Longwood University Information Security (Updated July 2015)

Authorization to Store Restricted Data

Procedures for Requesting Authorization to Store Restricted Data

There is a high risk of unauthorized disclosure of restricted data when such data is not stored on affiliate/centrally-managed systems. The University strictly limits the circumstances under which restricted data may be stored on any device or storage media. All of the requirements that follow must be met when, due to a specific business need, restricted data must be stored.

Anyone needing to store restricted data must complete the Authorization to Store Restricted Data – Form. The appropriate Data Owner must approve the request. Permission, if granted, is for no more than one year and only on the device or media specified on the Request Form(s).

According to the Data Handling Standards: (1) encryption is required when electronically storing/transmitting restricted data (unless stored on centrally-managed, University servers or systems) and (2) physical controls and labels are required when storing/transmitting non-electronic restricted data.

The workflow is as follows:

1. The requester completes the form, stating the business need, the specific data, and the requested storage device(s) or media.
2. The requester forwards the form to their supervisor for acknowledgement.
3. If the supervisor affirms the business need, the supervisor forwards the form to the appropriate Data Owner.
4. The Data Owner approves or denies the request.
5. The Data Owner retains the original and sends copies of the form to the acknowledging supervisor, Information Security Office and the requester.
6. If authorization is granted to store electronic restricted data, the Information Security Office will request installation of encryption software on behalf of the requester.

The requester is the user who needs access to store and transmit the restricted data.

Data Owner Quick Reference Guide

Registrar Data
  Data Owner: Vikki Levine
  Data Type: Student Biographical Information (when connected to PI)
  Description: Student name, gender, DOB, Age, SSN, citizenship, marital status, religion, ethnicity.

Human Resources Data
  Data Owner: Della Wickizer
  Data Type: Employee Personnel Files
  Description: Performance related information (EWPs/evaluations), hire and job, new employee files and related information for (1) Active employees, (2) Termed/Separated employees, (3) Adjunct employees, (4) Wage employees, (5) Miscellaneous employees.

Police and Public Safety Data
  Data Owner: Bob Beach
  Data Type: Police Reports
  Description: Past and present/active and inactive complaint reports, incident reports, abstract reports.

More information about data owners and their restricted data is available on the Information Security website at: http://www.longwood.edu/infosec/39035.htm

Authorization to Store Restricted Data

To be completed by: the Requester (prior to printing for signatures)

Requester: Click here to enter text.
Department: Click here to enter text.
Check if the approved encryption solution is installed.
Restricted Data Types: Click here to enter text.
Data Storage Device/Media: Choose an item.*

If tagged, please include the following:
Tag: Click here to enter text.
Serial #: Click here to enter text.
Make: Click here to enter text.
Model: Click here to enter text.

*Be sure to follow the Electronic Data Disposal Standards when this device/media is no longer useful.

The business need for this request is (describe the business need in detail): Click here to enter text.

I, the requester listed above, request approval to store restricted data. I acknowledge my responsibility to treat this data with the utmost care and meet all of the requirements specified in Longwood University’s Data Classification Policy and Data Handling Standards, including the requirement to encrypt restricted data and/or employ an approved protection control(s).
I understand that authorization is granted for no more than one year and only on the approved device(s)/media, as detailed above. I understand that failure to comply with the policy can result in disciplinary action up to and including termination.

Signature: ___________________________________________________ Date: _________________________

To be completed by: the Requester’s Supervisor

Acknowledgement from Supervisor: I acknowledge this request to store restricted data and affirm it is necessary to meet the business needs of this department.

Printed Name: Click here to enter text.
Department: Click here to enter text.
Signature: ____________________________________________________ Date: _________________________

To be completed by: the Data’s Owner

Data Owner’s Approval or Denial: I hereby authorize* / deny the storage of the aforementioned restricted data on the aforementioned device(s) or media for the said requester.

Printed Name: Click here to enter text.
Department: Click here to enter text.
Signature: ____________________________________________________ Date: _________________________

*Because Data Owners may impose additional security controls/protections needed for a type of data, in addition to the controls required by the classification level listed in the Data Handling Standards (http://www.longwood.edu/infosec/39042.htm), below are ALL applicable requirements for this request:

____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________
____________________________________________________________________________________________

To request updates to this form, please contact Jennifer Patterson, Information Security Policy, Awareness and Training Coordinator at pattersonjl2@longwood.edu. All requests must be in email.