Title: Workforce Security - Access to Data
Author: University Information Technology Services
Effective Date: 01/31/2005
Applies To: Employees
Last Reviewed Date: 07/02/2007
Description: Workforce Security - Access to Data
For More Information Contact: Director of IT Security, Policy and Quality Assurance
Contact Telephone Number: 860-486-4357

Workforce Security - Access to Data

Background and Reasons for the Policy: The University of Connecticut views University data, in all its forms and throughout its life cycle, as an asset of the University. University data must be protected to comply with the policies of the University and to meet requirements of Federal and State laws such as:

  • the Family Rights and Privacy Act (FERPA),
  • the Health Insurance Portability and Accountability Act (HIPAA),
  • the Electronic Communications Privacy Act (ECPA),
  • the Gramm-Leach-Bliley Act (GLB),
  • the Children's Online Privacy Protection Act (COPPA),
  • the Freedom of Information Act (FOIA), and
  • the Connecticut Personal Data Act.

Purpose of Policy: The purpose of this policy is to ensure that:

  • The University has implemented the safeguards needed to limit access to data at the University to only those people who are authorized to use the data
  • The University has implemented the processes needed to ensure that people who are granted access to data on the University's network are only given appropriate access authority
  • Each data steward is able to verify the identity and access rights of users that request access to electronic data that is within its responsibility.

Expected Institutional Outcome: This policy will improve the University community's ability to control access to sensitive electronic data stored, used, or transmitted using the University's computing resources.

Applicability of Policy: Any data steward for University data or electronic data that is subject to State or Federal regulations that require security protections for data covered by those regulations will need to document its procedures for compliance with this policy.  Data custodians, acting on behalf of the data stewards, and data users may be required to participate in the implementation of the procedures.  The policy is also recommended for all departments that have other data that should be protected from unauthorized disclosure, interrupted availability, or damage.

Policy Statement: Each impacted department within the University will develop processes and controls for managing and supervising access to data that may be electronically used, stored, or transmitted using information technology resources (including the facility, equipment, software and data) that are under its control.  Permission to access data will be granted to eligible employees, students, and vendors as determined by the data stewards of the data.  At a minimum, this requires departments with sensitive data to document their processes for:

  1. Determining Authorization for a User. Data stewards will develop process(es) for reviewing the data access needs for individuals or groups of individuals.  Data custodians and users will use these processes.  These procedures should include levels of supervision that are appropriate for the level of sensitivity of the data.
  2. Granting Access for a User. Data stewards will develop process(es) for verifying that data access rights should be granted to individuals or groups of individuals.  Data custodians and users will use these processes.  These procedures should include levels of supervision that are appropriate for the level of sensitivity of the data and consistent with applicable laws and regulations and/or University policies. 
  3. Unique User Identification. Data stewards will develop process(es) for assigning unique user identifiers that can be used to track the activities of people that use or attempt to use non-public data.  Data custodians and users will use these processes.  These user identifiers should be consistent with other security mechanisms implemented to protect University data. 
  4. Managing User Accounts:  Data stewards will develop process(es) for creating, modifying, suspending, or terminating user accounts that are used to control access to sensitive data.  Data custodians and users will use these processes.  These process(es) should include changes in access rights that result from such things as change in job function, transfer from one work area to another,  termination of employment, change in student status, etc.
  5. Authenticating Users. Data stewards will develop processes or mechanisms for reasonably verifying that the person requesting access to non-public electronic data is in fact the person associated with the user identifier presented with the request for access.  Data custodians and users will use these processes.
  6. Procedure for Emergency Data Access:  Each department will develop and implement process(es) for accessing non-public data during emergency situations that prohibit normal methods for accessing data.  Distinctions should be made where alternate means of access should be provided versus emergency situations where access should in fact be limited during the emergency period.
  7. Automatic Logoff:  Data stewards will develop procedures for automatically logging users off of systems that access non-public data when users have been inactive for a period of time that is longer than acceptable for the sensitivity of the data. 
  8. Data Encryption: Data stewards will implement UITS-approved process(es) and technologies that support data encryption/decryption when non-public data must be stored in or transmitted through public areas of the electronic network.   
  9. Clearinghouse Functions:  Any department that provides the functions of a "clearinghouse" for processing or distributing non-public information using University computing resources will implement safeguards to ensure that data under the control of the clearinghouse is only available to University users who are authorized for clearinghouse functions.

Responsibilities:
University officials with delegated responsibilities for data as defined in the "Policy on Roles and Responsibilities with Respect to University Data" are responsible for the security of the information technology resources (including the facility, equipment, software and data) that are within their control and/or protection.  They are also responsible for ensuring that they remain knowledgeable about regulatory and UCONN security requirements impacting their data.  They may delegate the security management processes for those resources to the system administrators who they may appoint to manage the resources for them.

Departments and units must adhere to "Responsibilities of Individual Departments and Units" policy when developing required processes.  The University security policies set a minimum level of protection for information technology resources. The processes and technologies instituted by departments must achieve that level of protection.  They may provide additional protections as needed when stricter requirements apply to the departments or operating units.  When designing or implementing security policies, procedures, or technical solutions that respond to unique departmental needs, the departments should ensure that they are in compliance with the "Physical Network Access" policy.

The Vice President for Information Services has overall responsibility for this policy.

The Vice President for Information Services will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.

Policy Implementation Guidelines: Departments required to implement these workforce security processes should also refer to http://itpolicy.uconn.edu/ , where UITS maintains a set of documents for policies, procedures, guidelines, and standards that provide additional detail.

Many of the procedures used to support this policy are currently used by UITS.  For further information about using these procedures as models for developing departmental procedures, departments may contact UITS.

Violations of this policy will result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

Last updated: January 18, 2005