071.11 Organizational Security and Data Classification
|Created by: Donald Pierce on 07/31/2009|
|Category: 0 - General Administration; 70 - Computer Services|
|Originator: Chief Information Officer|
|Current File: 071.11|
|Adoption Date: 11/15/2012|
|Reviewed for Currency: 11/15/2012|
|Date of Origin: 07/31/2009|
|In Archive? 0|
Furman University information systems handle personal and confidential information that is protected by state and federal statutes. In order to better comply with such laws, and to better protect the safety and confidentiality of the University information resources, it has become necessary to create a policy outlining the types of protected information, and allocate roles and responsibility for securing that information.
All Furman faculty and staff are responsible for maintaining appropriate security and confidentiality for the University’s information resources. All members of the campus community are expected to comply with university information policies and applicable state and federal laws regarding information security and confidentiality. The University will allocate security roles and responsibilities for classifying university data, establish training programs, and perform periodic security audits to ensure compliance.
1. The University allocates information security roles and responsibilities as follows:
a. The university auditor’s role is to review the university information security policies and procedures to ensure that these policies and procedures adequately protect the university’s information assets. The auditors will conduct periodic reviews of the university’s security policies and procedures and make appropriate recommendations to university management.
b. Information Technology Services (ITS) management is responsible for establishing service levels and directing the implementation of appropriate security policies and procedures to protect the university’s information resources. ITS management will maintain a “Service Catalog” listing each university information service and identifying the University Vice President responsible for each information service. The University’s Chief Information Officer will meet annually with each University Vice President to discuss information services’ funding, service levels, and information security.
c. Within the constraints of university resources, each University Vice President is responsible for working with the Chief Information Officer (CIO) to ensure there is appropriate funding for the information resources maintained by their designated areas. Each Vice President will meet with the CIO annually to discuss service levels and security for their information services. It is the responsibility of the Vice President to obtain additional funding if they desire a higher service level or need additional security.
d. Each information service in the Service Catalog will be assigned to an ITS staff member who functions as the “Service Administrator”. It is the Service Administrator’s responsibility to recommend appropriate security policies and procedures for that service, and to implement security policies and procedures as approved by ITS management. Service Administrators who are responsible for a domain of university data are responsible for documenting and enabling user access to that university data, as well as maintaining records of authorized data users for highly sensitive data.
e. A department or organizational unit manager with responsibility for updating and maintaining a portion of the university’s information functions as a “Data Steward”. It is the Data Steward’s responsibility to authorize security access to enter, update, and maintain the department’s information, and to ensure the accuracy and quality of all data within their area. It is also the Data Steward’s responsibility to ensure that the authorized data processors and data users are adequately trained.
f. “Data Processors” are authorized by Data Stewards to enter, modify, or delete data. Data Processors are responsible and accountable for the completeness, accuracy, and timeliness of the data assigned to them.
g. A “Data User” is any university employee, contractor, affiliate, or duly authorized member of the community who can access internal and/or highly sensitive university data but does not modify or delete that data. For the purposes of the responsibilities outlined in this policy, Data Users include all who have the capacity to access university data. All Data Users, whether they are Data Stewards, Service Owners, or Processors, are responsible for the security and privacy of the data they access, and are responsible for reporting any data compromises.
2. University data is defined as any data required to conduct the operations of the University. University data are classified into three categories: public use data, internal use only data, and highly sensitive data.
a. “Public Use Data” is data intended for general public use. An example is the university’s on-line directory.
b. “Internal Use Only Data” is data not generally made available to parties outside the Furman University community. An example is minutes from confidential meetings; these are considered internal use only data and should not be routinely disclosed. This information may be released to parties outside the Furman University community, but such requests must be reviewed by the appropriate University Vice President. Unauthorized distribution of this data to external sources by any university employee is considered an abuse of privileged information.
c. “Highly Sensitive Data” is information prescribed in contractual and/or legal specifications and specified in state and federal law as information that must be protected. Among the types of data included in this category are individual financial records, social security numbers, credit card information, proprietary data, and data protected by law or international agreement.
3. Access to university data is provided to university employees for the conduct of university business. Internal use only and highly sensitive university data, as defined by this policy, will be made available to employees who have a genuine need for it. This may include data collected from students, faculty, staff, contractors, members of the community, or those who have no affiliation with the university. Employees accessing such data must observe the requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data used in any type of reporting function. Individual units or departments that have stewardship responsibility for portions of internal and highly sensitive university data must establish internal controls to ensure that university policies are enforced. All data users, not just Data Stewards, Administrators, or Processors, are responsible for the security and privacy of the data they access, as prescribed in this policy.
4. The university forbids the disclosure of internal use only data and/or highly sensitive data in any medium except as approved in advance by a data steward. The use of any internal use only or highly sensitive university data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited. Each data user will be responsible for the consequence of any misuse of university data.
5. Should a security breach occur, ITS will investigate all the facts related to the situation and make a determination as to whether or not the matter is referred to law enforcement authorities through University Police. The Assistant Vice President for Human Resources will review all matters involving university staff. The Vice President for Academic Affairs and Dean will review all matters involving faculty. The Vice President for Student Life reviews matters involving students. University Counsel will review all matters involving individuals not affiliated with the university.
6. All individuals accessing university information at Furman University are required to comply with federal and state laws, and university policies and procedures, regarding data security of highly sensitive data, and to exercise discretion with regard to such data. Any university employee, student, or non-university individual with access to University data who engages in unauthorized use, disclosure, alteration, or destruction of data in violation of this policy will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.
7. In cooperation with department and unit managers, ITS is responsible for managing a university security awareness program for all members of the university community and for consulting with members of the University on information security issues. Security awareness will be a significant component of orientation sessions and training classes offered by ITS. In addition, ITS will offer security awareness materials in print and on the web to instill the importance of appropriate information handling, and to explain the implications of the university’s information security policies.