Data Security Policy (Revised)

Introduction

Institutional data is information that supports the mission and operation of Tennessee Tech University. It is a vital asset and is owned by the University. Some institutional data may be distributed across multiple departments or units of the University, as well as outside entities. Institutional data is considered essential, and must comply with legal, regulatory, and administrative requirements.

Departments and units must assess institutional risks and threats to the data for which they are responsible, and accordingly classify its relative sensitivity as Level I (low sensitivity), Level II (moderate sensitivity), or Level III (high sensitivity). Unless otherwise classified, institutional data is Level II. University personnel may not broaden access to institutional data without authorization from the department or unit responsible for the data. This limitation applies to all means of copying, replicating, or otherwise propagating university data.

All data shares to be set up between systems must be requested via ITS to ensure data integrity.

Data Classification

Authorization to access institutional data varies according to its sensitivity (the need for care or caution in handling). For each classification, several data handling requirements are defined to appropriately safeguard the information. It’s important to understand that overall sensitivity of institutional data encompasses not only its confidentiality (need for secrecy), but also the need for integrity and availability. The need for integrity, or trustworthiness, of institutional data should be considered and aligned with institutional risk; that is, what is the impact on the institution should the data not be trustworthy? Finally, the need for availability relates to the impact on the institution’s ability to function should the data not be available for some period of time. There are three classification levels of relative sensitivity which apply to institutional data:

Level I: Low Sensitivity
Access to Level I institutional data may be granted to any requester, or it is published with no restrictions. Public data is not considered sensitive. The integrity of “Public” data should be protected, and the appropriate department or unit must authorize replication or copying of the data in order to ensure it remains accurate over time. The impact on the institution should Level I data not be available is typically low, (inconvenient but not debilitating). Examples of Level I “Public” data include published “white pages” directory information, maps, departmental websites, and academic course descriptions.

Level II: Moderate Sensitivity
Access to Level II institutional data must be requested from, and authorized by, the department or unit who is responsible for the data. Access to internal data may be authorized to individuals based on job classification or responsibilities (“role-based” access), and may also be limited by one’s employing unit or affiliation. Non-Public or Internal data is moderately sensitive in nature. Often, Level II data is used for making decisions, and therefore it’s important this information remain timely and accurate. The risk for negative impact on the institution should this information not be available when needed is typically moderate. Examples of Level II “Non-Public/Internal” institutional data include project information, official university records such as financial reports, human resources information, some research data, unofficial student records (including grade books without SSNs), and budget information.

Level III: High Sensitivity
Access to Level III institutional data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the University who require such access in order to perform their job, or to those individuals permitted by law. Access to confidential/restricted data must be individually requested and then authorized by the department or unit who is responsible for the data. Level III data is highly sensitive and may have personal privacy considerations, or may be restricted by federal or state law. In addition, the negative impact on the institution should this data be incorrect, improperly disclosed, or not available when needed is typically very high. Examples of Level III “Confidential/Restricted” data include official student grades and financial aid data; social security and credit card numbers; individuals’ health information, and human subjects research data that identifies an individual.

Policy Statement

Data Handling Requirements

LEVEL I
Low Sensitivity
(Public Data)
LEVEL II
Moderate Sensitivity
(Non-Public/
Internal Data)
LEVEL III
High Sensitivity
(Confidential/
Restricted Data)
Mailing & Labels
on Printed Reports
None May be sent via Campus Mail; no labels required Must be sent via Confidential envelope; reports must be marked “Confidential”
Electronic Access No controls Role-based authorization Individually authorized, with a confidentiality agreement
Secondary Use As authorized by department or unit As authorized by department or unit Prohibited
Information stored on CD/DVD, tape, floppy, or other archival media See Physical Access controls See Physical Access controls Encryption via approved methods or Physical Access controls
Physical Access Controls (CD/DVD, tape, floppies, paper, or other archival media) No special controls Access-controlled area Access-controlled and monitored area with restricted access or vault; paper archives must be in locked storage facilities with limited key distribution or in locked filing cabinets
External Data
Sharing
No special controls As allowed by TN Law As allowed by Federal regulations; TN Law; FERPA restrictions
Electronic
Communication
No special controls Encryption recommended for external transmission Encryption required for external transmission
Data Tracking None None Social Security Numbers, Credit Cards, and PHI locations must be registered with the appropriate campus entity
Data Disposal No controls Recycle reports; Wipe/erase media Shred reports; DOD-Level Wipe or destruction of
electronic media
Auditing No controls Changes Logins, accesses and changes
Information stored on workstations and mobile devices Password protection recommended Password protected Password protected;  encryption via approved encryption method
Physical Access Controls (workstations, laptops, USB flash drives, servers, PDAs and cell phones) Locked when not in use Access-controlled area; locked when not in use Access-controlled and monitored area; locked when not in use

 

Control Definitions

Each employee must confirm their understanding of and agreement with this Data Security policy by signing the  Confidentiality Agreement.

For information regarding the approved/recommended encryption devices and methods, please see  Encryption Methods

Proposed by Information Technology Services
Interim approval by the President:  January 29, 2008
Revision 1.3 recommended by the Information Technology Committee February 28, 2008.

Complete the Whole Disk Encryption Survey Form to help ITS determine if you need Whole Disk Encryption.

Printable Version pdf_icon_sm of the Data Security Policy-Revised.