|Title:||Confidential Data, Information Technology|
|Policy Owner:||Information Security Office|
|Applies to:||Students, Employees, Users|
|Campus Applicability:||All University departments at all campuses, except UConn Health|
|Effective Date:||May 16, 2012|
|For More Information, Contact||Chief Information Security Officer|
|Contact Information:||(860) 486-8255|
This policy is available in the Information Security Policy Manual.
The University prohibits unauthorized or anonymous electronic or physical access to information technology (IT) resources that store, transmit, or process any of the following:
- University Confidential or Protected Data
- Personally identifiable information (PII)
- Protected health information (PHI) or electronic protected health information (ePHI)
- Credit Card data
- Any other regulated data.
Confidential Data storage will be limited to the minimum amount, and for the minimum time, required to perform the business function, or as required by law and/or State of Connecticut Data Retention requirements.
University IT resources that are used for storage of Confidential Data shall be clearly marked to indicate they are the property of the University of Connecticut. Servers that store Confidential or Protected Data shall not be used to host other applications or services.
The University prohibits the storage of encrypted or unencrypted Credit Card data in physical or electronic form. Confidential Data may not be stored on personally owned IT resources. Users of portable devices will take extra precautions to ensure the physical possession of the portable device and the protection of the University’s Confidential and Protected Data.
The University’s Confidential or Private Data may not be accessed, transmitted, or stored using public computers or via email.
System Administrators shall implement access controls on all IT resources that store, transmit, or process Confidential or Protected Data, minimally supporting the requirements defined in the Access Control Policy.
Each calendar year, Data Users who are capable of viewing, storing, or transmitting Confidential Data shall complete the Information Security Awareness Training Program.
University employees will perform monthly scans and review results in order to locate and remove PII on each computer under their control. Storage of PII on desktop or laptop computers requires:
- Explicit permission from the Data Steward,
- Separate accounts for all users with strong passwords required for all accounts,
- Whole disk encryption enabled,
- Security logging and file auditing enabled,
- Computer firewall enabled and logging,
- Automatic operating system patching and antivirus software updates,
- Automatic screen lock after a period of inactivity,
- Restricted remote access methods, such as remote desktop and file sharing.
To maintain its confidentiality, Confidential Data shall be encrypted while in transit across open or insecure communication networks, or when stored on IT resources, whenever possible. Stored data may only be encrypted using approved encryption utilities. To ensure that data is available when needed each department or user of encrypted University data will ensure that encryption keys are adequately protected and that procedures are in place to allow data to be recovered by another authorized University employee. In employing encryption as a privacy tool, users must be aware of, and are expected to comply with, Federal Export Control Regulations.
Activity Logging & Review
IT resources that store, access, or transmit Confidential Data shall automatically log activity into electronic log files. Logging includes system, network, application, database, and file activity, whenever available, and includes creation, access, modification, and deletion activity.
Log files shall be retained electronically for the duration necessary to meet the requirements defined by the State Data Retention schedule S6.
Systems and devices that process, store, or transmit data that are protected by federal regulations (e.g., HIPAA) or by industry requirements (e.g., PCI-DSS) must submit system-generated logs to the Information Security Office’s central logging system.
System administrators and/or Data Stewards shall examine electronic logs, access reports, and security incident tracking reports, minimally every 30 days, for access control discrepancies, breaches, and policy violations. Log harvesting, parsing and alerting tools can be used to meet these requirements.
Departments shall take steps to ensure that third-party service providers understand the University’s Confidential Data Policy and protect University’s Confidential Data. No user may give a Third Party access to the University’s Protected or Confidential Data or systems that store or process Protected or Confidential Data without a permission from the Data Steward and a Confidentiality Agreement in place. Access to these resources must be handled as defined in the University’s Access Control Policy.
Each University department that stores, processes, or transmits Confidential Data will maintain a Facility Security Plan that contains the processes necessary to safeguard information technology resources from physical tampering, damage, theft, or unauthorized physical access. Departments will take steps to ensure that all IT resources are protected from reasonable environmental threats and hazards, and opportunities for unauthorized physical access.
Access to areas containing Confidential Data information must be physically restricted. In departments with access to PHI or Credit Card data, all individuals in these areas must wear a University-issued identification badge on their outer garments so that both the picture and information on the badge are clearly visible.
Systems administrators will ensure that all data stored on electronic media is permanently destroyed prior to the disposal or transfer of the equipment. The steps taken for the destruction of data will follow the University computer surplus procedures.
Confidential Data maintained in hard copy form will be properly disposed of using University-approved processes when no longer required for business or legal purposes.
Access to areas such as data centers, computer rooms, telephone equipment closets, and network equipment rooms will be restricted to authorized personnel only. Areas where Confidential Data is stored or processed shall be restricted to authorized personnel and access to these areas shall be logged.
Policy Created: May 16, 2012