Security of Data Classified as Critical Policy

School of Engineering and Technology

Scope

This Policy applies to all users of School of Engineering and Technology information technology resources regardless of affiliation, and irrespective of whether those resources are accessed from on-campus or off-campus locations. This policy will not supersede any Indiana University developed policies.  

Rationale

The use of information technologies has become critical in support of most if not all Indiana University operations. This dependence has resulted in a very large, very diverse, and very complex technology environment. At the same time, much more data are being stored, accessed, and manipulated electronically, which has resulted in an increased risk of unauthorized disclosure or modification of personal, proprietary, sensitive, or institutional data. It is very important that everyone associated with providing and using these technology services is diligent in handling sensitive data and exercises due diligence to assure data integrity.

Policy Statement

School of Engineering and Technology organizational units (programs, departments, offices, affiliated groups, etc.) operating technology resources are responsible for ensuring that data classified as Critical at IU are secured to the level set forth by this Policy. The collection and storage of data classified as Critical at IU are restricted to legitimate business need, such as instances where an outside or government agency requires use of the data, where the data cannot be derived from IU central IT systems.

In these cases, and for data classified as Critical at IU not stored in a secure database, the following standards apply:

  1. The data are to be stored ONLY on the departmental-level shared network storage service managed by the School of Engineering and Technology Computer Network Center.
  2. The data are to be encrypted using an encryption technology approved by the Computer Network Center.
  3. The storage of data classified as Critical at IU requires Dean-level approval.
  4. Any transmission of data classified as Critical at IU is to be encrypted.
  5. Data classified as Critical at IU are not to be stored on removable storage media, on personal network drive space (e.g. H:), or on a user’s personal computer or University issued computer.

Procedures

Identifying and Securing data classified as Critical at IU

  1. It is the responsibility of the data user to determine if their data is the type of data classified as Critical at IU, such as social security numbers or credit card numbers.  
  2. To determine if the keeping of data classified as critical is appropriate, consultation with the Computer Network Center is recommended.
  3. Once the need for keeping data classified as critical is established, the Computer Network Center is to be notified to assist with implementing appropriate encryption/logging technology.
  4. Critical data which is not needed must be electronically shredded utilizing a tool such as Identity Finder or the media properly disposed of per the SoET Electronic Media Disposal Policy.
  5. This policy serves as notice that twice annually the Computer Network Center will scan for critical data contained within files stored on the network server (H: & G: drives) utilizing a scanning tool such as Identity Finder. If critical data is located, the results will be provided to the data user. In accordance with IU IT Policy Privacy of Electronic Information and Information Technology Resources (IT-07), CNC administrators will avoid opening the files Identity Finder locates; instead, CNC administrators will send the names of the resulting files to the owner of the account or system where the files are stored, directing the owner to review the files and take appropriate action. The file owner is required to immediately address the issue.

Definitions

A database is a collection of data that is organized so that its contents can easily be accessed, managed, and updated. Typically, the term database refers to the use of special software which organizes data in a specific, and often proprietary, format.

A Data Owner is the individual(s) that can authorize or deny access to certain data, and is responsible for its creation, accuracy, integrity, and timeliness.

Encryption Technology is the coding or scrambling of information so that it can only be decoded and read by someone who has the correct decoding key.

Network Storage is the data storage location managed by the Computer Network Center and is commonly referred to as having a drive letter H: and G:, or is a storage location set up specifically for a special type of system, such as software which utilizes database technology.

includes all types of devices which store data, such as flash drives, Optical Discs (CD, Blu-ray or DVD), MP3 players, Memory cards (CompactFlash card, Secure Digital card, Memory Stick), PDAs, externally connected hard drives, floppy disks, electromagnetic tape, or the like.

Data Classified as Critical at IU refers to any data of which the compromise with respect to confidentiality, integrity, and/or availability could have a material adverse effect on University interest or the privacy to which individuals are entitled. Examples of data classified as Critical at IU include social security numbers, credit card numbers, medical or mental health records, certain forms of professional/client privilege, and certain types of institutional data.  See Classifications of Institutional Data.

Sanctions

Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Vice Provost or Vice Chancellor of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.