University Policy Details
Title: Device and Media Control
Author: University Information Technology Services
Effective Date: 08/31/2008
Applies To: Employees
Last Reviewed Date: 11/18/2008
Description: Device and Media Control
For More Information Contact: Director of IT Security, Policy and QualityAssurance
Contact Telephone Number: 860-486-4357

 Device and Media Control

 

Background and Reasons for the Policy: The University of Connecticut views University Data, in all its forms and throughout its life cycle, as an asset of the University. University Data must be protected to comply with the policies of the University and to meet requirements of Federal and State laws such as the:

  •    Family Rights and Privacy Act (FERPA)
  •    Health Insurance Portability and Accountability Act (HIPAA)
  •    Electronic Communications Privacy Act (ECPA)
  •    Gramm-Leach-Bliley Act (GLBA)
  •    Children's Online Privacy Protection Act (COPPA)
  •    Freedom of Information Action (FOIA)
  •   Connecticut Personal Data Act

Purpose of Policy: The purpose of this policy is to ensure that each area within the University has implemented appropriate processes for managing devices used to store electronic data.

Expected Institutional Outcome: This policy will improve the University community's ability to protect data that is stored electronically on the various devices and media used by the University.

Applicability of Policy: This policy applies to all users of electronic storage devices and media that are used within the University's computer network.  Any department within the University that stores, uses, or transmits University Data or electronic data that is subject to State or Federal regulations that require security protections for data covered by those regulations will need to document its procedures for compliance with this policy.  The policy is also recommended for all departments that have other data that should be protected from unauthorized disclosure, interrupted availability, or damage.

Definitions:

University Data: Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to or limited by any overriding contractual or statutory regulations. University Data may be stored either electronically or on paper and may be of many forms (including but not limited to: text, graphics, images, sound, or video). Research data, scholarly work of faculty or students, and intellectual property that do not contain personally identifiable information or other data protected by law or University policy are not covered by this policy.


Policy Statement: Each impacted department within the University will develop processes and controls for protecting data that is stored electronically on devices or media that are under its control.  At a minimum, these processes will include:

  1. Data Disposal. Process(es) for disposal of data when equipment is discontinued or transferred to another user or unit.  In such instances, data and electronic media must be rendered unreadable.  The steps taken for the destruction of data and media should be documented.  See the data removal procedures at http://itpolicy.uconn.edu/policydocs/datawipe.html.
  2. Media Re-use. Electronic storage media that will be re-used must be re-formatted or the data must be purged as specified in University procedures. 
  3. Media Repair or Replacement. Electronic storage media that will be repaired or replaced must be handled as specified in University procedures.  When media repair/replacement activities are being done by third-party vendors, the procedures must prevent unauthorized disclosure of confidential data.
  4. Hardware / Media Movement. University process(es) for recording the transfer of computer hardware and electronic storage media from one location to another.  See the Surplus Property Policy and Procedures in the University Policies e-Library. 
  5. Data Backup. Process(es) for creating backup copies of important data prior to moving equipment, safely storing those copies, and using those copies to re-create the working versions of data files that are damaged. 

Responsibilities: University officials with delegated responsibilities for data as defined in the Policy on Roles and Responsibilities with Respect to University Data are responsible for the security of the information technology resources (including the facility, equipment, software and data) that are within their control and/or protection.  They are also responsible for ensuring that they remain knowledgeable about regulatory and University security requirements impacting their data.  They may delegate the security responsibilities for those resources to administrators who they may appoint to manage the resources for them.

Departments and units must adhere to the Responsibilities of Individual Departments and Units policy when developing required processes.  The University's security policies set a minimum level of protection for information technology resources.  The processes and technologies instituted by departments must achieve that level of protection.  They may provide additional protections as needed when stricter requirements apply to the departments or operating units.  When designing or implementing security policies, procedures, or technical solutions that respond to unique departmental needs, the departments should ensure that they are in compliance with the Physical Network Access policy.

Enforcement and Review:

The Chief Information has overall responsibility for this policy. The Chief Information Officer will review this policy on a bi-annual basis and respond to formal complaints resulting from the implementation of this policy.

Any individual who suspects a violation of this policy may report it to the Compliance Office in the Office of Audit, Compliance and Ethics at (860) 486-4526, or anonymously through the Reportline (https://www.compliance-helpline.com/uconncares.jsp). Violations of this policy may result in appropriate disciplinary measures in accordance with University Laws and Bylaws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

Policy Implementation Guidelines: Departments required to implement these processes should also refer to http://itpolicy.uconn.edu/, where UITS maintains a set of documents for policies, procedures, guidelines, and standards that provide additional detail.



Last updated: August 2008