Data Security and Classification Guidelines

(Doc. T97-010)

The University relies heavily on its electronic data processing systems and the data stored in them to meet its educational, research, informational and operational needs. It is essential that these systems be protected from misuse and that both the computer systems and all data be accessed and maintained in a secure environment. Data should be used responsibly and ethically.

I. Purpose

These Guidelines are issued pursuant to the Board of Trustees' Policy Statement on Electronic Data Security, Electronic Mail and Computer Policy Development (Doc. T97-010, adopted February 5, 1997) and:

  • Outline responsibilities related to data security, signature imaging and documentation at the University of Massachusetts (the University);
  • Provide guidelines for the security, access and confidentiality of the University's data; and
  • Provide methods for monitoring and enforcing these Guidelines.

II. Scope

Campus procedures regarding data security and classification shall:

  • Comply with and be based on the laws of the Commonwealth of Massachusetts, the United States and other regulatory agencies. This includes all applicable federal and state laws which govern the privacy and confidentiality of data, including the Electronic Communications Privacy Act of 1986, Family Educational Rights and Privacy Act of 1974 (as amended), 20 U.S.C. 1232g, and the regulations promulgated thereunder, 34 C.F.R., Part 99; the Massachusetts Fair Information Practices Act, M.G.L. c66A, and the Massachusetts Public Records Act, M.G.L. c. 66, section 10. Additionally, campus procedures may impose certain restrictions which are not specifically covered by state and federal law, or other regulations;
  • Apply to all data created and maintained by the Campuses (i.e. student, research, financial, payroll/personnel, etc.) except where superseded by grant or other contracts, or by federal Copyright Law;
  • Include all University data regardless of the medium on which it resides (e.g., paper; fiche; in electronic form on tape, cartridge, disk, CD-ROM, or hard drive; etc.) and regardless of form (e.g., text, graphics, video, voice, etc.);
  • Apply to all authorized users of the University of Massachusetts;
  • Refer to all data as defined in the Definitions Addendum to these Guidelines.

Electronic mail message security and confidentiality are addressed in the University Electronic Mail Guidelines.

III. Responsibilities

The President, together with the Chancellors, will issue guidelines which will:

  • Define what categories of individuals (e.g., full time, part-time, staff, students, economic partners, other educational institutions, general public, etc.) may access University data;
  • Determine what data are considered "institutional data" for the University.

The President shall appoint a Common Services central security specialist responsible for data and computer security planning, oversight, and coordination between campuses for centralized application systems and institutional data issues.

Campus procedures regarding data security and classification shall establish mechanisms to:

  • Determine which University department(s) shall be responsible for data security, which includes but is not limited to: monitoring and enforcing University/Campus data security policies, guidelines and procedures; coordinating or performing audits of data security; coordinating or performing incident investigations when a data security issue arises; and developing security awareness programs and training;
  • Appoint a campus central security specialist responsible for data and computer security planning, oversight, and coordination;
  • Appoint data custodians who are responsible for the day-to-day oversight of data as outlined below;
  • Determine which University department(s) shall be responsible for signature imaging records and documentation;
  • Assign data dissemination responsibilities.

Campus procedures regarding data security and classification shall require that central campus security specialists are responsible for:

  • Ensuring that audit trails exist for access and modification to Restricted and Confidential data, and other data as deemed appropriate;
  • Ensuring that a backup plan allowing for recovery of the data in the event of a disaster has been developed, tested and implemented;
  • Establishing when and ensuring that the level of risk to University data is assessed;
  • Ensuring that data are appropriately secured;
  • Reviewing and approving application systems changes which may affect the accessibility and security of the data;
  • Ensuring that a campus security awareness program has been developed and implemented.

Campus procedures regarding data security and classification shall require that data custodians are responsible for:

  • Knowing and understanding the data for which they are responsible;
  • Evaluating and ensuring the data has been appropriately classified based on: state and federal law, regulatory agency requirements and any contractual obligations; University policies/guidelines; and the confidentiality, criticality and sensitivity of the data;
  • Understanding the impact their design and access decisions have on the information and business needs of the users of the data. University policy may restrict or dictate the Data Custodian's role regarding data design and control (e.g., a policy indicating how access to Institutional Data should be handled would take precedence over individual Data Custodian decisions/determinations). Additionally, data custodians should make every attempt to support, not impede, University information and business needs;
  • Reviewing and approving application systems changes which may affect the accessibility and security of the data in their control, in conjunction with the central campus security specialist;
  • Determining, within any University policy/guidelines or Campus procedures, how data will be made available;
  • Ensuring that the accuracy of the data is maintained;
  • Determining and approving, within University policy/guidelines or Campus procedures, which individuals can access the data; ensuring that only these approved users have access to the data; and periodically reviewing whether any changes are needed;
  • Ensuring that all logon/operator IDs for individuals with access to University systems have been deleted when an authorized user has terminated employment, graduated or withdrawn from the University, or when a "courtesy account" is inactive or no longer needed;
  • Designating, if needed, a security administrator(s) responsible for the day-to-day tasks related to data security (e.g., maintaining security access tables, developing security awareness training, etc.).

Campus procedures regarding data security and classification shall require that authorized users are responsible for:

  • Knowing and complying with University policies/guidelines, Campus procedures and application data security requirements;
  • Safeguarding the integrity, accuracy and confidentiality of University data as outlined in this or other University policies/guidelines, Campus procedures, or federal/state/local regulations;
  • Properly creating, accessing, using and disposing of University data based on the data's classification;
  • Backing up their personal/instructional data.

IV. Data Security

Campus standards regarding data security and classification shall require that:

  • University data are protected in a manner which is commensurate with its classification and value;
  • The cost of data security is commensurate with the classification and value of the data being secured;
  • To the extent necessary, information is safeguarded by security systems designed for the protection of, detection of, and recovery from the misuse of information resources. Such security systems will ensure the quality, integrity, and availability of University data;
  • Restricted and Confidential data contain audit trails to monitor access and modification, and are appropriately backed up to allow for recovery;
  • University data, regardless of medium and/or form, will be disseminated by officially designated offices only;
  • All job or course specific access granted to an authorized user will be removed when that user transfers from one department to another or when a course is completed. All computer access granted to an authorized user will be removed when that user terminates employment, graduates, or withdraws from the University, or when their courtesy account is inactive/unneeded;
  • Individuals observing data security violations should report such violations to the appropriate data custodian and, in the case of employees, their direct supervisor;
  • If required by law or regulation, the University will promptly report data security violations to external authorities. If no such requirement exists, the President, together with the appropriate campus Chancellor(s), will weigh the pros and cons of external disclosure before reporting these violations. Representatives from University Counsel, University Audit, and security should assist University management in their determination of the pros and cons of disclosure.

V. Data Classification

Campus standards regarding data security and classification shall require that University data classifications are adhered to. Five levels of data classification have been established. The data classifications DO NOT apply to correspondence or memorandum EXCEPT when the correspondence/memorandum contains other than unclassified data.

The data classifications determine how the data will be secured, managed, retained, and disposed of. Dissemination of University data to external sources is dictated by the Family Educational Rights and Privacy Act of 1974 (as amended), 20 U.S.C. 1232g, and the regulations promulgated thereunder, 34 C.F.R., Part 99; the Massachusetts Fair Information Practices Act, M.G.L. c66A, and the Massachusetts Public Records Act, M.G.L. c. 66, section 10. Assignment of data into the following classifications shall be performed in accordance with the requirements of the foregoing laws.

  • Unclassified – data that does not fall into any of the other data classifications noted below. This data may be made generally available without specific data custodian approval.
  • Operational Use Only – data whose loss, corruption or unauthorized disclosure would not necessarily result in any business, financial or legal loss BUT which is made available to data custodian approved users only.
  • Private – data whose disclosure would not result in any business, financial or legal loss BUT involves issues of personal credibility, reputation, or other issues of personal privacy.
  • Restricted – data whose loss, corruption or unauthorized disclosure would tend to impair the business or research functions of the University, or result in any business, financial, or legal loss.
  • Confidential – data whose loss, corruption or unauthorized disclosure would be a violation of federal or state laws/regulations or University contracts.

Campus procedures regarding data security and classification shall require that data, regardless of medium and/or form, will be:

  • Identified as to its classification (i.e. Unclassified, Operational Use Only, Private, Restricted or Confidential);
  • Accessed, used and disposed of in a manner commensurate with the data's classification and with University Records Management, Disposition and Retention Policies/Guidelines/Schedules and Campus procedures;
  • Made secure against unauthorized creation, updating, processing, outputting, and distribution;
  • Appropriately secured and not accessible to non-approved users when not in use.

Campus procedures regarding data security and classification shall require that:

  • Aggregates of data should be classified as to the most secure classification level (e.g. when data of mixed classification exist in the same database, file, report, etc., the classification of that database, file, or report should be that of the highest level of classification).
  • Databases containing Operational Use Only, Private, Restricted or Confidential data should be secured. Extracts of Operational, Private, Restricted or Confidential data should be secured at the same level as the file/database from which the data was extracted.
  • Reports containing Operational Use Only, Private, Restricted or Confidential data should be disposed of properly. Paper and microfiche/film should be shredded. Disks/hard drives should be erased so as to be irretrievable.

VI. Data Access and Use

Undefined or unclear guidelines or procedures shall not be construed to imply access authorization.

Campus procedures regarding data security and classification shall require that:

  • Only authorized users have access to University data;
  • Access to data other than unclassified data is denied unless the user has obtained explicit approval by the data custodian;
  • Access to data classified as Private, Restricted or Confidential should be based on legal requirements or on a need-to-know, job-function, or course-requirement basis;
  • Access to data is given to authorized users. This access should not be shared, transferred or delegated (e.g., authorized users should not log on, access data and then let others use that data);
  • Vendors, contractors, consultants and external auditors needing access to University data have read, and acknowledge in writing that their firm has read, understood and will comply with the University Data Security and Classification Guidelines and Campus procedures;
  • Authorized users act in a manner which will ensure the data they are authorized to access is protected from unauthorized access, unauthorized use, invalid changes (e.g., putting a Q in a grade field), destruction, or improper dissemination;
  • Authorized users will use their access to University data for approved purposes only;
  • Authorized users log off University computer systems if they will not be accessing data for an extended time;
  • Authorized users will not use University applications and their data in illegal activities;
  • Authorized users are prohibited from viewing or accessing data, in any medium and/or form, for which they are not approved;
  • Classified data are not copied without prior approval;
  • Authorized users understand the data they are accessing and the level of protection required;
  • Authorized users set file protections correctly when they create or copy a file;
  • Authorized users periodically "refresh" downloaded data to ensure they are working with accurate, up-to-date data.

VII. Signature Imaging

Data custodians should understand that signature imaging is not a secure method of authorization. Custodians should seek the level of secure authorization most appropriate for their data's classification.

Each new use of any electronic authorization process or signature imaging within a computer application must be approved by the Chancellor of the campus instituting the new procedure.

The system controls for each new electronic authorization process or signature imaging are subject to review by the University Auditor's Office.

When signature imaging is used, campus procedures should require that:

  • A signature card with the employee's/student's handwritten signature and access authorizations for any individual using signature imaging will be centrally maintained at each campus.
  • An electronic record of each signature and document must be retained for a minimum of seven years, unless an alternate time period is specified by law or other university policy.

VIII. Compliance and Enforcement

Campus procedures regarding data security and classification should require that any individual found misusing data, divulging confidential data or otherwise violating these Guidelines may be denied or given limited (i.e., to allow for the performance of required academic or employment related tasks) access to data and/or University computer systems, and shall be subject to reprimand, suspension, dismissal, or other disciplinary action.