Last Reviewed: October 6, 2022
Last Revised: October 6, 2022
- Introduction
Security and compliance are ongoing, mission-critical business processes of the University and are an integral part of the obligations of all members of the University community. The data security measures included in this standard is designed to provide data resiliency against the current and rapidly changing threat landscape and a sound foundation from which to address external compliance regulations, both legal and contractual.
This policy applies to anyone who accesses, uses, or controls University computer and data resources, including, but not limited to, faculty, administrators, staff, researchers, students, those working on behalf of the University, guests, contractors, consultants, visitors, and/or individuals authorized by affiliated institutions and organizations.
- POLICY OVERVIEW
All access to data is granted to employees as part of their job role at the University, based on the principle of “minimum necessary.” The data security standard defines the minimum-security requirements that must be applied to the data types defined in Policy IT 13.10.051 - Data Classification. Some data elements, such as credit card numbers and protected health information, are regulated data and have additional security requirements defined in external standards. GDPR-related data also requires heightened awareness and oversight. In addition, access and use of university data is covered by the IT 13.10.050 - Institutional Data Management Policy.
- POLICY Process
This policy outlines the security measures for protecting data classified as Public, Internal, Confidential, and Restricted. See Policy IT 13.10.051 – Data Classification.
- Requirements for Handling Public Data
- Access control: Access to data classified as Public is generally available to the public. The use, access, or alteration of public data will not be restricted so long as its release to the public will not hurt the University or an individual community member. The public has implicit permission to use the data that is made publicly available.
- Protection: Public data will be protected from unauthorized modification or misuse (integrity). Applicable system security standards will be implemented for systems that store, process, or transmit Public Data.
- Sharing: Public data may be freely shared and released publicly without obtaining permission from a Data Steward.
- Retention: Public data may be stored for as long as necessary; there are no policies governing the retention of public data.
- Incident notification: If there is a potential security incident that may place Public data at risk of unauthorized modification, the Information Security Office (ISO) must be notified
- Requirements for Handling Internal Data
- Access control: Access to data classified as Internal must be provided on a least-privilege basis.
- Protection: Internal data does not need to be encrypted unless specifically requested. Applicable system security standards will be implemented for systems that store, process, or transmit Internal data.
- Sharing: Internal data can be shared among university employees. It may be made available to non-University entities based on business needs and approval.
- Retention: Internal data should only be stored for as long as necessary to accomplish the documented business process. See University Policy RISK 1.10.025 – Records Management.
- Incident notification: If there is a potential security incident that may place Internal data at risk of unauthorized access, the Information Security Office (ISO) must be notified.
- Requirements for Handling Confidential Data
- Labeling: No special requirements. Some documents should be labeled as “Confidential.”
- Access control: Access to Confidential data must be provided on a least-privilege basis. No person or system should be given access to the data unless required by a business process. When access is required, the data steward must grant permission to use the data.
- Protection: Confidential data must be encrypted and securely disposed of. Applicable system security standards will be implemented for systems that store, process, or transmit Confidential data.
- Sharing: Confidential data may be shared among university employees according to a well-defined business process approved by the data steward. It may be released publicly only according to well-defined business processes and with the permission of the data steward.
- Retention: Confidential data should only be stored for as long as necessary to accomplish the documented business process. See University Policy RISK 1.10.025 – Records Management.
- Incident notification: If there is a potential security incident that may place Confidential data at risk of unauthorized access, the University Office of Information Security must be notified.
- Requirements for Handling Restricted Data
- Labeling: Must be marked as “Restricted.”
- Collection: Can be collected only when all of the following conditions are met:
- The data is not available from another authoritative source; and
- The data is required by a business process; and
- Permission has been granted to collect the data from the appropriate data steward; or if the data is requested by the University Office of General Counsel in response to litigation.
- Access control: Individuals must be granted access to Restricted data on a least-privilege basis. No person or system may access the data unless a documented business process is required. When access is required, the data steward must grant permission to use the data.
- Access auditing: Access auditing for files containing Restricted data should be enabled.
- Sharing: Access to Restricted data can be granted only by a data steward. No individual may share Restricted data with another individual to whom a data steward has not given access.
- Idle access: Devices that can be used to access Restricted data must automatically lock after some period of inactivity, using screensaver passwords, automatic logout, or similar controls.
- Protection:
- Transmission – Restricted data must be encrypted during transmission with a method that meets the following requirements.
- Cryptographic algorithm(s) are listed in FIPS 140-2 Annex A, the list of approved security functions.
- Cryptographic key lengths meet best practices for length, given current computer processing capabilities.
- Both the source and destination of the transmission must be verified.
- Storage – Restricted data must be encrypted using robust, public cryptographic algorithms and reasonable key lengths given current computer processing capabilities. Keys must be stored securely, and access to them must be provided on a least-privilege basis (see ISO 11568 for recommendations on securing keys). If one-way hashing is used instead of reversible encryption, salted hashes must be used.
- Encrypt files containing Restricted data using different keys or passwords than those used for system login.
- Encrypt data stored in databases.
- In addition to filing and database encryption, implement full-disk encryption on all workstations and portable devices that contain high-risk data.
- Transmission – Restricted data must be encrypted during transmission with a method that meets the following requirements.
- Applicable system security standards will be implemented for systems that store, process, or transmit Restricted data
- Retention: Restricted data should only be stored for as long as necessary to accomplish the documented business process. See University Policy RISK 1.10.025 – Records Management.
- Destruction: When Restricted data is no longer needed, it should be destroyed by applicable policies, using methods resistant to data-recovery attempts such as cryptographic data destruction utilities, on-site physical device destruction, or NAID-certified data destruction service.
- Incident Notification: If there is a potential security incident that may place Restricted data at risk of unauthorized access, the University IT Office of Information Security must be notified. See also University Policy IT 2.30.064 – Data Breach Protocol.
- Labeling: Must be marked as “Restricted.”
- For security, privacy, and regulatory reasons, those creating, managing, or storing research data must be especially attuned to its classification and appropriate security measures. Research data classified as Confidential or Restricted must be stored on University-controlled devices and systems, not personal devices or personally acquired services. The appropriate University units must vet data sharing agreements. Researchers must ensure that data is secured and available only to those approved for access.
- Especially when working or traveling in the European Union, heightened care must be taken concerning General Data Protection Regulation (GDPR)-impacted data. Special attention should be paid particularly to human subject research (that is, research concerning identified or identifiable individuals). Anonymization of the data is preferred; pseudonymization presents a greater risk, although it is acceptable. The appropriate University Data Steward or the individual Principal Investigator of the research project should advise about sharing the data.
- Requirements for Handling Public Data
- DEFINITIONS