URP: I.19.U Data Access Policy

Tags techurp

Overview

The Data Access and Classification Policy provides a framework for managing  data assets based on value and associated risks and for applying the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations. All TWU data, whether electronic or printed, should be classified. The data owner, who is responsible for data classification, may consult with the Data Standards and Integrity Committee on the classification of data as confidential, agency-sensitive, or public. Consistent use of data classification reinforces with users the expected level of protection of TWU data assets in accordance with TWU security policies.

Purpose

The purpose of the Data Access and Classification Policy is to provide a foundation for the development and implementation of necessary security controls to protect information according to its value and/or risk. Security standards, which define these security controls and requirements, may include: document marking/labeling, release procedures, privacy, transmission requirements, printing protection, computer display protections, storage requirements, destruction methods, physical security requirements, access controls, backup requirements, transport procedures, encryption requirements, and incident reporting procedures.

Scope

The Data Access and Classification Policy apply equally to all individuals who use or handle any TWU Information Resource.  This includes any TWU data created, sent, printed, received, or stored on systems-owned, leased, administered, or authorized by TWU.  Data protection is the responsibility of the TWU owners, designated custodians, and users.

Definitions

Access: The physical or logical capability to interact with, or otherwise make use of information resources.

Control: A safeguard or protective action, device, policy, procedure, technique, or other measure prescribed to meet security requirements (ie confidentiality, integrity, and availability) that may be specified for an information system.

Production System: A production system is a system being used for current operations.  A production system is different than a test or development system, which are not used for operational purposes.

Classification:

  • Confidential Data Classification: Applies to the most sensitive business information that must be protected from unauthorized disclosure or public release, based on state or federal law (i.e. Texas Public Information Act and other constitutional, statutory, judicial, and legal agreement requirements).
  • Agency Sensitive Data Classification: Applies to less-sensitive business information that is intended for use within TWU. Its unauthorized disclosure could adversely impact TWU or its students, strategic partners, and/or employees.
  • Public Data Classification: Applies to information that has been approved by TWU management or the State of Texas for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm.
  • Business Functional Data Classification: Applies to data relating to items, components, or processes that are sufficient to enable physical and functional processing of operations. Examples of data are: meta data (i.e., data defining other data), size, configuration, department structures, characteristics, functional characteristics, and performance requirements.

Production Information: Production information includes all electronic information used within or in support of a mission critical business function. 

Data Owner: Data owners are designated members of the TWU management team who act as stewards and supervise the ways in which certain types of information are used and protected.

Data Custodian: Data custodians provide physical, technical, and procedural safeguards for the information resources.

Data User: Data users use the resources only for defined purposes.

Information Resource Manager (IRM): Is a designated position required by the State of Texas for each institution of higher education. The IRM oversees the acquisition and use of information technology within a state agency or university. The IRM ensures that all information resources are acquired appropriately, implemented effectively, and comply with regulations and agency policies. The designated IRM at TWU is the Associate Provost for Technology and CIO.

Information Security Officer (ISO): Is a designated position required by the State of Texas for each institution of higher education.  The ISO is responsible for monitoring the effectiveness of information resources security controls. The ISO also administers the institution’s information security program. The designated ISO at TWU is the Director of Technology Infrastructure.

Policy

The Data Access policy specifies the responsibilities of users.  Users are categorized into three types: user, owner, and custodian.  TWU maintains many systems that contain various types of data (e.g., financial, student, employee). The owners of each type of data are specified by their position title. Finally, the policy states the proper control, use, and security of data.

Data User Responsibility

All TWU employees who come into contact with sensitive TWU internal information are expected to familiarize themselves with this data classification policy and to consistently use these same ideas in their daily TWU business activities. Sensitive information is either confidential or agency sensitive information, and both of which are defined in this document. Although this policy provides overall guidance, to achieve consistent information protection, TWU employees are expected to apply and extend these concepts to fit the needs of day-to-day operations. The data classification system, as defined in this document, is based on the concept of need to know.  This term means that information is not disclosed to any person who does not have a legitimate and demonstrable business need to receive the information.  This concept, when combined with the policies defined in this document, will protect TWU information from unauthorized disclosure, use, modification and deletion.

 

Data Owner Responsibilities

Data Owners and his/her designated representative are responsible for the following:

  • Approving access and formally assigning custody of an information resources asset
  • Determining information resource asset values
  • Specifying data control requirements and conveying them to data users and data custodians
  • Specifying appropriate controls, based on a risk assessment, to protect the state’s information resources from unauthorized modification, deletion, or disclosure.  Controls shall extend to information resources and services outsourced by TWU.
  • Confirming that controls are in place to ensure the confidentiality, integrity, and availability of data
  • Assigning custody of information resources assets and provide appropriate authority to implement security controls and procedures
  • Reviewing access lists based on documented risk management decisions
  • Approving, justifying, documenting and accountable for exceptions to security controls.  The data owner shall coordinate exceptions to security controls with the Information Security Officer or Information Resource manager
  • Classifying business functional information

Data Custodian Responsibilities

Data Custodians, including third party entities providing outsourced information resource services to TWU:

  • Implementing controls as specified by data owners
  • Providing physical, technical, and procedural safeguards for information resources
  • Assisting owners in evaluating the cost-effectiveness of controls and monitoring
  • Implementing monitoring techniques and procedures for detecting, reporting and investigating incidents

Owners

Type of Data

Data Owner

Academic Program Application Data

Program Director

Alumni Data

Director of Institutional Development

Applicant Data (Pre-admission)

Director, Admissions Processing

Audit Data

Director of Internal Audits

Board of Regent Data

General Counsel

Budget Data

Director of Budget

Career Services

Director of Career Services

Dental Clinic Data

Dental Hygiene Program Director

Donor Data

Director of Institutional Development

Employee Data

Director of Human Resources Professional Services

Facilities Data

Director of Physical Plant

General Ledger Data

Controller

Identification and Food Service Data

Director of Food Service and ID Systems

Institutional Research Data

Assistant Provost of Insitutional Research and Data Management

Library Data

Dean of Libraries

Payroll Data

Director of Human Resources Employee Services

Public Safety Data

Director of Public Saftey

Purchasing Data

Director of Procurement Services

Research Data

Primary Investigator

Student Academic Data (Post-admission)

Registrar

Student Disciplinary Data

Director, Civility and Community Standards

Student Financial Aid Data

Director of Financial Aid

Student Health Data

Director of Student Health Services

Student Housing Data

Director of University Housing

Technology Infrastructure and Security Data

Information Security Officer

Treasury Data

Controller

 

Access Control

Each of the policy requirements set forth in this document are based on the concept of need to know. If an employee is unclear how the requirements set forth in this policy should be applied to any particular circumstance, he or she must conservatively apply the need to know concept. That is to say that information must be disclosed only to those people who have a legitimate business need for the information.

The proper controls shall be in place to authenticate the identity of users and to validate each user’s authorization before allowing the user to access information or services on the system.  Data used for authentication shall be protected from unauthorized access.  Controls shall be in place to ensure that only personnel with the proper authorization and a need to know are granted access to TWU systems and their resources.  Remote access shall be controlled through identification and authentication mechanisms.

Access to TWU sensitive information will be provided only after documented authorization of the Data Owner has been obtained.  Access requests will be presented to the data owner using an access request form. Access request forms can be found on the Office of Technology web site under the heading Access and Logins.  Custodians of the involved information will refer all requests for access to the relevant Owners or their delegates.  After receiving approval from the data owner, custodians will grant the approved access.  Special needs for other access privileges will be dealt with on a request-by-request basis.  The list of individuals with access to confidential or agency sensitive data must be reviewed periodically for accuracy by the relevant data owner.

All data on a production system must have a designated owner.  Owners are responsible assigning appropriate sensitivity classifications to production information.  Owners do not legally own the information entrusted to their care. 

Use of Data

Data classified as confidential must not be stored on a personal computer, portable computer, personal digital assistant, or any other single-user system.

If agency sensitive information is going to be stored on a personal computer, portable computer, personal digital assistant, or any other single-user system, the system must conform to data access control safeguards approved by the data custodian and the data owner.  When these users are not currently accessing or otherwise actively using the restricted information on such a machine, they must not leave the machine without logging off, invoking a password protected screen saver, or otherwise restricting access to the restricted information.

If agency sensitive data is to be transmitted over any external communication network (i.e. the internet), it must be sent in an approved encrypted form. Such transmissions include, but are not limited to electronic mail systems. All such transmissions must use a virtual public network or similar access controls as approved by the data custodian.  Departments transmitting sensitive data will receive annual reviews to validate encryption protocols and procedures. Training on secure transmission will be provided by the Technology Infrastructure department.

Before any agency sensitive information may be transferred from one computer to another, the person making the transfer must ensure that access controls on the destination computer are commensurate with access controls on the originating computer. If comparable security cannot be provided with the destination system’s access controls, then the information must not be transferred.

Storage media containing sensitive (i.e. confidential or agency sensitive) information shall be completely empty before reassigning that medium to a different user or disposing of it when no longer used.  Simply deleting the data from the media is not sufficient.  Texas Administrative Code requires that a method must be used that complies with the Department of Defense 5220.22-M standard.  The appropriate data custodian is responsible for ensuring compliance with this standard. Training on secure data storage and deletion will be provided by the Technology Infrastructure department. "Texas Woman's University classifies data that is regulated by The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) and The Health Insurance Portability and Accountability Act (HIPAA) of 1996, 45 C.F.R. 160 , as confidential data."

 

Physical Security

Access to the data center must be physically secured in a reasonable and appropriate manner.  Physically secured is defined as locked in a location that denies access to unauthorized personnel.  All network equipment (routers, switches, etc.) and servers located in any TWU facility must be secured when no TWU personnel, or authorized contractors, are present. 

Exception

Information owned or under the control of the United States Government must comply with the federal classification authority and federal protection requirements.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Supporting Information

(This Policy is supported by the following Policy Standard)

TWU Policy 9.01 Computer and Software Acceptable Use Policy

References                                                

National/Federal

Copyright Act of 1976

Foreign Corrupt Practices Act of 1977

Computer Fraud and Abuse Act of 1986

Computer Security Act of 1987

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Gramm-Leach-Bliley Act of 1999

Sarbanes-Oxley Act of 2002

Family Education Rights and Privacy Act of 1974

Uniform Trade Secrets Act

 

Texas

Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C, Rule 202.71 – Information Security Standards

Texas Business and Commerce Code, Chapter 48 – Consumer Protection Against Computer Spyware Act

Texas Business and Commerce Code, Chapter 521 – Unauthorized Use of Identifying Information

Texas Government Code, Chapter 441 – Libraries and Archives

Texas Government Code, Chapter 552 – Public Information Act Texas

Texas Government Code, Chapter 2054 – Information Resources Management Act

Texas Penal Code, Chapter 33 – Computer Crimes

Texas Penal Code, Chapters 33A – Telecommunications Crimes

Links

(This page contains links to other sites outside of Texas Woman’s University.  TWU is not responsible for the privacy practices or the content of such web sites.)

TWU Security Office (infosec@twu.edu)

Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/)

DIR Practices for Protecting Information Resources Assets (http://dir.state.tx.us/pubs/)

DIR Standards Review and Recommendations Publications (http://dir.state.tx.us/pubs/)

 

Details

Article ID: 84725
Created
Mon 8/12/19 1:55 PM
Modified
Tue 4/28/20 9:45 AM