
DATA SECURITY D 101

 

Issued by:

Division of Information Technology

 

SCOPE

This policy applies to the creation, collection, use and retention of electronic information for academic, research, employment and administrative purposes.

 

 

POLICY

As a routine matter, data in electronic form is created, collected, used and maintained by members of the University community for various educational, research, public service and health care purposes. Each person with access to University data shall comply with applicable data protection and control procedures, and shall secure that data against inappropriate, unauthorized or illegal use.

 

1. Data Stewardship: The Chief Information Officer (CIO) and designated data custodians for each office of record shall ensure that University data is created, used, maintained, disclosed and disposed of according to applicable law, regulation or University policy. See DoIT 100.

 

A. Data custodians shall develop appropriate access controls for data in the department, division or unit under their supervision, consistent with the data’s confidentiality, sensitivity and use. As a general matter, stewardship for student information resides with the Office of the Registrar; for employee information, with Human Resources; for financial aid information, with the Financial Aid Office; for medical information, with Health Information Management; and for University information, with the Public Information Officer.

B. Disclosure or distribution of University data is prohibited unless authorized in writing by the data custodian of the office of record or University counsel. The University maintains audit trail records in accordance with legal requirements, the needs of the University’s Internal Audit Department and disaster recovery procedures.

 

DoIT maintains backups of electronic files. At a minimum, these backups are made once a day. As a general guideline, DoIT retains daily backups for one month, weekly backups for three months and monthly backups for six months. Data custodians whose DoIT-maintained data has special backup retention requirements should consult with DoIT. Data custodians responsible for maintaining stand-alone servers on which University data is created, collected, used or stored shall adopt comparable retention guidelines.
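The retention schedule above (daily copies for one month, weekly for three, monthly for six) is easy to state and easy to get wrong when a script decides which old backups may be deleted. The following is an added example, not DoIT's own tooling: it decides, for a given date, which backup copies the schedule still requires. It assumes calendar-month windows and treats the latest backup in each ISO week or calendar month as the "weekly" or "monthly" copy; the policy does not specify either choice.

```python
"""Backup retention pruning for the schedule in the policy above:
daily copies kept one month, weekly copies three months, monthly copies six.
Added example. The calendar-month arithmetic and the use of the latest
backup in each ISO week / calendar month as the weekly / monthly copy
are assumptions, not something the policy specifies."""
import calendar
from datetime import date, timedelta


def months_before(d: date, n: int) -> date:
    """Same day-of-month n calendar months earlier (clamped to month length)."""
    year, month = d.year, d.month - n
    while month <= 0:
        year -= 1
        month += 12
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def retained(backups, today: date) -> list:
    """Return the sorted subset of backup dates the schedule says to keep."""
    past = [b for b in backups if b <= today]   # ignore anything future-dated
    daily_cutoff = months_before(today, 1)
    weekly_cutoff = months_before(today, 3)
    monthly_cutoff = months_before(today, 6)

    # Latest backup in each ISO week and each calendar month stands in for
    # the weekly / monthly copy (assumption, see lead-in).
    latest_in_week, latest_in_month = {}, {}
    for b in past:
        wk = b.isocalendar()[:2]            # (ISO year, ISO week)
        latest_in_week[wk] = max(latest_in_week.get(wk, b), b)
        mo = (b.year, b.month)
        latest_in_month[mo] = max(latest_in_month.get(mo, b), b)

    keep = set()
    for b in past:
        if b >= daily_cutoff:
            keep.add(b)                      # still inside the daily window
        if b >= weekly_cutoff and latest_in_week[b.isocalendar()[:2]] == b:
            keep.add(b)                      # the week's designated copy
        if b >= monthly_cutoff and latest_in_month[(b.year, b.month)] == b:
            keep.add(b)                      # the month's designated copy
    return sorted(keep)


def expired(backups, today: date) -> list:
    """Backups the schedule no longer requires and which may be deleted."""
    kept = set(retained(backups, today))
    return sorted(b for b in backups if b <= today and b not in kept)


def example():
    """Constructed input: one backup per day from 2024-01-01 to 2024-07-01."""
    start, today = date(2024, 1, 1), date(2024, 7, 1)
    backups = [start + timedelta(days=i) for i in range((today - start).days + 1)]
    return retained(backups, today)


if __name__ == "__main__":
    for d in example():
        print(d.isoformat())
```

On the constructed half-year of daily backups, the function keeps every day from 1 June onward, the Sunday copies back to April, and the month-end copies back to January; everything else is reported by `expired()`. A custodian with special retention requirements (the case the policy tells to consult DoIT) would change the three window lengths rather than the selection logic.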

 

2. Data Security: All transmissions of confidential data shall be over a secured channel or encrypted.

Each employee who may have access to confidential information shall, as a condition of employment, sign an Information Security Compliance Agreement, which shall be included in the employee’s personnel record.

Managers shall promptly report changes in employee job status or duties involving data access to the appropriate data custodian.

Generally, disclosure of confidential information, including, by way of example only, personnel, student, financial and patient information, is prohibited by law. Access to this data is available only to persons with a “need to know” by virtue of their job responsibilities, in accordance with law, or under an authorized request.

Data Exchange Agreements with state, local or federal agencies and any lease, permit or contract with a third party that may involve access to University data shall include a statement of compliance with University policies on data security and confidentiality.

 

3. Physical Security: All computers, data storage media and storage repositories that contain confidential information must be secured against loss or tampering.

Portable computing devices such as laptops, hand-held equipment (PDAs) and data storage media pose a significant risk of exposing protected information and of providing access to the University’s administrative systems. For these reasons, special care must be exercised when using these devices. All protected data stored on portable devices must be encrypted. In addition, the login settings for these devices should never be set for automated login to any University administrative application.


All administrative systems shall have and document backup and recovery procedures. The backup media must be stored in a secure location off site. DoIT shall test these procedures on a periodic basis.

 

4. Penalties for Misuse: The inappropriate or illegal use of University data is a violation of University policy that will subject the violator to disciplinary procedures. Individuals who misuse University information technology resources may lose information technology privileges and be referred for prosecution by state or federal authorities.

 

 

INQUIRIES / REQUESTS

Office of the Chief Information Officer
Room 231, Educational Communications Center
632-9085

Office of Institutional Research
Room 310, Administration Building
632-7272

Procurement Office
Services and Contracts Division
W-4505 Melville Library
632-6066