The University of Memphis

Data Security Policy



Issued:  October 7, 2016
Responsible Official:  Chief Information Officer
Responsible Office:  Information Technology Services

Policy Statement

In the course of its operations, the University of Memphis collects and maintains restricted data about students, employees, donors, vendors, and others.  This policy governs the use, control, and access to restricted data defined by statute, regulation, contract, license, or definitions within this policy.  The Data Classification document differentiates the types of University data.

University data must be protected against threats such as malicious misuse, unauthorized intrusion, or inadvertent compromise.  Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.  Each University of Memphis department and employee is responsible for the integrity and security of University data used, controlled, or accessed within their area.  This policy establishes parameters for the protection of University data itself, not for any particular medium or application in which the data resides.  This policy aligns with other established policies and procedures for data security in Institutional Research and the University of Memphis Foundation.

Responsibilities

The Chief Information Officer (CIO) is responsible for implementing appropriate data security policies, procedures, and technology standards (i.e., hardware and software) for the University.

Information Technology Services (ITS) is responsible for communicating current security standards and procedures to the University community.  These standards and procedures are posted on the ITS Security web page.

Department heads, in cooperation with Local Support Providers (LSPs) and ITS, are responsible for ensuring their employees have adequate technical support to understand and implement security standards and procedures.  This responsibility extends to data regardless of the storage medium or originating point of access, including, but not limited to, University-owned equipment, personally-owned equipment, and cloud-based services.  Each unit of the University instructs its employees about the designated and approved storage space for saved University data.  In the event of an audit, each unit of the University is responsible for providing the location of the unit's designated and approved storage.

Employees, in cooperation with their LSP, are responsible for protecting restricted University data to which they have access.  In areas not supported by an LSP, ITS will provide assistance to employees.

Employees are responsible for ensuring that appropriate security controls, in accordance with published University standards, are in place to protect restricted University data.  This responsibility extends to data regardless of the storage medium or originating point of access, including, but not limited to, University-owned equipment, personally-owned equipment, and cloud-based services.


Personal passwords are established and secured by employees.  In accordance with UM1535 Acceptable Use of Information Technology Resources policy, passwords are not to be disclosed or shared.

The ITS Security web page should be reviewed at the beginning of each academic semester by all users.



Purpose

The University of Memphis is committed to maintaining the confidentiality of all restricted University data.  The purpose of this policy is to establish classifications for University data and a framework to preserve the integrity of all University data, regardless of the hardware or systems on which the data resides or from which it is accessed.


Definitions


Cloud-based Service

A vendor-provided service, including but not limited to storage, analytics, business intelligence, reporting, or other processing, that is not typically located within the University's physical premises.

Data Steward

University officials and agents of the University who have designated duties for the collection, input, and maintenance of data within their functional area.

Encryption

Transforming information using a secret key so that it cannot be decoded and read by anyone who does not hold the appropriate key, together with the programs and measures that perform that transformation.

Enterprise Information System

Any centralized data storage or distribution system on campus.  Enterprise Information Systems are managed by ITS.

Internal/Limited Access University Data

Data that would not expose the University to loss if disclosed, but that should nonetheless be protected.  Internal/Limited Access University data includes, but is not limited to, operational data likely to be distributed across organizational units within the University.

Network

Any number of computers and portable devices joined by a physical or wireless communications link that allows information to be passed between them, irrespective of where those computers are located.  Networks provide the pathways for information traffic and allow employees to access databases and share applications residing on servers.

Personally Identifiable Information (PII)

Data that can be used to uniquely identify an individual.

Portable Devices or Media

Portable devices include laptops, Personal Digital Assistants (PDAs), cell phones, tablets, or any other portable technology hardware.  Media includes storage media such as CDs, DVDs, magnetic tapes, floppy disks, external hard drives, flash drives, and universal serial bus (USB) drives, or any other portable storage media.

Public University Data

Data available within the University community and to the general public.

Restricted University Data

Data protected by federal or state law or regulation, or by contract.  Restricted University data includes, but is not limited to, data protected by the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), or the Gramm-Leach-Bliley Act (GLBA).

Server

An application or hardware that performs services for connected clients as part of a client-server architecture.


Procedures


General Security

In coordination with the Office of Legal Counsel and the Department of Internal Audit, ITS will develop specific procedures for compliance with this policy and will educate the University community on the implementation of this policy and those procedures.  Procedures, technology standards, and best practices can be found on the ITS Security web page.

University data must be saved to an appropriate location defined by the Data Storage Guidelines for its data classification, except in rare cases approved by the Information Security Advisory Committee (ISAC).  Data Stewards may request permission to store unencrypted restricted data through the Office of the CIO; the request will be forwarded to ISAC for approval.  Acceptance or denial of the request will be noted in the minutes of the ISAC meeting following the request.

If ISAC grants permission for University data to be saved and stored on University-owned equipment, personally-owned equipment, or cloud-based services, faculty and staff are personally responsible for encrypting the data with the current ITS standard and for retaining the encryption keys or passwords (encrypted data cannot be recovered if the key or password is lost).  Access to saved and stored University data while on campus must be through the University network.

Restricted University data must be protected against physical theft or loss, electronic invasion, or unintentional exposure through a variety of personal and technical means.

Before accessing or storing restricted University data on a laptop computer or other portable device or media, employees are responsible for obtaining appropriate protections for that equipment, or for verifying that such protections are already in place.  The use of unprotected equipment to access or store University data is prohibited, whether or not the equipment is owned or controlled by the University, unless an exception has been granted by the CIO.

All University computers must have current operating system patches and updates installed, current firmware, current antivirus and antispyware tools installed, and a host firewall enabled.  Other devices connected to the University's network must use appropriate security protections to the extent possible, including current firmware.


ITS is responsible for the security of all Enterprise Information Systems throughout campus, including but not limited to, enterprise resource planning and associated systems such as Banner, Active Directory, and the UMmail e-mail system.

ITS will audit servers, computers, and portable devices or media for compliance with University policies and standards, and will deny network access to any server, computer, or portable device or media found out of compliance with them.



Remote Access

Remote access to restricted University data is available only to authorized employees, who must authenticate before access is granted.  Data must be encrypted in transit.

Access from off-campus must be via VPN. 


Home Computers

Home computers that are used to access, store, or transmit restricted University data should have current security patches installed, updated antivirus and antispyware software, and encryption.  Where standard security precautions are not free, the employee bears all costs of securing their home computer.

Employees are responsible for deleting all restricted University data from their home computers upon termination of employment.

Portable Devices, Media and Cloud-Based Services

Each user in the possession of restricted University data is responsible for protecting the data, regardless of the media or location where the data resides.

Restricted University data may not be stored on any portable device, media or cloud-based service unless protective measures are implemented that safeguard the confidentiality and integrity of the data in the event of theft or loss.  Protective measures must be implemented before restricted University data is stored on portable devices, media or cloud-based service.

Restricted University data stored on portable devices or media must be encrypted with the University's data encryption standard.  Cloud-based services must provide equivalent encryption protection, established through appropriate business agreements.



Equipment Disposal

University-owned computers, portable devices, and media must have all University data securely erased, or the device or media destroyed, using current best practices before transfer out of University control.


Failure to Comply with this Policy

Failure to comply with this policy may result in limiting or denying access to University data resources.  If, upon investigation by the appropriate University officials, the lack of compliance appears to have been willful and deliberate or if there is repeated lack of compliance, disciplinary action may be taken.




Links


Data Classification Document

https://umdrive.memphis.edu/g-itgovernance/ISAC/FY09/Classification%20of%20University%20Data%20Final.docx

Data Storage Guidelines

http://www.memphis.edu/its/security/data-storage-guidelines.php


Family Educational Rights and Privacy Act (FERPA)

www.ed.gov/policy/gen/guid/fpco/ferpa/index.html


Health Insurance Portability and Accountability Act (HIPAA)

www.hhs.gov/ocr/hipaa/


Gramm-Leach-Bliley Act (GLBA)

www.ftc.gov/privacy/privacyinitiatives/glbact.html

State of Tennessee Data Security Law

state.tn.us/sos/acts/105/pub/pc0688.pdf


Tennessee Board of Regents Policy on Information Technology

https://policies.tbr.edu/policies/information-technology-resources


UoM Policy - Acceptable Use of Information Technology Resources

policies.memphis.edu/UM1535.htm


UoM Policy - Security and Protection of Electronic Information Resources

policies.memphis.edu/UM1566.htm


UoM Policy - Data Access

policies.memphis.edu/UM1337.htm


UoM - TigerLAN Lab Guidelines

umtech.memphis.edu/TigerLAN_Guidelines.htm


UoM - ITS Security Procedures and Best Practices

www.memphis.edu/its/security


Red Flag Policy

http://policies.memphis.edu/UM1714.htm



Revision Dates


UM1691 -- revised October 7, 2016
UM1691 -- revised October 9, 2014
UM1691 -- revised April 26, 2014
UM1691 -- revised April 17, 2013
UM1691 -- revised November 10, 2009
UM1691 -- issued November 5, 2008 - supersedes policy number 1:2A:03:05


Subject Areas: Academic, Finance, General, Human Resources, Information Technology, Research, Student Affairs