Policy AD23 USE OF INSTITUTIONAL DATA

Contents

  • Purpose
  • Scope
  • Policy
  • . . . . General
  • . . . . Trusted Networks
  • . . . . . . . . Physical Security
  • . . . . . . . . Access Security
  • . . . . Responsibilities
  • . . . . . . . . For All Institutional Data
  • . . . . . . . . For Computerized Institutional Data
  • Sanctions
  • Cross References

  • PURPOSE:

    To establish policy for the use of University institutional data (which will include paper, film, electronic, etc.) and the responsibilities for the protection of such data.

    SCOPE:

    This policy applies to all University locations, and to all uses of institutional data regardless of the office or format in which the data reside.

    Use of data which are entrusted to the University by other organizations (e.g., foundations and government agencies) is governed by terms and conditions agreed upon with those organizations.

    POLICY:

    1. GENERAL:

    2. TRUSTED NETWORKS:

      Trusted networks are those networks that retrieve, store, maintain or make use of Computerized Institutional Data. Trusted Networks must meet the following high level, minimum security standards. Additional security controls may be required by College/Unit security policies or by security procedures developed by system administrators or operators of computer facilities:

      1. Physical Security
        1. Trusted Network nodes must be secure from uncontrolled access.

        2. There must be controlled access to the devices and services connected physically or logically to the Trusted Network.

        3. Administrators of Trusted Networks will provide connectivity to other networks (Trusted or Untrusted) only with prior approval of the Administrative Information Services Security Officer.

      2. Access Security
        1. Systems on a Trusted Network must have software and/or hardware access controls (at a minimum, passwords). All processes initiated by the system must be uniquely attributable to an account of a distinct system user.

        2. The privacy and the integrity of data must be adequately protected when transmitted on communication channels.

        3. Data stored in network-connected equipment must be protected from unauthorized dissemination.

        4. Local storage of Computerized Institutional Data must be protected with the same granularity of security control provided by the originating host system (i.e., a user is given access only to the data for which that user has access on the originating host system).

    3. RESPONSIBILITIES:

      1. General responsibilities for all institutional data, regardless of format or media:

        The Office Of The President is responsible for setting overall policy regarding institutional data use and protection.

        Deans and Administrative Officers are responsible for ensuring institutional data users within their area of accountability are aware of and comply with their responsibilities as defined in this policy.

        Institutional Data Users are responsible for ensuring that they make use of institutional data services and facilities only as required in the performance of their job functions, and that all use of institutional data services and facilities is authorized in accordance with this policy and Policy AD20.

        University Employees must recognize the importance of institutional data to the conduct of the University's mission, and take action to resolve or report to their management instances in which confidential institutional data are at risk of unauthorized disclosure, dissemination or destruction.

      2. Additional responsibilities for Computerized Institutional Data:

        All provisions of Policy AD20 apply to Institutional Computer and Network Resources. The following responsibilities are in addition to those specified in Policy AD20, and apply specifically to Institutional Computer and Network Resources and access to or use of Computerized Institutional Data.

        The Vice Provost of Information Technology - is responsible for:

        1. Resolving disputes concerning use and stewardship of Computerized Institutional Data.

        Deans and Administrative Officers - are responsible for:

        1. Ensuring major University offices under their cognizance appoint an individual within their staffs to carry out the responsibilities of the Access and Security Representative (ASR) for the unit.
        2. Ensuring mechanisms are in place to validate a system user's need for access to specific Computerized Institutional Data prior to submission of requests for access to the ASR.

        System Users - are responsible for:

        1. Ensuring they understand, agree to and comply with the provisions of this policy applicable to all Institutional Data Users in their handling of Computerized Institutional Data.

        Information Associates - are responsible for:

        1. Ensuring that programs they develop include security protection commensurate with the value of the institutional data used, and that such programs are thoroughly tested.

        Data Stewards - are responsible for:

        1. Specifying the use and protection of Computerized Institutional Data, taking into account the value of the data and applicable legal requirements. A data steward is required for each data element. Under certain circumstances stewardship may be shared. In such cases, mutually agreed-upon procedures will define each data steward's responsibility.

        2. Ensuring that protection requirements have been implemented and that a system user's need for access to specific Computerized Institutional Data has been clearly demonstrated by the access and security representative or information associate before granting such access.

        3. Substantiating reasons in writing for denying or limiting access in those cases where an access and security representative, system user or information associate has been denied access to specific Computerized Institutional Data.

        Data Administrators - are responsible for:

        1. Formulating and executing written agreements on institutional data use and protection between the individual requiring access to Computerized Institutional Data, their access and security representative and the applicable data steward prior to the release of such data to any individual.

        Access and Security Representatives (ASR) - are responsible for:

        1. Requesting access control information (e.g., a User ID and Password), and initial basic capabilities for new system users or information associates.

        2. Requesting access for system users or information associates to needed production applications, both on-line and batch.

        3. Coordinating requests by authorized system users or information associates for access to Computerized Institutional Data for ad hoc reporting and analyses.

        4. Ensuring that all data accessed or received is used in accordance with University policy and agreements reached with the data stewards.

        5. Providing a secure means to inform users of password changes or replacement passwords that have been entrusted to the ASR.

        6. Coordinating access and security procedures for system users transferring to or from other positions within the University.

        7. Ensuring that cessation of access to University Computer and Network Resources by system users terminating employment is promptly requested.

        8. Reporting violations of this policy or other University data access and use policies and agreements to the appropriate computer security officer or system administrator, and to the Security Operations and Services Director. Custodial responsibility for institutional data begins when data are accepted within the access and security representative's organization.

        System administrators - or operators of a computer facility that maintains Computerized Institutional Data are responsible for:

        1. Providing training as required for system users of Institutional Computer and Network Resources in how to access and update Computerized Institutional Data.

        2. Developing and enforcing data access and update standards, as well as acquiring or developing the generalized tools to assist access and security representatives and information associates in conducting their business.

    SANCTIONS:

    Violation of any portion of this Policy may result in initiation of legal action by the University and appropriate disciplinary action, which may include dismissal.

    CROSS REFERENCES:

    Other Policies in this manual should also be referenced, especially the following:

    AD11 - University Policy on Confidentiality of Student Records,

    AD20 - Computer and Network Security,

    AD35 - University Archives and Records Management,

    ADG01 - Glossary of Computer Data and System Terminology,

    ADG02 - Computer Facility Security Guideline, and

    HR60 - Access to Personnel Files.


    Effective Date: April 22, 1997
    Date Approved: April 22, 1997
    Date Published: April 29, 1997; editorial change November 21, 2002

    Most recent changes:

    | top of this policy | GURU policy menu | GURU policy search | GURU home | GURU Tech Support | Penn State website |