Electronically Stored (Computer-based) Information |
| Action |
Public |
Sensitive |
Restricted |
| |
|
|
Recommendations
on handling of restricted data doesn't apply to financial restricted accounts. |
| Storage on fixed media with access controls |
No encryption required |
No encryption required |
No encryption required, with the exception of credit card / bank account information. ** |
| Storage on fixed media without access controls, but accessible via the web |
No encryption required |
Not advised. If you must store data via this media, it must be encrypted. |
Not allowed |
| Storage on fixed media without access controls, but not accessible via the web |
No encryption required |
No encryption required |
Not advised. If restricted data must be stored on such devices, the devices must be stored in a secured location when not in use ( EX: Store data on a removable drive and lock in desk when not in use). |
| Storage on removable media |
No encryption required |
No encryption required |
Store in secured location when not in use. |
| Read access to information (includes duplication) |
No special requirement |
Access is not restricted based on the field values. Access
to information is based on roles defined by: Card Services, Financial, HR, Grad School, HFS,
Phy Fac, SMAS, Student Services, UD & PAA |
Access is restricted based on field values. Access
to information is based on roles defined by business areas. Refer to
links located under Sensitive. |
| Create / Update access to information |
Access to information is
based on roles defined by business areas. See above. |
Create/update are not restricted based on
field values. Access is based on roles defined by business areas. See above. |
Create/update are restricted based on field values.
Access is based on roles defined by business areas. See above. |
| Delete access to information |
Access to information is
based on roles defined by business areas. See above. |
Deletes are not restricted based on the field values.
Access is based on roles defined by business areas. See above. |
Deletes are restricted based on field values.
Access is based on roles defined by business areas. See above. |
| |
|
|
|
| ** Note: It is expected that departments move toward encryption over time as new files are created or existing files modified. |
| Print hard copy report of information |
No special requirement |
Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing. |
Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing.
Printouts are to be picked up as soon as possible. |
| Internal labeling of information at the application or screen/display level |
No special requirement |
No special requirement |
If a person has requested their directory information be restricted, that person's chosen restricted directory option must be noticeably displayed along with the information. |
| Disposal of the physical electronic media device (diskettes, tapes, hard disks, etc.), where physical media is not
going to be repurposed for University use. |
No special requirement |
Physical destruction beyond ability to recover. |
Physical destruction beyond ability to recover. |
| Disposal of information where physical media is going to be repurposed for University use. |
No special requirement |
Clear or wipe media according to University Media Disposal policy and Media Disposal Guidelines. |
Sanitize media according to University Media Disposal policy and Media Disposal Guidelines. |
| Data Stewards
& Information Owner review Data Confidentiality for continued applicability |
Review at least annually and whenever significant changes are made to data or systems. |
Review at least annually and whenever significant changes are made to data or systems. |
Review at least annually and whenever significant changes are made to data or systems. |
| Auditing access activity |
No special requirement |
Log all violation attempts; Data Custodian reviews as appropriate. |
Log all access attempts defined in logging policy; Data Custodian to review all access violation attempts and notify Information Owner of suspicious activity. |
| Retention requirements for information access report logs |
No special requirement |
Retain logs for at least 12 months unless another retention period applies under applicable University policy, federal,
state, or local law. |
Retain logs for at least 12 months unless another retention period applies under applicable University policy, federal,
state, or local law. |
