...
Title: Transmission of Sensitive Information Policy
Subject: Information Security
Policy No: ISO:2013:06
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Information Security Officer
Date Adopted: 07/01/2013
Last Revision: 10/04/2023
Last Review: 10/04/2023
I. PURPOSE
This policy is required to comply with
...
regulations related to the protection of sensitive information in transit, including, but not limited to, Protected Health Information (PHI) and Personal Identifying Information (PII), from unauthorized access, and to protect against data breaches. This policy sets forth requirements for the transmission or receipt of sensitive information on the Rowan University network.
II. ACCOUNTABILITY
Under the direction of the Vice President for Information Resources and Chief Information Officer, the Chief Information Officer and the
...
Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will also implement this policy in their respective areas.
III. APPLICABILITY
This policy applies to all
...
users accessing the Rowan
...
Network or University information through computing devices owned or managed by the University. All University faculty, students, staff, temporary employees, contractors, outside vendors and visitors to campus who have access to University-owned or managed information through computing systems or devices are "
...
users."
IV. DEFINITIONS
- "Encryption" – the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
- "Personal Identifying Information" (PII) – Personal Identifying Information includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, state identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or info that can be used to access a person's financial resources.
- "Protected Health Information" (PHI) – Information covered by the Health Insurance Portability and Accountability Act (HIPAA).
- "Public Network" – Any network outside the Rowan University network.
- "Secure Backup" (Encryption Recommended) – The process of making a backup copy of information for the purpose of data recovery with security safeguards present to ensure the backup copy of the data remains protected from unauthorized access at all times. This may include physical protections as well as encryption to safeguard the backup information.
V. REFERENCES
1. HIPAA http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
...
Refer to the Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
VI. POLICY
All sensitive information, including Protected Health Information (PHI), confidential data and Personal Identifying Information (PII) (as defined in the Information Classification Policy), that is transmitted or received by Rowan University's computer systems, including mobile devices, must be encrypted in accordance with the requirements of the Encryption Policy when transmitted over wireless or public networks, including when transmitted via FTP and electronic mail.
Examples of when encryption is required include, but are not limited to:
- A University employee, student, contractor, or vendor sending or receiving the University's PHI, confidential data or PII using his/her home's Internet Service Provider (ISP) connection (e.g. cable company or DSL), unless both (a) using a VPN connection, and (b) transmitting only to a destination within the campus network.
- Any transmission of PHI, confidential data or PII sent over any home, public, hotel, or the unsecured campus wireless network, unless both (a) using a VPN connection, and (b) transmitting only to a destination within the campus network. Use of the RowanSecure campus wireless network does not require VPN as long as one is transmitting to a destination within the campus network.
- A University employee, student, contractor, or vendor sending or receiving the University's PHI, confidential data or PII to a destination address outside the campus network. (Encryption is required in this case, even if a VPN connection is used.)
- Any vendor transmissions of PHI or PII sent over the Internet.
- Use of a PDA to transmit PHI, confidential data or PII over a public network.
Encryption is not required for a University employee who uses an on-campus workstation, with a wired connection to the University network, to transmit a document to another University user or to save a document containing PHI, confidential data or PII to his/her University-managed network folder.
VII. NON-COMPLIANCE AND SANCTIONS
Violation of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes.
By Direction of the CIO:
Mira Lalovic-Hand,
SVP and Chief Information Officer