Title: Data Security Training
Author: University Information Technology Services
Effective Date: 08/31/2008
Applies To: Employees
Last Reviewed Date: 12/12/2008
Description: Data Security Training
For More Information Contact: Director of IT Security, Policy and Quality Assurance
Contact Telephone Number: 860-486-4357

Data Security Training

 

Background and Reasons for the Policy: The University of Connecticut views University Data, in all its forms and throughout its life cycle, as an asset of the University. University Data must be protected to comply with the policies of the University and to meet requirements of Federal and State laws such as the:

  •   Family Rights and Privacy Act (FERPA)
  •   Health Insurance Portability and Accountability Act (HIPAA)
  •   Electronic Communications Privacy Act (ECPA)
  •   Gramm-Leach-Bliley Act (GLBA)
  •   Children's Online Privacy Protection Act (COPPA)
  •   Freedom of Information Act (FOIA)
  •   Connecticut Personal Data Act

Purpose of Policy: The purpose of this policy is to ensure that each area within the University provides each of the people within its control with an appropriate awareness of data security issues, and provides the training needed for those people to understand and use the data security safeguards that have been implemented by that department. 

Expected Institutional Outcome: This policy will improve the University community's ability to ensure adequate security for data accessed through University computing resources.

Applicability of Policy: This policy applies to all users of the University's computing resources.  Any department within the University that stores, uses, or transmits University Data or electronic data that is subject to State or Federal regulations that require security protections for data covered by those regulations will need to document its security training program in order to be compliant with this policy.  The policy is also recommended for all departments that have other data that should be protected from unauthorized disclosure, interrupted availability, or damage.

Definitions:

Data Steward: The entity/entities or office/offices that are delegated by the President and/or his designee(s) with the policy-level responsibility for establishing definitions of the data assigned to him/her (i.e. defined portions of University Data) and developing general procedures and guidelines for the management, security and access to those data sets, as appropriate.

 

University Data: Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to or limited by any overriding contractual or statutory regulations. University Data may be stored either electronically or on paper and may be of many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally identifiable information or other data protected by law or University policy are not covered by this policy.


Policy Statement: Each impacted department within the University will develop processes for providing training to the users of its protected data for the security safeguards implemented by the department.  At a minimum, this will include:

  1. Security Awareness.  Each department will develop and implement process(es) for creating an adequate awareness of electronic data security issues and the needs for safeguards for its data.  The set of data stores, applications, and other computing resources used by a department will determine the set of safeguards covered by the training for a department. 
  2. Security Procedures.  Each department will develop and deliver training material that supports the safeguards it has developed to address its security needs.  Data Stewards for the major systems used at the University (for example, payroll, human resources, student information, etc.) will provide this training for the systems that they support, often as a prerequisite to use of the systems. 

The training material for security procedures also includes common processes for:

  •   Guarding against, detecting, and reporting malicious software
  •   Creating, changing, and protecting passwords
  •   Limiting physical access to computing resources
  •   Monitoring log-in activity
  •   Reporting security vulnerabilities, risks, and incidents
  •   Limiting distribution of data to other persons/entities
  3. Reminders and Updates.  Each department will develop and implement procedures for periodically reminding people who use data and computing resources under the department's control of the security issues and the safeguards that have been implemented.  Such reminders should be considered when there are changes to security requirements, security procedures, data sensitivity, or data uses.
  4. Training Records.  Each department will develop and implement procedures for keeping records of the training provided to people within the department documenting as appropriate such factors as:
  •  the people that required training
  •  the training topics that were required
  •  the people who received training
  •  the date(s) and location(s) of training delivery
  •  the method of training delivery
  •  a summary of the training material delivered

Responsibilities:  University officials with delegated responsibilities for data as defined in the Policy on Roles and Responsibilities with Respect to University Data are responsible for the security of the information technology resources (including the facility, equipment, software and data) that are within their control and/or protection.  They are also responsible for ensuring that they remain knowledgeable about regulatory and University security requirements impacting their data.  They may delegate the security responsibilities for those resources to the system administrators who they may appoint to manage the resources for them.

Departments and units must adhere to the Responsibilities of Individual Departments and Units policy when developing required processes.  The University's security policies set a minimum level of protection for information technology resources.  The processes and technologies instituted by departments must achieve that level of protection.  They may provide additional protections as needed when stricter requirements apply to the departments or operating units.  When designing or implementing security policies, procedures, or technical solutions that respond to unique departmental needs, the departments should ensure that they are in compliance with the Physical Network Access policy.

Enforcement and Review:

The Chief Information Officer has overall responsibility for this policy.

The Chief Information Officer will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.

Any individual who suspects a violation of this policy may report it to the Compliance Office in the Office of Audit, Compliance and Ethics at (860) 486-4526, or anonymously through the Reportline (https://www.compliance-helpline.com/uconncares.jsp). Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

Policy Implementation Guidelines: Departments required to implement these security training processes should also refer to the documents that are available at http://itpolicy.uconn.edu/.

 


Last updated: August 2008

 

 

 

 

 

 

 

 

 

