
Under the direction of the President, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.

III. APPLICABILITY

This policy applies to all members of the Rowan community, including faculty, staff, non-employees, students, attending physicians, contractors, covered entities, and agents of Rowan, as well as visitors, who have been explicitly and specifically authorized to access and use the University's information systems.

IV. DEFINITIONS

A. Application – A computer program that processes, transmits, or stores University information and which supports decision-making and other organizational functions. It typically presents as a series of records or transactions, which are generally accessible by more than one user.

...

CC. Risk Assessment – a process used to identify and evaluate risks and their potential impact on the University.

DD. Rowan Community – faculty, staff, non-employees, students, attending physicians, contractors, covered entities, agents, and any other third parties of Rowan University.

V. REFERENCES

A. Acceptable Use Policy ISO: 2013:01

B. Mobile Computing and Removable Media Policy ISO: 2013:02

C. Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. 1232g; 34 CFR Part 99

D. Federal Information Security Management Act (FISMA) http://csrc.nist.gov/groups/SMA/fisma

E. Federal Trade Commission http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml

F. Health Insurance Portability and Accountability Act of 1996 (HIPAA) http://www.hhs.gov/ocr/privacy/index.html Sections: 164.308 (a)(4)(ii)(B), 164.308 (a)(4)(ii)(C), 164.308 (a)(7)(ii)(E), 164.312 (e)(1), 164.312 (e)(2)

G. New Jersey Open Public Records Act Section: N.J.S.A. 47:1A-1.1

H. New Jersey Identity Theft Protection Act Sections: N.J.S.A. 56:8-161, N.J.S.A. 56:8-163

I. Payment Card Industry Data Security Standard Sections: PCI DSS v2 7.1, PCI DSS v2 7.2

VI. POLICY

A. All members of the University community have a responsibility to protect the Confidentiality, Integrity, and Availability of information collected, processed, transported, stored, or transmitted by the University, irrespective of the medium on which the information resides.

    • Confidentiality – the expectation that only authorized individuals, processes, and systems will have access to the University’s information.
    • Integrity – the expectation that the University’s information will be protected from intentional, unauthorized, or accidental changes.
    • Availability – the expectation that information is accessible by the University when needed.

B. Information must be classified and handled according to its value, legal requirements, sensitivity, and criticality to the University. Protection levels must be established and implemented relative to the information's classification, protecting it against unauthorized access, modification, disclosure, and destruction. For information governed by law and regulation (such as protected health information, student records, and personally identifiable information), the protection levels must satisfy the applicable data security and data privacy requirements.

...

C. Vice Presidents and Deans shall:

  1. Ensure that each business unit in their respective areas of oversight appropriately identifies and classifies the information it generates.
  2. Ensure that each member of their business units receives periodic training and awareness about how to handle sensitive information.
  3. Assign business unit managers, senior managers, or designees the role of Data Steward for their respective information.
  4. Ensure that their Data Stewards maintain an inventory of their information assets, including applications.
  5. Annually perform a risk assessment of their applications.
  6. Annually report their aggregate inventory of information assets to the Information Security Office.

D. Data Stewards shall:

  1. Classify University information under their control as one of the following (reference the Definitions Section and EXHIBIT), taking into consideration the business needs for sharing or restricting the information and the impacts associated with those needs:
    1. CONFIDENTIAL
    2. PRIVATE
    3. INTERNAL
    4. PUBLIC
  2. Where practicable, clearly label Confidential and Private information.
  3. Establish the information's criticality using the Office of Information Security's Business Impact Analysis methodology.
  4. Establish the business unit's security requirements and expectations for the applications the business unit owns and which contain its information. For example:
    1. How a user should be authenticated.
    2. How users will be granted access to the application.
    3. Revocation procedures for user access privileges.
    4. Procedures for approving requests for access to and use of the information in its applications.
    5. Record retention and e-discovery requirements.
  5. Maintain an inventory of their information assets, including all applications that collect, process, transport, store, or transmit their information. (The ISO's Business Impact Analysis methodology can assist with this effort.)
  6. At minimum annually, assess and update the Information Classification based on changing usage, sensitivities, law, or other relevant circumstances. Changes must be reported to the business unit's VP or Dean and to the application managers.
  7. Establish procedures for data destruction in accordance with the University's record retention and disposal policies.

E. Confidential and Private information must be collected, processed, transported, stored, or transmitted using only:

  1. Software, hardware, and services whose security is managed by the University (e.g., remote access services, University messaging services, applications, databases, and servers managed by a local school/unit technology organization or IRT).
  2. Third-Party-managed devices or services that are subject to a contract between the Third Party and the University containing confidentiality provisions consistent with University policies and standards.

F. External Handling/Security Requirements:

  1. University information in electronic form that is regulated by HIPAA, FERPA, GLBA, or PCI must be encrypted when electronically stored, transmitted, or transported externally.
    Information entrusted to the University by grant-providers or NIH (data-sharing arrangements) must be protected, at a minimum, according to contractual obligations, regulatory requirements, and/or University policy, and relative to the sensitivity of the information.
  2. Data Stewards may establish similar security requirements for non-regulated information at their discretion.

G. Internal Handling/Security Requirements:

  1. Information regulated by HIPAA, FERPA, GLBA, or PCI that is stored on removable media must be encrypted at all times, even when the information is stored or transported within the University’s campus.
  2. Information entrusted to the University by grant-providers or NIH (data-sharing arrangements) must be protected, at minimum, according to contractual obligations, regulatory requirements, and/or University policy, and relative to the sensitivity of the information.

H. Prohibited Actions (include, but are not limited to):
All members of the Rowan community must NOT:

  1. Forward University information classified as Confidential or Private to outside or personal email accounts.  (They MAY exchange information via email with authorized third parties, using the University’s messaging services.)
  2. Use services OTHER than the University’s remote access or web portal services to remotely conduct University business that is considered sensitive.
  3. Use devices or services OTHER than University-managed devices or services to collect, process, transport, store, or transmit Confidential or Private information.  (Personal smartphones and removable media that are secured by the University are considered “University-managed.”)
  4. Discuss or post information classified as Confidential, Private, or Internal on social networks (e.g., MySpace, Facebook, LinkedIn), blogs, or any other medium not directly managed by the University without the explicit consent of management, Legal, and Compliance.
  5. Discuss or share information classified as Confidential or Private with unauthorized parties, including University personnel, regardless of format.

B. Responsibilities:


  1. Vice Presidents and Deans must exercise due care and control over their school and unit information assets by ensuring compliance with this policy and with legal requirements, and by fulfilling the specific duties specified in the section on requirements.
  2. Data Stewards must:
    1. Implement this policy
    2. Fulfill the specific duties specified in the section on requirements.
    3. Provide training and awareness about information handling to users with access to their Confidential and Private information.
    4. Annually assess the information classification, criticality, and risk of their information assets, and update it accordingly.
  3. IRT must implement the technical security requirements defined by the Data Steward.

C. Security Incident Reporting

Unauthorized disclosure, loss, or theft of Confidential or Private information must be reported immediately in accordance with the Security Incident Management Policy.

  1. Immediately report loss, theft, or unauthorized access to a manager.  If the information is ePHI, Compliance must be notified.
  2. Report loss or theft of physical assets to Public Safety and the Information Security Office.

VII. NON-COMPLIANCE SANCTIONS

Violation of this policy may subject the violator to disciplinary action, up to and including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes.


By Direction of the CIO:

...