Policy on the Security Requirements for Protecting University Data at Rest

Background and Reason for the Policy: Increasingly computing and storage devices including desktops, notebooks, palmtops, PDAs, IPods®, Blackberry® devices, cell phone with internet-browsing capabilities, diskettes, magnetic tapes, external/removable hard drives, flash cards, thumb drives, compact disks, digital video disks, etc. are becoming part of the toolset for University employees. While these devices provide for greater flexibility and efficiency in accomplishing University business, they present data security challenges to the University.

There have been an increased number of reported incidents involving lost and stolen devices both at the University of Connecticut and at other institutions of higher education.  This loss or theft presents two problems to the University - the loss of the physical asset (the device) and exposure of sensitive data that might have been stored on the device to unauthorized access and disclosure.

Purpose of Policy: The purpose of this policy is to ensure that the University is in compliance with federal and state privacy laws and regulations requiring the safeguarding of University Data stored on computing devices. This policy enhances other existing University data and security policies (see itpolicy.uconn.edu) and should be read together with other related policies to ensure a full understanding of this policy.

Expected Institutional Outcome: It is expected that compliance with this policy will reduce the exposure of University Data to unauthorized access and disclosure.  

Definitions:

Approved Device:  Either a University-owned device or a privately owned/funded device that has been approved for use with University Data.

Approved Software-based Security Mechanisms:  Site licensed security software including encryption, anti-virus, anti-spyware, firewalls and intrusion detection software that is available on the standard HuskyPC computer image.

Data at Rest:  Any data that is stored on a device as opposed to data that is traversing a network.

Computing Devices:  The term "computing devices" refers to computing and telecommunications devices that can execute programs. This definition includes, but is not limited to, desktops, notebooks, palmtops, PDAs, IPods®, BlackBerry® devices, and cell phones with internet browsing capability.

Encryption:  An algorithmic process of encoding data to make it unintelligible except to users with the keys to decode the data. 

Key:  A mathematical variable required to encrypt and to decrypt the algorithms of encoded data.

Mobile Computing Devices:  Computing Devices which are portable in nature.

Storage Devices:  The term "storage devices" refers to a device capable of recording and storing data and includes but is not limited to computing devices, diskettes, magnetic tapes, external/removable hard drives, flash cards (e.g. SD, Compact Flash), thumb drives (USB keys), jump drives, compact disks, digital video disks, etc.

Sensitive University Data: University Data that includes information that personally identifies individuals and any other data that is identified by law, regulation, policy or practice as confidential or registered confidential. (See Sensitive Data Checklist for specific data included in this category.)

University Data: Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to or limited by any overriding contractual or statutory regulations. University Data may be stored either electronically or on paper and may be of many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally-identifiable information or other data protected by law or University policy are not covered by this policy. An individual's own personally identifiable information is not covered by this policy.

Applicability of Policy: This policy applies to all employees of the University of Connecticut, at all campuses, whether permanent, non-permanent or student, full or part-time; graduate assistants with teaching and/or research responsibilities; and all consultants or contracted individuals retained by the University. This policy covers Computing and Storage Devices (herein referred to as "devices") whether those devices be University-owned or privately owned/funded.

Policy Statement: All users of University Data are required to adhere to the following security requirements in order to protect University Data. These requirements apply to University Data that is under the stewardship of the University and do not pertain to an individual's own personal information.

1. The storage of Sensitive University Data on any device used for University of Connecticut business shall be: 
   • Limited to the minimum data necessary to perform the business function necessitating storage on the specific device;
   • Stored only for the time period required to perform the business function;
   • Limited to those devices that permit passwords and encryption

2. Users of University Data are discouraged from storing Sensitive University Data on personally-owned devices. If the user of University Data does store Sensitive University Data on such devices, he/she will be responsible for ensuring that the Sensitive University Data has been adequately protected and agrees to comply with all security requirements for the protection of such devices.
3. Any computing device, including non-University-owned devices, that may be used by any user of University Data for the storage of University Data must be reasonably protected from any and all forms of unauthorized access and disclosure, and configured with properly updated software-based security mechanisms appropriate for that device. Users of University Data shall not bypass or disable these security mechanisms under any circumstances. Users shall not implement any security mechanisms on University-owned devices that have not been approved by the University and/or their Department.
4. Whenever feasible, users of University Data will use a secure remote data access method to access Sensitive University Data from outside of the University's network rather than store the Sensitive University Data on mobile computing devices.
5. Users of University Data in the possession of University-owned laptop computing devices during transport or use in public places, meeting rooms and other unprotected areas must not leave these devices unattended at any time, and must take all reasonable and appropriate precautions to protect these devices from unauthorized physical access, tampering, loss or theft including implementing an auto locking mechanism that requires a password that conforms to University password requirements.
6. Users of University Data will be responsible for immediately notifying their department in the event that a University-owned or personally-owned device containing Sensitive University Data is lost, stolen or misplaced and/or the user has determined unauthorized access has occurred.  Upon such notification, the department will notify the Director of IT Security and the University Police.
7. All University Data stored on any University-owned desktop or laptop (except those intended for public access or classroom use) must be encrypted using University-approved methods that will begin being implemented March 2009.  Once the UConn implementation has been completed, any University-owned desktop or laptop in which the stored University Data has not been encrypted using a University approved method must be surplused unless the device has been approved for exemption from the encryption process. (See Encryption Exemption Process website.)
8. Each department or user of University Data must ensure that authorized University personnel have access to all encrypted University Data.
9. Users of University Data are forbidden from using public access devices for accessing or storing other individuals' Sensitive University Data.
10. Except when using a secure remote access method, users of University Data are forbidden from using unsecured wireless access points for accessing other individual's Sensitive University Data.
11. Users of University Data are forbidden from using peer-to-peer file sharing software on any (University-owned or personally-owned) device used for accessing or storing Sensitive University Data.

Responsibilities:

Each department is responsible for appointing a security contact who will act as liaison between UITS and the department to ensure that appropriate safeguards to protect University Data are implemented in the department. UITS will provide clear guidelines and recommendations to assist the departmental contact in identifying areas where data security problems may exist.

All Users of University Data are responsible for implementing the appropriate security measures for any device (University-owned or personally-owned) that is used to access and/or store University Data. Any questions and/or concerns about appropriate security measures should be directed to the department's designated security contact.

Any User of University Data who does not encrypt the University Data on his/her University-owned computer (desktop and/or laptop) by the time the encryption rollout has been completed and has not been granted an exemption by either their Dean and Provost or the Chief Operating Officer, may be subject to disciplinary procedures.

Enforcement and Review:

The President and/or his designee(s) has overall responsibility for implementation and enforcement of this policy.

The President and/or his designee(s) will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.

Any individual who suspects a violation of this policy may report it to the Compliance Office in the Office of Audit, Compliance and Ethics at (860) 486-4526, or anonymously through the Reportline (https://www.compliance-helpline.com/uconncares.jsp).

Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

Effective:  May 1, 2009