UF IT Standards for Confidentiality of Restricted Data Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [16]. It was approved by the UF Chief Privacy Officer and UF General Counsel. Who Should Know This Deans, Directors, Department Chairs IT Workers authorized to implement security controls to protect Restricted Data Users authorized to access Restricted Data Summary These standards define terms important for understanding protection of Restricted Data. Only the electronic and technological aspects of protecting Restricted Data confidentiality are addressed. Roles are defined and their relationship to data protection is explained. Definitions Restricted Data Restricted Data Type Data Principal Data Custodian Data User Data, which if disclosed to unauthorized users, may have very significant adverse operational or strategic impact on an individual, a group or institution. This classification includes, but is not limited to, data restricted by law and legal contracts. Data commonly called private data usually falls in this classification. Examples include, but are not limited to, social security numbers, credit card numbers, bank account numbers, drivers license number, student grades, and medical records. Restricted Data is categorized into groups sharing common characteristics, protection requirements and use limitations [12,13,14]. For instance, Student Educational Records [11] is a Restricted Data Type that includes biographical data, grades, coursework, disciplinary information, financial information, and information about internships. Protection requirements regarding authorization, recoverability, and limitations for use on portable devices and removable media may vary for each Restricted Data Type. Unit administrators (Deans, Directors, and Department Chairs, also called DDD) with authority to direct action as needed to protect UF Restricted Data and enforce UF and unit data security policies, standards, and procedures. Professional IT workers who provide technical facilities and support services to Data Principals and Data Users. Data Custodians implement security controls to protect data. Anyone authorized to access, create or alter Restricted Data. Purpose and Scope These standards are intended to convey the specifications for protection of Restricted Data. Other data may also need protection and is addressed by other UF regulations. These standards address only data confidentiality. Other UF regulations address data integrity or availability. These standards address only the electronic and technological aspects of data security. Security of paper documents, physical security of servers and network infrastructure, and many other aspects of general data security are addressed by other UF regulations. Identification of Restricted Data Types and their use limitations are covered in other standards [12, 13, 14]. Data Principal Standards 1. Deans, Directors, Department Chairs are Data Principals. They enforce UF and unit policies and procedures for creating, altering, transmitting and storing Restricted Data used under their direction. 2. Data Principals must formally authorize and document Data Custodians in their unit who implement security controls. They coordinate with Data Custodians to ensure effective security controls are implemented. 3. Data Principals must formally authorize and document Data Users in their unit who access, create, alter or delete Restricted Data. They must ensure Data Users comply with their responsibilities to protect Restricted Data. 4. Data Principals must formally authorize and document IT devices that are used with Restricted Data. 5. Data Principals must ensure that appropriate awareness material is available to Data Custodians and Data Users explaining their obligations to protect the data. Data Principals must ensure Data Custodians and Data Users attend data security training provided and required by UF. Compliance and/or training certification may also be required. 6. If loss or unauthorized exposure of Restricted Data is discovered, the incident must be immediately reported to the UF Privacy Office [3]. For detailed incident response procedures, see the UF IT Security Incident Response Procedures, Standards and Guidelines [15]. Data Custodian Standards 1. IT workers who implement controls to protect Restricted Data must be authorized by the Data Principal (Dean, Director, or Department Chair) in their unit. 2. Data Custodians should assist the Data Principal in their unit with cost-effectiveness evaluation of security controls. 3. Data Custodians are accountable for their actions regarding Restricted Data handling. They may be subject to penalties and disciplinary action, both within and outside the university. Violations will be handled through the university disciplinary procedures applicable to the relevant Unit or IT worker. 4. Data Custodians must maintain an accountability of who is authorized to access Restricted Data and at least annually revalidate the access requirements. 5. Data Custodians must document, implement, and verify that server, operating system, network, workstation, and application controls are commensurate with the following requirements to protect Restricted Data confidentiality. a. Restricted Data must reside on an appropriately secured host [4]. b. Locations where Restricted Data resides must be appropriately secured [5]. July 10, 2008 2 c. Restricted Data must be available only to those who are authorized and authenticated. Access controls should be based on the minimum necessary and least privilege principles. d. Facilities must be available for users to securely store and transmit Restricted Data preventing unauthorized access [7]. e. Restricted Data must be rendered unreadable prior to disposal [6, 8]. Disposal must be consistent with Florida record retention requirements [2]. f. Encryption needs for the data must be addressed according to contractual and regulatory requirements such as HIPAA [10], Florida Statute 817.5681 [1], and the Payment Card Industry standards [9]. g. Use of access logs must be addressed according to contractual and regulatory requirements such as HIPAA [10] and the Payment Card Industry standards [9]. 6. If loss or unauthorized exposure of Restricted Data is discovered, the incident must be immediately reported to the Data Principal and the UF Privacy Office [3]. For detailed incident response procedures, see the UF IT Security Incident Response Procedures, Standards and Guidelines [15]. Data User Standards 1. Data Users must be authorized to access Restricted Data by the Data Principal (Dean, Director, or Department Chair) in their unit. 2. Data Users must comply with applicable UF and unit policies, standards and procedures to manage UF Restricted Data. UF training is available to help users understand their responsibilities. Compliance and/or training certification may be required. 3. Restricted Data Users are accountable for their actions regarding Restricted Data handling [12, 13]. They may be subject to penalties and disciplinary action, both within and outside the university. Violations will be handled through the university disciplinary procedures applicable to the relevant Unit or employee. 4. Restricted Data must be created, altered or deleted using only computers and applications approved by the Level 2 Unit ISM. 5. If loss or unauthorized exposure of Restricted Data is discovered, Data Users must immediately report the incident to the Data Principal and the UF Privacy Office [3], usually through their supervisor. Bibliography [1] Florida Statute 817.5681: http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL =Ch0817/SEC5681.HTM&Title=-%3E2006-%3ECh0817-%3ESection%205681#0817.5681 [2] Florida Statute 119, Public Records: http://www.flsenate.gov/Statutes/index.cfm?App_mode=Display_Statute&URL=Ch0119/titl0119. htm [3] The UF Privacy Office: http://privacy.ufl.edu/ [4] UF Network and Host Security Standard: http://www.it.ufl.edu/policies/security/uf-it-secnetwork.html [5] UF IT Physical Security Standard: http://www.it.ufl.edu/policies/security/uf-it-secphysical.html [6] UF Media Reuse and Data Destruction Standard: http://www.it.ufl.edu/policies/security/documents/ITworker_draft/disposal.pdf [7] UF Guidelines for IT Workers Regarding Encryption of Stored Data: http://www.it.ufl.edu/policies/security/documents/ITworker_draft/encryption.pdf July 10, 2008 3 [8] Asset Management Services, Data Destruction Recommendations: http://fa.ufl.edu/am/destroy-data.asp [9] Payment Card Industry Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/tech/index.htm [10] Health Insurance Portability and Accountability Act, HIPAA: http://aspe.hhs.gov/admnsimp/pl104191.htm, http://privacy.health.ufl.edu/ [11] Family Educational Rights and Privacy Act: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html [12] Standards for Private Educational Record Data Use Limitations: <link> [13] Standards for Personally Identifiable Information Use Limitations: <link> [14] Standards for Financial Account Information Use Limitations: <link> [15] UF IT Security Incident Response Procedures, Standards and Guidelines, http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response.html [16] DDD announcement of this standard, http://lists.ufl.edu/cgi-bin/wa?A2=ind08&L=DDD-L&P=R35323&I=-3 July 10, 2008 4