Vice President, University Technology Services.
In all cases where data are to be processed through an ASP or other third-party arrangement, the following assessment must be done:
· The value of the data must be determined in some tangible way.
· Signature approval from the data steward’s division or appropriate party with the ability to authorize activity at the level of the value of the data must be obtained.
10. Sanctions
Failure to follow the guidelines contained in this document will be considered inappropriate use of a university information technology resource and therefore a violation of policy #890. Sanctions will follow the steps identified in that policy.