Electronic Storage of Highly Sensitive Data Policy

* - indicates a required field.
* POLICY NAME:
Electronic Storage of Highly Sensitive Data Policy
* POLICY TYPE:
Presidential Policy - University Administrative Policy
POLICY #:
E.4.4.
*STATUS:
Active
*CONTACT OFFICE:
Information Technologies
*OVERSIGHT EXECUTIVE:
Executive Vice President
*APPLIES TO:
All Faculty and Staff
*PURPOSE:
The purpose of this policy is to define controls to prevent unauthorized
disclosure of highly sensitive data when such data are stored on electronic
devices or media that are easily misplaced or stolen.
DEFINITIONS:
The following data are classified as Highly Sensitive Data: personally identifiable
information including SSNs, passport numbers, driver's license numbers,
financial account numbers (credit card numbers, debit card numbers, banking
account numbers), and full name in conjunction with the corresponding full date of
birth.
*POLICY STATEMENT:
The University prohibits the storage of highly sensitive data (as defined in the
Data Classification Standard) on any non-network storage device or media.
Prohibited storage media include desktop computers, laptop
computers, PDAs, cell phones, USB drives, thumb drives, memory cards, CDs,
DVDs, local external hard drives, and other USB devices.
Exceptions to this policy, based on a documented business requirement, may be
authorized only by the agency head. In cases where an agency head exception
has been granted in writing, the individual receiving the exception must contact
the Information Technologies Director of Information Security (ISO) to obtain UMW-
approved encryption technologies.
NOTE: Designated systems/applications that have been classified by IT as
‘highly sensitive’ are the only appropriate network storage locations with the
additional security requirements and safeguards to ensure protection of highly
sensitive data. For questions or guidance regarding appropriate network
storage locations of highly sensitive data, please contact the Director of
Information Security & ISO by emailing rusler@umw.edu or calling
540.654.2152.
PROCEDURES:
* General Procedures for Implementation:
It is the responsibility of individuals to determine if they have highly sensitive
data on any non-network storage device or media, including all desktop
computers, laptop computers, PDAs, cell phones, USB drives, thumb drives,
memory cards, CDs, DVDs, local external hard drives, or other USB devices.
If highly sensitive data are found, you must immediately do one of the
following:
Delete any highly sensitive data from the computer/device;
Contact the ISO for assistance to move the file to a secure, centrally
managed server; or
Obtain agency approval for an exception to policy, allowing you to store
highly sensitive data on your computer/device. Both while waiting for
approval and after receiving approval, the highly sensitive data must be
protected via encryption. Immediately contact the ISO for an approved
data encryption mechanism.
Contact the division of Information Technologies if you require assistance
locating or removing files containing highly sensitive data.
If your computer, laptop, device, or media containing highly sensitive data is
lost or stolen, you must immediately report it to the UMW Campus Police and to
the Director of Information Technology Security. The incident should also be
reported per the University’s IT Security Incident Response Plan.
* Process for Developing, Approving, and Amending Procedures:
As a result of the required annual review, the CIO or her/his designee will make
appropriate changes to the policy and present them to the University President
for approval. Additional amendments will be handled on a case-by-case basis at
the discretion of the CIO.
* Publication and Communication:
The policy is on the UMW website, and security-related activities created and
managed under the authority of this policy are covered in required annual
security awareness training for all employees. Data Stewards and Data Security
Contacts and Information Technology employees complete additional annual
training.
* Monitoring, Review, and Reporting:
The policy will be reviewed annually by the CIO or her/his designee. The policy
is part of the Information Security Program and as such is audited annually by
the Auditor of Public Accounts (APA). The ISO will follow up with Data
Stewards and Data Security Contacts to ensure policy awareness and
compliance.
RELATED INFORMATION:
Policy Background:
* Policy Category:
Information Technology
Category Cross Reference:
HISTORY:
* Origination Date:
November 10, 2010
* Approved by:
President Richard V. Hurley
* Approval Date:
November 10, 2010
* Effective Date:
November 10, 2010
* Review Process:
The effectiveness of this policy will be reviewed on an annual basis upon
conclusion of the Information Security Program audit. The review will be
conducted by the CIO or her/his designee.
* Next Scheduled Review:
Spring 2012
Revision History:
Revised May 2011, to clarify the definition of appropriate network storage locations
Revised August 9, 2011, to include policy review procedures