Authority: Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.
History: First Issued: January 19, 1990. Last Revised: August 19, 2008. Additional History Information.
Related Policies:
NCSU POL08.00.1 -Computer Use Policy
NCSU REG08.00.2 - Computer Use Regulation
NCSU REG01.25.11 - Process for Requesting Access to Social Security Numbers
Additional References:
Confidentiality of Computer Data at NC State
N.C. Gen. State. § 14-453 (1999) - computer-related crimes
North Carolina Identity Theft Protection Act (2005 SB-1048)
Information Security Acknowledgement Form
List of Data Categories & University Data Trustees, Stewards, and Custodians
Data Classifications Examples
NCSU Policies Rules and Regulations Website
Office of Legal Affairs Website
Contact Info: Vice Chancellor for Information Technology; Director of Security & Compliance, Office of Information Technology (919-513-1194)
1. Introduction
1.1. Purpose of this Regulation
The purpose of this Regulation is to assign responsibility for custody and security of University Data. This Regulation applies to all University Data, and to all administrative and user-developed computing systems that may access or utilize University Data.
This Regulation governs the management and accessibility of University Data regardless of the environment where the data reside. This includes the central mainframe, college or departmental mini-computers, data servers, individual personal computers, and data residing in any other media (paper printouts, microfiche, tapes, digital storage devices, laptop computer disk drives, etc.).
The Data Classification Standard section of this document defines the classification levels assigned to different types of University Data according to confidentiality. Identification and classification of University Data allow the appropriate degree of protection to be applied. Another goal of this document is to apply University security controls consistently for data of similar sensitivity across various University colleges and departments.
1.2. Definition of Terms
1.2.1. University Data:
“University Data” is defined as all information content related to the business of NC State University that exists in electronic or digital form, and also such information that exists in other forms (e.g. ink on paper). “Data” includes but is not limited to text, graphics, video, audio, still images, databases, and spreadsheets.
1.2.2. Access:
“Access” to data is the ability to view, retrieve, alter, or create data.
1.3. Limitations:
This document does not address confidentiality as it relates to release of University information under Public Records law or other legal requirements such as subpoenas, court orders or special exceptions to privacy laws.
2. Authority over Data
2.1. NC State University Authority and Rights
The University has authority over use of the University's physical computer assets. NC State University is the legal custodian of all University data.
2.2. Chancellor's Delegation of Responsibility
The Chancellor delegates responsibility for data management at the University as specified in Section 3 below. The Chancellor and Chancellor's designees are responsible for protecting University data at the level appropriate for its sensitivity.
3. Data Management
The current full list of Data Trustees, Data Stewards, and Data Custodians is shown in the List of Data Categories & University Data Trustees, Stewards, and Custodians document.
3.1. Data Trustee
3.1.1. Definition
Data Trustees have oversight responsibility for data management related to university functions managed/administered/run by the units and personnel reporting to them.
3.1.2. List of Data Trustees
3.1.2a. Provost and Executive Vice Chancellor
3.1.2b. Vice Chancellor for Finance and Business
3.1.2c. Vice Chancellor for Student Affairs
3.1.2d. Vice Chancellor for University Advancement
3.1.2e. Vice Chancellor for Research and Graduate Studies
3.1.2f. Vice Chancellor for Extension, Engagement and Economic Development
3.1.2g. Vice Chancellor and General Counsel
3.1.2h. Vice Chancellor for Information Technology
3.1.2i. Director of Athletics
3.1.3. Resolution of Data Disputes
It may be necessary to resolve data control or access issues when the responsible Data Stewards cannot agree as to how the data should be used. If this occurs, the appropriate Data Trustees shall meet to resolve any disputes. All disputes not resolved at this level will be sent to the Chancellor for final disposition.
3.2. Data Stewards
3.2.1. Selection of Data Stewards
Each Data Trustee will assign Data Stewards to be responsible for data management within his or her unit.
3.2.2. Duties of Data Stewards
Data Stewards have the primary responsibility for the accuracy, privacy, and security of the University Data under his/her responsibility. All University Data must have an identified Data Steward. Specific responsibilities of Data Stewards include:
3.2.2a. Requests for access to data
Data Stewards shall be responsible for evaluation, approval or disapproval of requests for access to data within their assigned oversight.
3.2.2b. Degree of access
Data Stewards are responsible for determining the degree of access (interactive query only, interactive update, downloading of specific data to User, etc.) to be granted to specific Users, and for assuring compliance with access security standards.
3.2.2c. Defining data elements
Data Stewards shall be responsible for defining or describing each data element, to the extent required by public records law, for which they have oversight. This definition shall be done in coordination with the Office of Information Technology.
3.2.2d. Value of data
Data Stewards should give consideration to the value of data in terms of its confidentiality and criticality to the conduct of University business. Security plans and procedures shall be implemented with emphasis dictated by the determined data value.
3.2.2e. Request for modification to the data
Data Stewards are the initiation point for any request for modification to the data for which they have responsibility.
3.2.2f. Security of data
Data Stewards are responsible for ensuring security of University Data under their stewardship. At a minimum, Data Stewards should ensure that:
· Each general Data Category is classified according to the University Data Classification Standard listed below in Section 6.
· Data is protected according to University Policies, Regulations, Rules and Standards.
· Classification levels are reassessed at least once every 3 years based on changing sensitivities, usage, regulations, or legislation.
· Classification levels and associated protection of replica data remains consistent with the original data (e.g., database extracts with sensitive data should carry the same protection as the original database).
3.3. Data Custodian
Data Custodians are people who are assigned specific data management responsibilities by the Data Stewards. Data Custodians typically will manage access rights to data they oversee. Each Data Custodian may delegate specific custodial responsibilities for different subsets of data under his/her custody.
4. User Responsibilities
4.1. User of University Data
Users of University Data include but are not limited to the following categories:
· University employees
· Volunteers
· Contractors
· Vendors
· Partners
· Students
Individual University Users play a critical role in ensuring the security of University Data. Ultimately, only the User can prevent unauthorized access and ensure responsible use of the data. Proper use of data, including assurance of security and privacy, is a job requirement for all University employees, is a condition of volunteer service, should be included in all University agreements providing access to University Data, and is a condition of enrollment for students.
4.2. Responsibilities
4.2.1. Users are responsible for the following actions:
4.2.1a. Store data under secure conditions appropriate for the data classification level
4.2.1b. Make every reasonable effort to ensure the appropriate level of data privacy is maintained
4.2.1c. Use the data only for the purpose for which access was granted
4.2.1d. Not to share IDs or passwords with other persons
4.2.1e. Securely dispose of sensitive University data
In any disposal of media or devices, Users should use techniques so that unauthorized persons cannot later access sensitive data. Such techniques include, but are not limited to, shredding of documents with sensitive information, erasing data from hard drives with special ‘scrubber' programs, and physically destroying old media containing sensitive data.
4.2.2. Copies of University Data
If University Data is downloaded (e.g. to a college or department) or otherwise made available as a copy, the individual creating or accepting the copy of the data automatically becomes the Data Custodian for the University Data elements in the copy. In this situation, the custodial responsibility for complying with this Data Management regulation and with applicable laws regarding the University Data in the copy resides with the department or unit authorized to receive the University Data in the copy.
4.3. Non-compliance
Users who fail to comply with the requirements of this regulation will be subject to University discipline, and in applicable cases to civil lawsuit liability and to criminal prosecution .
5. Security Administrators
5.1. Role of Security Administrators
Each Data Custodian, in consultation with each relevant Data Steward, appoints Security Administrators. Security Administrators have responsibility for implementing, monitoring and coordinating standards, procedures, and guidelines necessary to administer access to University Data.
5.2. Responsibilities of the Security Administrator
5.2.1. Complying with Data Access Guidelines
Data Stewards will develop Data Access Guidelines to be used by the Security Administrators in approving access for Users of computer systems to University Data.
5.2.2. Implementation of Data Access Guidelines to be followed by Users of online computer systems
Each Security Administrator is responsible for procedures to implement the Guidelines as provided by the appropriate Data Steward to be followed by authorized Users.
5.2.3. Processing requests for access to University Data
The Security Administrator will process Users requests and complete the technical work required to provide access to the User. The Security Administrator is responsible for ensuring that the appropriate Data Steward has authorized access before granting the User access to the data. The Security Administrator and Data Steward work together to ensure the appropriate security measures are followed.
5.2.4. Procedures to confirm the roles of Data Stewards and Users
Each Security Administrator will assure that Data Stewards and Users with access to University computer systems are verified on a regular basis as appropriate authorized Users.
6. Data Classification Standard
The degree of protection required for different types of data is based on the nature of the data and compliance requirements. The following three classification levels, from highest to least, will be used for classifying University data.
6.1. High Security
Data for which unauthorized disclosure or unauthorized modification would result in significant financial loss to the University, or impair its ability to conduct business, or result in a violation of federal or state laws, contractual agreements, government regulations, including, but not limited to, Family Educational Rights and Privacy Act (FERPA), state law on personnel file privacy, Federal Privacy Act, Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry Data Security Standard (PCI DSS). Aspects of this type of governance may be further investigated at the website of the Office of Legal Affairs .
Any collection of data (e.g., a database, memory stick or a filing cabinet) that contains “High Security” data element(s) should also be classified at the High Security Level.
6.2. Moderate Security
Data for which unauthorized disclosure or unauthorized modification would not result in direct financial loss or any legal, contractual, or regulatory violations BUT may otherwise adversely affect the University.
Any collection of data (e.g., a database, memory stick or a filing cabinet) that contains “Moderate Security” data element(s) will also be classified at the Moderate Security Level.
6.3. Normal Security
Data for which disclosure would not cause any adverse impact on the University; however , only appropriate University personnel are allowed to modify the master copy or original data.
6.4. Examples
Examples of data at varying classification levels are shown in the Data Classifications Examples document .
7. Training
The Office of Information Technology staff will provide training in the use of these Data Management Procedures, and security awareness training based on the Data Classification Standard to all University staff, on a regular basis.
