
...

Under the direction of the President, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.

III. APPLICABILITY

This policy applies to all members of the Rowan community including faculty, staff, non-employees, students, attending physicians, contractors, covered entities, and agents of Rowan, as well as visitors, who have been explicitly and specifically authorized to access and use the University's information systems.

IV. DEFINITIONS

A. Application – A computer program that processes, transmits, or stores University information and which supports decision-making and other organizational functions.  It typically presents as a series of records or transactions.  These records and transactions are generally accessible by more than one user.

...

A. Acceptable Use Policy ISO: 2013:01

B. Mobile Computing and Removable Media Policy ISO: 2013:02

C. Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. 1232g; 34 CFR Part 99

D. Federal Information Security Management Act (FISMA) http://csrc.nist.gov/groups/SMA/fisma

E. Federal Trade Commission http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml

F. Health Insurance Portability and Accountability Act of 1996 http://www.hhs.gov/ocr/privacy/index.html: Sections: 164.308 (a)(4)(ii)(B), 164.308 (a)(4)(ii)(C), 164.308 (a)(7)(ii)(E), 164.312 (e)(1), 164.312 (e)(2)

G. New Jersey Open Public Records Act Section: N.J.S.A. 47:1A-1.1

H. New Jersey Identity Theft Protection Act Sections: N.J.S.A. 56:8-161, N.J.S.A. 56:8-163

I. Payment Card Industry Sections: PCI DSS v2 7.1, PCI DSS v2 7.2

VII. POLICY

A. All members of the University community have a responsibility to protect the Confidentiality, Integrity, and Availability of information collected, processed, transported, stored, or transmitted by the University, irrespective of the medium on which the information resides.

...

B. Information must be classified and handled according to its value, legal requirements, sensitivity, and criticality to the University. Protection levels must be established and implemented relative to the information's classification, protecting against unauthorized access, modification, disclosure, and destruction. For information governed by law and regulations (such as protected health information, student records, and personally identifiable information), the protection levels must satisfy the applicable data security and data privacy requirements.

C. Vice Presidents and Deans shall:

  1. Ensure that each business unit in their respective areas of oversight appropriately identifies and classifies the information generated by that business unit.
  2. Ensure that each member of their business units receives periodic training and awareness about how to handle sensitive information.
  3. Assign business unit managers, senior managers, or designees the role of Data Steward for their respective information.
  4. Ensure that their Data Stewards maintain an inventory of their information assets, including applications.
  5. Annually perform a risk assessment of their applications.
  6. Annually report their aggregate inventory of information assets to the Information Security Office.

D. Data Stewards shall:

  1. Classify University information under their control as (reference the Definitions Section and EXHIBIT):
    1. CONFIDENTIAL
    2. PRIVATE
    3. INTERNAL
    4. PUBLIC
      They should take into consideration the business needs for sharing or restricting information and the impacts associated with those needs.
  2. Where practicable, clearly label Confidential and Private information.
  3. Establish its criticality using the Office of Information Security’s Business Impact Analysis methodology.
  4. Establish the business unit's security requirements and expectations for the applications the business unit owns and which contain their information. For example:
    1. How a user should be authenticated.
    2. How users will be granted access to the application
    3. Revocation procedures of user access privileges.
    4. Procedures for approving requests for access and use of the information in its applications.
    5. Record retention and e-discovery requirements.
  5. Maintain an inventory of their information assets, including all applications that collect, process, transport, store, or transmit their information. (The ISO's business impact analysis methodology can assist with this effort.)
  6. At minimum, annually assess and update the Information Classification, based on changing usage, sensitivities, law, or other relevant circumstances. Changes must be reported to their business unit's VP or Dean and the application managers.
  7. Establish procedures for data destruction in accordance with the University’s record retention and disposal policies.

E. Confidential and Private information must be collected, processed, transported, stored, or transmitted using only:

  1. Software, hardware, and services whose security is managed by the University (e.g., remote access services, University messaging services, applications, databases, and servers managed by a local school/unit technology organization or IRT).
  2. Third Party managed devices or services that are subject to a contract between the Third Party and the University that contains confidentiality provisions consistent with University policies and standards.

F. External Handling/Security Requirements:

  1. University information in electronic form that is regulated by HIPAA, FERPA, GLBA, or PCI must be encrypted when electronically stored, transmitted, or transported externally.
    Information entrusted to the University by grant-providers or NIH (data-sharing arrangements) must be protected, at a minimum, according to contractual obligations, regulatory requirements, and/or University policy, and relative to the sensitivity of the information.
  2. Data Stewards may establish similar security requirements for non-regulated information at their discretion.

...

H. Prohibited Actions (include, but are not limited to):
All members of the Rowan community must NOT:

  1. Forward University information classified as Confidential or Private to outside or personal email accounts. (They MAY exchange information via email with authorized third parties, using the University's messaging services.)
  2. Use services OTHER than the University’s remote access or web portal services to remotely conduct University business that is considered sensitive.
  3. Use devices or services OTHER than University-managed devices or services to collect, process, transport, store, or transmit Confidential or Private information.  (Personal smartphones and removable media that are secured by the University are considered “University-managed.”)
  4. Discuss or post information classified as Confidential, Private, or Internal on social networks (e.g. MySpace, Facebook, LinkedIn), blogs, or any other medium not directly managed by the University and without the explicit consent of management, Legal, and Compliance.
  5. Discuss or share information classified as Confidential or Private with unauthorized parties, including University personnel, regardless of format.

VIII. NON-COMPLIANCE SANCTIONS

...