
Title: Transmission of Sensitive Information Policy
Subject: Information Security 
Policy No: ISO:2013:06
Applies: University-Wide 
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Information Security Officer
Date Adopted: 07/01/2013
Last Revision: 10/04/2023
Last Review: 10/04/2023


I.     PURPOSE

This policy is required to comply with ... regulations related to the protection of sensitive information in transit, including, but not limited to, Protected Health Information (PHI) and Personal Identifying Information (PII), from unauthorized access and to protect against data breaches. This policy sets forth requirements for the transmission or receipt of sensitive information on the Rowan University network.

II.   ACCOUNTABILITY

Under the direction of the Vice President for Information Resources and Chief Information Officer, the Chief Information Officer and the ... Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will also implement this policy in their respective areas.

III.  APPLICABILITY

This policy applies to all ... users accessing the Rowan ... Network or University information through computing devices owned or managed by the University. All University faculty, students, staff, temporary employees, contractors, outside vendors and visitors to campus who have access to University-owned or managed information through computing systems or devices are "users."

IV.  DEFINITIONS

  1. "Encryption" – the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
  2. "Personal Identifying Information" (PII) – Personal Identifying Information includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, state identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or info that can be used to access a person's financial resources.
  3. "Protected Health Information" (PHI) – Information covered by the Health Insurance Portability and Accountability Act (HIPAA).
  4. "Public Network" – Any network outside the Rowan University network.
  5. "Secure Backup" (Encryption Recommended) – The process of making a backup copy of information for the purpose of data recovery with security safeguards present to ensure the backup copy of the data remains protected from unauthorized access at all times. This may include physical protections as well as encryption to safeguard the backup information.

V.   REFERENCES

1.  HIPAA http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

...

Refer to the Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.

VI.  POLICY

  1. All sensitive information including Protected Health Information (PHI), confidential and Personal Identifying Information (PII) (as defined in the Information Classification Policy) that is transmitted or received by Rowan University's computer systems, including mobile devices, must be encrypted in accordance with the requirements of the Encryption Policy when transmitted over wireless or public networks, including when transmitted via FTP and electronic mail.

  2. Examples of when encryption is required include, but are not limited to:

    1. A University employee, student, contractor, or vendor sending or receiving the University's PHI, confidential data or PII using his/her home's Internet Service Provider (ISP) connection (e.g. cable company or DSL), unless both (a) using a VPN connection, and (b) transmitting only to a destination within the campus network.

    2. Any transmission of PHI, confidential data or PII sent over any home, public, hotel, or the unsecured campus wireless network, unless both (a) using a VPN connection, and (b) transmitting only to a destination within the campus network. Use of the RowanSecure campus wireless network does not require VPN as long as one is transmitting to a destination within the campus.

    3. A University employee, student, contractor, or vendor sending or receiving the University's PHI, confidential data or PII to a destination address outside the campus network. (Encryption is required in this case, even if a VPN connection is used.)

    4. Any vendor transmissions of PHI or PII sent over the Internet.

    5. Use of a PDA to transmit PHI, confidential data or PII over a public network.

  3. Encryption is not required for a University employee who uses an on-campus workstation, with a wired connection to the University network, to transmit a document to another University user or to save a document containing PHI, confidential data or PII to his/her University-managed network folder.

VII.  NON-COMPLIANCE AND SANCTIONS

Violation of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes.


By Direction of the CIO:

Mira Lalovic-Hand,
SVP and Chief Information Officer