Utah Valley University
Policies and Procedures
| Title | Private Sensitve Information | Number | 449 |
| Section | Facilities, Operations, and Information Technology | Approval Date | Oct 09,2008 |
| Subsection | Information Technology | Effective Date | Oct 09,2008 |
I. Purpose
- Institutional information technology resources are at risk from potential threats such as human error, accident, system failures, natural disasters, and criminal or malicious action. The purpose of this policy is to secure the private sensitive information of faculty, staff, students, and others affiliated with the institution, and to prevent the loss of critical operational information.
II. References
- Board of
Regent Policy R132 GRAMA Guidelines
- Board of
Regent Policy R341 Computing Systems Programs
- Board of
Regent Policy R343 Information Management
- Board of
Regent Policy R345 Information Technology Resource Security
- The Privacy Act of
1974, 5 U.S.C. § 552a (2000)
- Utah
State Code, Title 63D, Chapter 2,
Governmental Internet Information Privacy Act
- UVU Policy
134 Schedule
for GRAMA and Family Educational Rights Privacy Act (FERPA)
- UVU Policy 445 Institutional Data Management and Access
III. Terms
- Data Custodian: An individual directly responsible for creating, maintaining, and using
data to support the university's operation and its information needs.
- Data Steward: A
senior university official who has planning and policy-level responsibility for
data within their functional areas.
- Encryption:The process of encoding a
message so it can be read only by the sender and the intended recipient
(American Heritage New Dictionary of Cultural Literacy, 3rd Edition,
2005, Houghton Mifflin Company).
- Enterprise
Application Committee (EAC): The
management group for enterprise data and data systems which includes all of the
data stewards or their designee.
- Incident: A confirmed or suspected security breach.
- Incident Response Team: Directed by the Information Security Officer
(ISO) and made up of campus personnel, the Incident Response Team is
responsible for immediate response to any breach of security. The
Incident Response Team is also responsible for determining and disseminating
remedies and preventative measures that develop as a result of responding to
and resolving security breaches.
- Information Security Officer: A senior university
official, assigned by the president, to oversee the security of the
institution’s electronic data.
- Private Sensitive Information (PSI): Private sensitive information includes social security numbers, credit card information, health and medical records, financial records, that give specific information about an individual that is considered private or sensitive and can lead to adverse consequences if disclosed such as identity theft, financial lose, or invasion of privacy. Access to such data is governed by state and federal laws, both in terms of protection of the data, and requirements for disclosing the data to the individual to whom it pertains. It does not include “public information” as defined by GRAMA or directory information as defined by FERPA.
IV. Policy
- Institutional
employees, or anyone else given access to institutional data, must not
knowingly retain on personal computers, servers, portable or other computing or
storage devices; nor should they transmit by electronic means, any private
sensitive information as defined above, unless specifically approved by the
Enterprise Applications Committee (EAC) and registered with the Office of
Information Technology according to the procedures below.
- Employees with PSI access must take reasonable precautions to safeguard the information including, but not limited to, encryption, strong password protection, screen and computer locks, and making screen displays or physical storage devices unavailable to unauthorized personnel.
V. Procedures
- Identifying
PSI
- PSI, secured data and
any other information that must be safeguarded against unauthorized access
should be identified and protected. Anyone
with access to data resources who is uncertain whether or not an IT resource
contains PSI or data that should be secured must seek direction from the
Enterprise Application Committee (EAC), the appropriate data steward or data custodian,
the campus HIPAA Privacy Officer, or the institution's Information Security
Officer (ISO).
- Approval,
Registration, and Securing of PSI Storage or Transmission
- If an individual needs to store, have access to, or transmit PSI for the performance of their duties to conduct the business of the institution, they must obtain permission to do so from the appropriate data steward and the EAC, upon the recommendation of their supervisor or department chair, as appropriate, their director or dean, as appropriate, and the respective vice president. The ISO must be notified that permission has been granted. The ISO will work with the individual, where appropriate, to implement reasonable precautions and provide training to secure the PSI.
- Permission is not required to retain student grades, letters of recommendation, and patentable research findings that are used regularly in the performance of faculty and staff duties. However, if a computer containing such data is readily accessible to unauthorized individuals, the responsible resource owner must take reasonable precautions to secure the data.
- Security procedures must be designed for IT resources that do not necessarily
store, process or transmit PSI, if access to such IT resources provides the
possibility of a breach of security.
- Physical
Security of PSI
- Individuals are responsible for assuring that all electronic information, hard copy information, and hardware devices in their possession are physically protected in accordance with the record classification level as either private or protected data (refer to UVU Policy #134 GRAMA).
- Adherence to security
controls for each work area, including access restrictions, sensitive data
handling procedures, and security plans must be assured.
- Destruction
or “Shredding” of Electronic Media
- Departments and individuals shall destroy private sensitive information, as well as other personal or financial information, as appropriate. PSI will be destroyed on a campus IT resource or on personal computers, servers, or other campus computing devices, using established institutional procedures, when such information is no longer needed for the conduct of business or for legal purposes.
- Data must be “shredded” (meaning over-written with meaningless data) or
the device/IT resource storing the data must be physically destroyed.
- Incident
Management
- All suspected or actual security breaches of institutional or departmental systems must be reported immediately to the institution's Information Security Officer (ISO). The incident must also be reported to the appropriate data steward and data custodian. If the compromised system contains PSI, the incident must be reported to the Assistant Attorney General.
- If PSI has been accessed or compromised by unauthorized persons or organizations, the individual who is responsible for the information must consult with their dean, department head, or supervisor, the ISO, their respective vice president and the Assistant Attorney General to assess the level of threat and/or liability posed to the institution and to those whose PSI was accessed. If a threat/liability exists, reasonable effort will be made to notify the individuals whose PSI was accessed or compromised. If appropriate, those affected will be referred to the ISO for instructions regarding measures to be taken to protect themselves from identity theft.
- One or more members of the Incident Response Team must be technically
qualified to respond to information-related incidents. If necessary, additional
technical support may be sought from outside the campus community.
- Emergency
Action by the ISO and Revocation of Access
- The ISO may discontinue access of any individual who violates this policy, or other IT policies, when continuation of such service threatens the security (including integrity, privacy and availability) of the institution's IT resources.
- The ISO may discontinue access to any network segment or networked device if the continued operation of such segments or devices threatens the security of the institution's IT resources.
- The ISO will notify the supervisor, or the appropriate data steward or his/her designee, to assist in the resolution of non-compliance issues before access is discontinued, unless non-compliance is causing a direct and imminent threat to the institution's IT resources.
- The data steward may discontinue service, or request that the ISO discontinue service, to network segments, network devices, or individuals under his or her jurisdiction, which are not in compliance with this policy. Data stewards will notify, or request that the ISO notify, affected individuals to assist in the resolution of non-compliance issues before service(s) are discontinued, unless non-compliance is causing a direct and imminent threat to the institution's IT resources.
- An individual’s access may be restored as soon as the direct and imminent security threat has been remedied and permission has been granted by the appropriate data steward or vice president, in the case there is no data steward, unless access is revoked.
- The institution reserves the right to revoke access to any IT resource for any individual who violates the institution's policy, or for any other business reasons, in conformance with applicable institutional policies. Staff members may appeal revocation of access to their respective vice president.
- Violation of the institution's
policy may result in disciplinary action, up to and including termination of
employment. Employees may appeal disciplinary actions taken against them
pursuant to institutional policy and in a manner affording due process to
university employees.
- Regular Review of
Security Procedures
- These procedures should be reviewed at regular intervals using best practices designated by the campus ISO.