Title: Electronic Data Security Management
Author: University Information Technology Services
Effective Date: 08/31/2008
Applies To: Employees
Last Reviewed Date: 01/26/2009
Description: Electronic Data Security Management
For More Information Contact: Director of IT Security, Policy and Quality Assurance
Contact Telephone Number: 860-486-4357

Electronic Data Security Management
Background and Reasons for the Policy: The University of Connecticut views University Data, in all its forms and throughout its life cycle, as an asset of the University. University Data must be protected to comply with the policies of the University and to meet requirements of Federal and State laws such as the:

  •   Family Rights and Privacy Act (FERPA)
  •   Health Insurance Portability and Accountability Act (HIPAA)
  •   Electronic Communications Privacy Act (ECPA)
  •   Gramm-Leach-Bliley Act (GLBA)
  •   Children's Online Privacy Protection Act (COPPA)
  •   Freedom of Information Act (FOIA)
  •   Connecticut Personal Data Act

Purpose of Policy: The purpose of this policy is to ensure that the University has implemented the major security management processes needed to recognize data security risks at the University and instituted the safeguards needed to protect its information technology resources.

Expected Institutional Outcome: This policy will improve the University community's understanding of the safeguards needed to provide adequate security for electronic data stored, used, or transmitted using the University's computing resources and the effectiveness of the safeguards implemented by the University.

 
Applicability of Policy: Any Data Steward for University Data or electronic data that is subject to State or Federal regulations that require security protections for data covered by those regulations will need to document procedures for compliance with this policy.  Areas that use this data will comply with these procedures.  The policy is also recommended for all departments that have other data that should be protected from unauthorized disclosure, interrupted availability or damage. 

Definitions:

Data Steward: The entity/entities or office/offices that are delegated by the President and/or his designee(s) with the policy-level responsibility for establishing definitions of the data assigned to him/her (i.e. defined portions of University Data) and developing general procedures and guidelines for the management, security and access to those data sets, as appropriate.
University Data: Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to or limited by any overriding contractual or statutory regulations. University Data may be stored either electronically or on paper and may be of many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally identifiable information or other data protected by law or University policy are not covered by this policy. 
Policy Statement: Each impacted department within the University will develop processes and controls for managing the security of any non-public data that may be electronically used, stored, or transmitted using equipment or facilities that are under its control, consistent with the requirements defined by Data Stewards. At a minimum, this security management program will include:

  1. Risk Assessment. Each department will develop and implement process(es) for conducting accurate and thorough assessments of the potential risks and vulnerabilities that threaten the confidentiality, integrity, and availability of non-public information held by the department. 
  2. Risk Management: Each department will develop and implement security measures sufficient to reduce any identified risks and vulnerabilities to a reasonable and appropriate level that reflects the expectations and security requirements of the applicable regulations. The University security policies set a minimum level of protection for information technology resources. The processes and technologies instituted by the department must achieve that level of protection, but may provide additional protections as needed when stricter requirements apply to the departments or operating units. When designing or implementing security policies, procedures, or technical solutions that respond to unique departmental needs, the department should ensure that they are in compliance with the Physical Network Access policy.
  3. Sanctions:  Each department will use the existing University processes for applying sanctions to people who may violate the University's security policies. 

Violations of University security policies are treated in the same way as a violation of any other University policy.  They will be addressed as indicated by University Laws and Bylaws, General Rules of Conduct For All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.  The procedures used to apply sanctions when there are violations of University policies are maintained by the University administration.  For further information about the procedures for University staff, contact the local Human Resources representative.  For procedures applicable for students, contact the Vice President for Student Affairs.

Any member of the University community that becomes aware of a violation or deviation from University security policies or who has observed, has knowledge of, or been the victim of, any unauthorized access attempts or other improper usage of University of Connecticut computers, networks, or other information processing equipment should notify the closest lead technical support person for his/her area as soon as possible or should report such violations to the Director of IT Security, Policy and Quality Assurance at (860) 486-8255.

  1. Security Management Audits: Each department will develop, implement, or comply with review process(es) that ensure that the security management processes and controls are in place and are being used effectively.   
  2. Electronic Activity Audits: Data Stewards will develop processes or mechanisms for recording and reporting information about activity that involves data that is accessed, stored, or transmitted by information technology resources (including the facility, equipment, software and data) that are under their control. Data Stewards may delegate responsibility for implementing these processes to administrators, third-party vendors, or other custodians, but the Data Stewards will still be responsible for ensuring that adequate processes are in place. Custodians and data users will comply with those processes. These processes will typically use audit logs, activity reports, or other such mechanisms to document and manage system activity. These processes and/or mechanisms must be reviewed at intervals commensurate with the associated risk of the information systems or the non-public data contained in the information systems.

Responsibilities:  University officials with delegated responsibilities for data as defined in the Policy on Roles and Responsibilities with Respect to University Data are responsible for the security of the information technology resources (including the facility, equipment, software and data) that are within their control and/or protection.  They are also responsible for ensuring that they remain knowledgeable about regulatory and University security requirements impacting their data.  They may delegate the security management processes for those resources to the system administrators, third-party vendors, or other custodians who they may appoint to manage the processes for them, but the Data Stewards continue to be responsible for assuring the protection of information technology resources.

Departments and units must adhere to the Responsibilities of Individual Departments and Units policy when developing required processes.  The processes and technologies implemented by the departments must achieve the level of protection required by UITS policies and processes.  They may provide additional protections as needed when stricter requirements apply to the departments or operating units.

Enforcement and Review:

The Chief Information Officer has overall responsibility for this policy.

The Chief Information Officer will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.

Any individual who suspects a violation of this policy may report it to the Compliance Office in the Office of Audit, Compliance and Ethics at (860) 486-4526, or anonymously through the Reportline (https://www.compliance-helpline.com/uconncares.jsp). Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, and applicable collective bargaining agreements.

Policy Implementation Guidelines: Departments required to implement these security management processes should also refer to http://itpolicy.uconn.edu/ , where UITS maintains a set of documents for policies, procedures, guidelines, and standards that provide additional detail.
Last updated: August 2008