14.03 Data Security

Purpose

The University of Northern Iowa acknowledges its obligation to ensure appropriate security for data, business systems, and Information Technology (IT) resources in its domain of ownership and control. Furthermore, the University recognizes its responsibility to promote security awareness among the members of the University community.

The University of Northern Iowa develops, publishes, and enforces policies, procedures, and standards in order to achieve and maintain appropriate protection of university data and business systems. This document, along with related security policies, procedures, and standards, identifies key security issues for which individuals, colleges, departments, and units are responsible.

Scope

This policy applies to all faculty, staff, and students as well as any other individuals or entities who use data and business systems at the University of Northern Iowa. This policy applies to all university data, even if stored without the use of an IT resource. Further, this policy applies to all IT resources owned or leased by UNI; to any privately-owned equipment connected to the campus network and includes, but is not limited to, computer equipment, software, operating systems, tablets, phones, multimedia devices, storage media; and the campus network itself.

Securing and protecting data and business systems from misuse or malicious activity is the responsibility of those who manage systems as well as those who use them. Effective security is a team effort involving the participation and support of every member of the University community who accesses and uses data and business systems.

Policy Statement

Every member of the University community is responsible for protecting the security of university data and business systems by adhering to the objectives and requirements stated within published university policies. In addition, individuals are required to comply with the additional security policies, procedures, and practices established by colleges, departments, or other units. If multiple policy statements or security standards are relevant for a specific situation, the most restrictive security standards will apply.

Access to Level II and Level III data, as defined by policy 14.09 University Data Classification, may only be granted to authorized or approved users on a need-to-know basis. Every user must maintain the confidentiality of Level II and Level III institutional data even if technical security mechanisms fail or are absent. A lack of security measures to protect the confidentiality of information does not imply that such information is public.

IT resources of the University are protected through IT policies, procedures, standards, and actions that meet applicable federal, state, regulatory, contractual, or administrative requirements and support the University of Northern Iowa’s mission, vision, and values. The Chief Information Officer (CIO) or their designee shall publish appropriate procedures and standards to protect the confidentiality, integrity, and availability of IT resources and university data.

All units—from the University level through the college, department, and unit level—must provide opportunities for individuals to learn about their roles in protecting university data and business systems.

Procedures

Data Protection Requirements

The CIO or their designee shall publish security procedures and standards applicable to all university IT resources. The procedures and standards shall be updated regularly as advances in technology occur and will have the full force and effect of this policy.

Some university systems must be protected with a higher level of attention and caution. The classifications found in policy 14.09 University Data Classification will be used to define which business systems require additional attention. Such business systems will have additional security requirements placed upon them by the CIO, the data custodian, or their designee(s). Such requirements will be published by the CIO. Certain systems, such as those necessary for credit card and protected health information, have UNI policies that provide additional requirements.

Unnecessary or High-Risk Storage of University Data

A fundamental principle to reduce the risk of a loss of confidentiality of data is to simply not store the data. As such, transitory/convenience records must not be retained indefinitely. University policy 1.07 Records Retention dictates the retention periods for various types of university data. Transitory/convenience records should be destroyed when they cease to be useful. Digital backup copies of university data must be managed through a central IT service and not at the department or division level. Departments must not attempt to store level III data on IT resources without requesting assistance from IT personnel.

Sensitive Personally Identifiable Information

The CIO or their designee shall publish security procedures and standards applicable to sensitive personally identifiable information (PII) such as social security numbers, passport numbers, driver’s license numbers, credit card numbers, etc. All systems shall be regularly evaluated for the presence of PII. IT will deploy automated solutions where possible to identify PII. As required under this policy and additional UNI policies (14.09, 10.11, 13.12, and 13.16), all sensitive PII must be approved for storage. Systems storing sensitive PII must be reviewed annually to justify continued need for PII storage.

Risk Assessment

Risk assessment is a systematic process used in determining the potential impact of a negative event by evaluating the nature of the information and information systems. All business systems with level III data are recommended to have risk assessments conducted on a biannual basis. Some selected systems will be designated for conducting a risk assessment at an interval prescribed by the CIO or the data custodian. The results of risk assessments will be placed on file for audit and accountability purposes.

Specific Roles and Responsibilities

Chief Information Officer (CIO)

The Chief Information Officer has responsibility for security oversight of the University's IT resources. Implementation of security policies is assigned to Information Technology and may be delegated throughout the University at the CIO’s discretion. The CIO has the ability to make exceptions to data security procedures in support of the University’s mission.

Data Custodian

The data custodians, as a group, are responsible for recommending and establishing policies, procedures, standards, and guidelines for data administration activities. Data custodians may delegate their role to other university employees. They are also responsible for advising colleges, departments, units, and individuals in security practices relating to university data. The data custodian has authority to authorize or deny access to data.

Data User

The data user, synonymous with user, is the individual, automated application, or process that is authorized by the data custodian to create, enter, edit, and access data, in accordance with the data custodian's policies and procedures.

Users have a responsibility to:

  • Maintain the security of passwords; personal identification numbers (PINs); and authentication tokens, devices, and certificates, as users will be held accountable for any activities linked to their accounts.
  • Use the data only for the purpose specified by the data custodian.
  • Comply with controls established by the data custodian.
  • Comply with controls implemented by Information Technology departments.
  • Follow terms of policy 14.04 Acceptable Use of Information Technology Resources.
  • Prevent disclosure of confidential or sensitive data.
  • Report security incidents that may have breached the confidentiality of data (see UNI policy 14.02 Information Security Incident Response Policy).

Colleges, Departments, and Other Units

Colleges, departments, and other units are responsible for securing any information they create, manage, or store, and for any information they acquire or access from other university systems (e.g., student educational records, personnel records, and business information). This responsibility includes participating in periodic risk assessments, developing and implementing appropriate security practices, and complying with all aspects of this policy.

Individuals Using Personally-Owned Computers and Other Network Devices

Students, faculty, and staff who use personally owned systems to access university IT resources and university data are responsible for the security of their devices. Further, they are responsible for following and implementing necessary security protocols on their personal devices and required to follow all applicable laws, regulations, policies, and procedures directed at the individual user. Data custodians may prohibit the use of personal devices to access data under their purview.

Level III data may not be stored on personally owned systems. (See policy 14.09 University Data Classification and policy 13.23 Mobile Device Encryption Policy)

Third Party Vendors

Third party vendors providing hosted services and vendors providing support, whether on campus or from a remote location, are subject to university security policies and will be required to acknowledge their security obligations in contractual agreements. The vendors are subject to the same auditing and risk assessment requirements as colleges, departments, and other units.

Other Registered Entities

Any entity that is a registered user and connected to the University network is responsible for the security of its computers and network devices. Further, they are responsible for following and implementing necessary security protocols on their personal devices and required to follow all applicable laws, regulations, policies, and procedures directed at the organization or individual user.

Disciplinary Action

Violations of this policy may be referred for disciplinary action as indicated in Policy 14.04 Acceptable Use of Information Technology Resources.

Reporting of Data Security Incidents

A critical component of data security is to address security breaches promptly and with the appropriate level of action. All individuals must follow the Information Security Incident Response Policy (UNI policy 14.02).

Usage of Terms

AVAILABILITY – Availability is the ability to assure that systems work promptly and service is not denied to authorized users. A loss of availability is the disruption of access to or use of information or an information system.

BUSINESS SYSTEM – A business system is any system handling university data, including IT resources and paper-based records.

CONFIDENTIALITY – Confidentiality ensures that confidential information is only disclosed to authorized individuals. A loss of confidentiality, for the purposes of this policy, is the unauthorized disclosure of information.

DATA CUSTODIAN – Data custodians are senior university officials who have planning, management, and policy-level responsibility for data within their functional areas. A data custodian has the authority to authorize or deny access to data. For example, the Registrar, Director of Human Resource Services, Director of Business Operations, Director of Admissions, Department Heads, Deans, Vice Presidents, and the University President would all be data custodians. University administrators may act as data custodians for departments under their authority.

INTEGRITY – Integrity is the appropriate maintenance of information and systems. A loss of integrity is the unauthorized modification or destruction of information.

IT RESOURCE – IT resource may include computers, software, servers, network utilization, storage utilization, virtual machine capacity, tablets, phones, multimedia devices, storage devices, wireless spectrum, and any other in-demand resource managed by IT staff.

POTENTIAL IMPACT – Potential impact is the level of adverse effect a loss of confidentiality, integrity, or availability could be expected to have on university operations, university assets, or individuals.

UNIVERSITY DATA – University data are information that supports the mission and operation of the University. It is a vital asset and is owned by the University. Some university data are shared across multiple units of the University as well as outside entities.

USER – User includes any faculty, staff, student, developer, contractor, vendor, or visitor as well as any other individual or entity using information, university data, and/or IT resources of the University of Northern Iowa.

Information Technology, approved August 27, 2018 
University Council, approved November 12, 2018 
President and Executive Management Team, approved December 10, 2018