Sensitive Information Protection Policy


POLICY:

Information systems storing or serving sensitive information should be operated on secured systems within the environment of the University Computing and Communications Services (UCCS) institutional operations center.

Rationale:

The rising frequency of security incidents involving network-attached devices significantly increases the probability that sensitive data, if not properly authorized and protected, may be exposed to unauthorized viewing or modification.  Addressing the potential for identity theft using information about individuals has become an increasing concern of the institution. Established procedures for the protection and release of sensitive information must be followed regardless of the platform on which the data is stored or processed.

Standards & Procedures:

Standards:

Compliance.  Deans and Vice Presidents are responsible for monitoring compliance by their respective users with this policy and associated standards by: (1) directing compliance with the Internet Services Registration policy; and (2) directing reviews of, and action on, reports on compliance with this policy that are generated by University Computing and Communications Services (UCCS) or University Auditing and Advisory Services.

Sensitive Information on Serving Devices.  Sensitive Information is defined as any combination of the following data records:

  • Social Security Account Number
  • Personal identification numbers, other than the Social Security Number, that may be used to identify an individual
  • Information protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Information protected by the Family Educational Rights and Privacy Act (FERPA)
  • Credit card account numbers
  • Bank account numbers
  • Lists of computer system IDs and/or passwords

The Georgia State University Data Stewardship and Access Policy for University Information specifies policy regarding the propriety and coordination of both accessing and sharing institutional information by faculty and staff.  The Designated Data Steward for the particular data in question is defined in that policy as the person responsible for delegating authority for viewing and sharing such information.

Sensitive Information on Desktops/Laptops/Workstations.  Storage of sensitive information on devices that are not used or configured to operate as serving devices is acceptable if the user responsible for the device takes proper care to isolate and protect files containing that information from inadvertent or unauthorized access or viewing.  Assistance with securing sensitive information may be obtained from departmental IT staff or the University Information Security Officer.

Alternative Locations for Serving Devices.  Alternative locations must be reviewed and approved by the University Information Security Officer.  Such exceptions will be made only after the Information Security Officer has determined that the server providing sensitive information to the campus network and/or to the Internet is secured through reasonable procedures.

Procedures:
Secure Your Workstation

Revisions:

Revised for compliance with ISAT Senate Committee recommended formatting (January 2003).

Approval Date(s):

Reviewed by IST:
Reviewed by Information Security Subcommittee:
Reviewed by ISAT Senate Committee:
Approved by: University Administrative Council
Approved on: September 11, 2002
Version number: 2.0.0
Effective Date: September 11, 2002

SUMMARY OF CHANGES/ADDITIONS/DELETIONS

This policy was originally adopted by the University Administrative Council on September 11, 2002. This revision re-validates the intent of the policy. This revision places the original policy into the ISAT Senate Committee recommended format for clarity and ease of reference and update.
