ITS: Secure Access and Data Storage Standards
1. Overview
The University of Akron (UA) is committed to protecting the information that it holds. Improper access to, and storage of data presents a significant risk to the university that must be mitigated.
2. Purpose
These Standards outline appropriate methods and mechanisms for securely accessing and properly storing institutional and Protected Institutional Data.
Special care and awareness are required with respect to “Protected Institutional Data.” Protected Institutional Data are any data for which an unwarranted and/or unauthorized disclosure would have an adverse effect on the institution or the individuals to which it pertains. Unauthorized disclosure or mishandling of Protected Institutional Data, in certain circumstances, may be a violation of federal and state law and, under certain egregious circumstances, the institution and its employees could be held personally responsible for damages and/or remediation costs.
In order to perform its business and educational operations, the University routinely must collect and utilize Protected Institutional Data, including: social security numbers (SSN), credit card numbers, bank account information, driver’s license numbers, name, address, birthdate, passwords, Personal Identification Numbers (PINs), and ID pictures. Specific University offices also may maintain other types of Protected Institutional Data, including: medical records, tax returns, donor information, mailing lists, scholarship information, financial information, and proprietary bidding information. These examples are not exhaustive or all-inclusive.
It is the responsibility of all University employees handling any University data to understand what data are sensitive and confidential and to adhere to the following guidelines and any applicable regulations.
3. Scope
These Standards apply to all university stakeholders and external third parties with authorized access to institutional data. Institutional data may exist on any media, including but not limited to: digital media, paper files, photographs, microfiche, etc. These Standards do not apply to data or records that are personal property of a member of the university community.
4. Definitions
- Data Owner – The individual or group who has accountability and authority to make decisions about a specific set of data. The Data Owner is responsible for the function or functions that collect and use the information, determines the levels of protection for the information, makes decisions on appropriate use of the information, and determines the appropriate classification of the information. This role generally falls to a functional academic or administrative area such as the Registrar, Human Resources, or the offices of the CFO and Provost.
- Data Steward – The person who is identified by the Data Owner to act, and to approve or deny access to data, on behalf of the Data Owner.
- Date Custodian – The persons or unit responsible for implementing controls the Data Owner identifies. This role often includes Information Technology Services or departmental technology support.
- Data User – Any person who interacts with the data. This includes people or programs that create, update, read, or delete information.
- Institutional Data – Any information or data that is gathered, analyzed, or published by any department of the University of Akron in support of its mission(s).
- Protected Institutional Data – Any information classified as more restricted than Public Use by the ITS Data Classification Standard.
5. Standards
- Secure Access
- Only authorized users, as determined by the Data Owner and/or Data Steward(s), shall have access to Protected Institutional Data.
- All parties handling Protected Institutional Data must read, understand, and comply with all applicable government regulations, Board Rules, and ITS and HR policies governing the access to, and storage of Protected Institutional Data.
- Transmission of Protected Institutional Data must be encrypted using current encryption standards. Protected Institutional Data sent through email must be encrypted. Please see How to Encrypt Email for a guideline on how to encrypt email.
- Data Storage
- Inventory and identify the Protected Institutional Data under your control. Data Users must maintain the confidentiality of all Protected Institutional Data in accordance with all applicable laws and regulations, ITS Data Classification Standards, and ITS Data Storage Standards.
- Protected Institutional Data should be stored in as few places as possible.
- Protected Institutional Data may only be maintained on systems within the ITS datacenter or University controlled cloud solutions, such as OneDrive, SharePoint, Workday, Slate, etc.
- Protected Institutional Data may not be stored on local workstations or on mobile, external, and/or removable storage devices, including smartphones, tablets, or any other device.
- Protected Institutional Data may not be stored in non-University controlled cloud solutions, such as Dropbox, Box, Egnyte, etc.
- Protected Institutional Data may not be stored on network drives, servers, or applications that have not been specifically approved for this purpose by ITS.
- Purge or delete unused Protected Institutional Data in accordance with UA's Electronic Record Retention Policy, or in a timely manner, to minimize risk of inadvertent disclosure.
- Protected Institutional Data should never be posted to a website, even for short periods of time. Individuals responsible for maintaining web site content must be particularly cognizant and vigilant regarding this matter. If it is determined that Protected Institutional Data has been posted to a public web site, the individual responsible for that website immediately shall remove the Protected Institutional Data and notify the University Chief Information Security Officer (CISO).
- SSNs may not be stored on workstations or removable media. Additionally, SSNs may not be stored on systems or media that are not controlled by ITS or The University of Akron.
- Credit card numbers may not be collected and stored on standalone devices, digital media, or paper media. Processing credit card numbers should be done via ITS-approved secure methods that authorize or deny the transaction in real time, but do not retain or store the credit card number. Collecting credit card numbers via phone calls, websites, or email, and retaining such numbers on paper or in electronic files for periodic processing is bad practice, insecure, and is prohibited. If you need help processing credit cards securely, contact the ITS Help Desk.
- Questions
- Questions regarding what to do with Protected Institutional Data should be directed to the Information Security Team by emailing security@uakron.edu.
6. Standard Compliance
- Roles and Responsibilities
- Each university department/unit is responsible for implementing, monitoring, reviewing and updating its internal policies and practices to ensure compliance with this Standard.
- The Chief Information Security Officer is responsible for enforcing this Standard.
- Non-Compliance
- An employee or student who knowingly violates this Standard or any applicable University policy applicable to data security, and/or in any way intentionally breaches the confidentiality of Protected Institutional Data may be subject to appropriate disciplinary action or sanctions.
- Reporting
- Unauthorized access to, or disclosure of, Protected Institutional Data, including situations in which access is granted or shared erroneously, must be reported to the Chief Information Security Officer (CISO) immediately in accordance with Section 5 "Reporting" of the ITS: Information Security Incident Response Procedure.
7. Related Documents
University Rule 3359-11-08: Policies and Procedures for Student Records
University Rule 3359-11-10: Acceptable Use Policy
University Rule 3359-11-10.3: Information Security and System Integrity Policy
University Rule 3359-11-10.4: Customer Information Security Policy
University Rule 3359-11-10.6: Social Security Number Use Policy
University Rule 3359-11-10.8: Identity Theft Detection, Prevention, and Mitigation Policy
University Rule 3359-11-11.1: Electronic Records Retention
University Rule 3359-11-19: Policies and Procedures for Release, Privacy, and Security of Selected Health Information
ITS: Data Access Policy
ITS: Data Classification Standards
ITS: Information Security Incident Reporting & Response Policy
ITS: Information Security Incident Response Procedure
8. Standard History
Approval Authority: Chief Information Officer
Policy Manager: Chief Information Security Officer
Effective Date: 08/29/2022
Prior Effective Dates: 06/09/2021
Next Review Date: 06/01/2023