Securing Private Data, Computers, and Other Electronic Devices
Last Update: August 2010
Responsible University Officer:
- Vice President for Information Technology
- Updated: August 2010
- Primary Contact: Brian Dahlin
All University employees and community members must take appropriate steps to secure any private data they create, possess, or have access to in connection with their University employment, education, or research. This obligation includes maintaining electronic private data only on University computer systems and electronic devices and securing those computers and devices as required by policy.
Maintain Private Data on University Systems
University private data must be stored on University-owned computers unless a contract approved by an authorized University representative exists with the non-University business, person, or entity. Employees must not store University private data on personally owned computers or other personally owned electronic devices.
Appropriately Secure Computers
University computers and devices must be installed and actively maintained on an ongoing basis so that they protect the data stored or accessed through them and meet University compliance requirements and pertinent external regulations. All University computers must meet a basic level of security to protect the integrity of the data and network. Some computers and devices require additional enhanced protection measures.
This provides a baseline level of protection for all devices. Included are requirements for training, authentication, configuration, firewall, anti-virus protection and security patches.
Computers and those servers designated as “critical servers” storing or accessing private or legally or contractually protected data require an enhanced level of security and support. The enhanced security requirements include all the basic requirements plus several additional required protections. Units designated as Health Care Components are required to meet these enhanced security requirements.
Individual University community members who do not comply with this policy may temporarily be denied access to University computing resources and may be subject to other penalties and disciplinary action including University discipline up to and including termination.
Noncompliant devices may be disconnected from the University data network and collegiate/departmental infrastructure until the device is brought into compliance.
In individual cases where it is not possible to meet these security requirements, units must employ compensating controls and protections. Compensating controls and protections must be documented in writing and approved by the head of the department or unit and are subject to audit review. The documentation must include the business reason for the exception, the specific compensating control used to reduce risk, and the specific categories or devices included.
Laws and contractual agreements may impose additional requirements above and beyond the enhanced requirements on computers and electronic devices. See the Additional Contacts section of this policy for guidance on requirements.
Some University departments and units are designated as Health Care Components under HIPAA and as such may be subject to more stringent data privacy and security requirements. In Health Care Components, contracts with a non-University business, person, or entity for the purpose of sharing health information must be approved by the HIPAA compliance office.
Any proposed compensating control exceptions for private data governed by regulations (HIPAA, PCI) must also be approved by the relevant Compliance Officer listed under Additional Contacts.
Colleges or units may designate that their entire unit comply with the enhanced security requirements to simplify device management. University colleges and units may specify additional requirements within their physical or administrative areas of responsibility. Additional requirements may exceed but not be less than those in this policy.
The University Chief Information Officer or delegate may approve exceptions to this policy after consultation with the appropriate compliance office.
REASON FOR POLICY
This policy will help to:
- safeguard private University data and conform to legal and contractual mandates;
- safeguard University computers and electronic devices and the data stored or accessed by these devices from accidental or intentional damage and from alteration or theft of data; and
- designate the appropriate level of security requirements for securing computers and other electronic devices.
- Basic Security for Computers and Other Electronic Devices
- Enhanced Security for Computers and Other Electronic Devices
There are no forms associated with this policy.
- A verification that substantiates that a person is who the person says he or she is. For purposes of this policy, people are considered authenticated members of the University community if they have an Internet ID and are able to prove that they know the password associated with that Internet ID listing.
- Compatible with the Active Directory Architecture
- Desktop and laptop computers such as Microsoft Windows and Apple Macintosh computers that can be attached to Active Directory.
- Compensating Control
- An alternate but effective means of meeting the goal or spirit of the requirement.
- Critical Server
- A critical server is one that is important to accomplishing the University/collegiate unit/business unit mission or one that stores legally private or other important non-public data.
- Health Care Component
- Unit(s) of the University that provide health care or are part of the health plan or are designated by the University as health care components covered under HIPAA. These covered health care components include units that provide health care ("Provider Components") and the Health Plan of the University.
- High-Risk Software Applications
- Those applications that are most used by viruses, trojans, and other malware to compromise University computers. An updated list will be approved quarterly by the CIO and published on the University web site at www.oit.umn.edu/security/topics/patch-high-risk-apps/index.htm.
- Managed by Active Directory
- Configuration options that affect security of University data, software patches and fixes are provided from a central directory based system that also helps automate storage provisioning, access control, policy auditing, and compliance reporting.
- Other Electronic Device
- For the purposes of this policy, devices include items such as cellular phones, personal digital assistants, electronic storage mechanisms and removable media, flash drives, or devices capable of executing computer code.
- Private Data
- University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g., Payment Card Industry for credit cards, some research contracts).
- A multi-user computer, which provides some service for other computers connected to it via a network. The most common examples are file servers, web servers, mail servers, and database servers.
- University Community Member
- A University Community Member is a student, faculty or staff member, University guest, volunteer, contractor, or employee of an affiliated entity.
- University Data Network
- The University data network includes University telecommunications facilities such as UM data network with all wired or wireless attached links including departmental networks, ResNet, UM Wireless, academic and administrative network facilities, network facilities serving affiliates or tenants, and coordinate campus networks.
- University-Owned Computers
- All computers, irrespective of the funding source - legislative funding, research grant funding, sponsored funds, gifts, etc.
- User Level Account
- An account or logon ID on a computer that can run programs and applications and use the computer but can’t install programs or change system configuration options.
- University Employee and University Community Member
- Review and comply with this policy and related procedures.
- Notify administrative and technical support staff of legally private data that is stored on computers and other electronic devices.
- Designated Compliance Officers
- Monitor data security compliance.
- Investigate allegations and incidents of non-compliance.
- Recommend appropriate corrective and disciplinary actions.
- Develop and maintain policies related to the compliance requirements.
- Oversee and coordinate breach notification processes.
- Technical Support Staff
- Take reasonable action to secure computers and other electronic devices in accordance with this policy and related procedures.
- Stay informed by participating in campus and University-wide technical and security groups or forums.
- Respond to technical questions from users related to securing computers and electronic devices.
- Campus, College, and Department Administrators
- Create, disseminate and enforce local security requirements to comply with University-wide policies for computers and electronic devices under their control.
- Provide oversight and assure the security of legally or contractually private data created, stored or accessed by staff.
- Designate whether their entire unit must comply with the enhanced security requirements or only relevant parts of the unit. For some units subject to HIPAA regulation, this designation has already been made.
- University Chief Information Officer (CIO)
- Designate individuals who have the responsibility and authority for information technology resources.
- Establish reasonable security policies and measures to protect University data and computers and electronic devices.
- Office of Information Technology (OIT) Security and Assurance
- Delegated authority and responsibility for Information Technology security from the CIO.
- Monitor and notify regarding potential intrusions.
- Review reported and discovered security incidents.
- Establish and publish the criteria upon which a server is determined to be a “critical server” and provide oversight for the vulnerability scan process.
- Provide guidance on information technology security issues.
- Operational responsibility to remove electronic devices from the network and, as appropriate, retrieve equipment and data as part of an investigation.
- Coordinate with the unit administrative and technical/security staff to assure that actions are taken as necessary to protect University resources.
- Coordinate with law enforcement, compliance offices, and with the Office of the General Counsel.
There are no appendices associated with this policy.
FREQUENTLY ASKED QUESTIONS
- Can I use my personally-owned smart phone, PDA, flash drive, iPad, or computer for work?
University private data should not be intentionally stored on these devices. However, they can be used for receiving University email and accessing web pages, which may result in incidental storage of private data. If you do receive legally private data on a personally owned device such as in an email, the data should be deleted as soon as possible.
- If my smart phone or other electronic device only supports use of numbers, not alphabetical and special characters, is that acceptable authentication?
If the electronic device does not support use of complex passwords for authentication, use a non-obvious number sequence. For example, don’t use numbers associated with you such as your employee ID or part of your phone number.
- On my University-owned computer, why do I need to use a password after the screensaver is activated and why is the time so short?
The password helps protect you from malicious use of your computer and the viewing of your display by others when your computer is not attended. For laptops, the screensaver prevents someone such as a thief from using your computer, acting as you, stealing data, etc.
- Are University-owned printers, copiers and multi-function devices (printer/copier/fax/scanner) covered by this policy?
Yes. For example, if the printer, copier or multi-function device has a hard drive, it may contain old copies of University data previously printed/copied/faxed/scanned that are long forgotten. These files should be securely deleted. If the device has a password and configuration options, it will require additional technical attention to prevent misuse from the Internet.
- Administrative Policy: Acceptable Use of Information Technology Resources
- Administrative Policy: Accepting Revenue Via Payment Cards (Credit Cards PCI)
- Administrative Policy: Administration and Oversight for Protection of Individual Health Information
- Administrative Policy: Managing Student Records (FERPA)
- Administrative Policy: Protection of Individual Health Information by U Health Care Components (HIPAA)
- Administrative Policy: Reporting and Notifying Individuals of Security Breaches
- Administrative Policy: Use and Disclosure of Individual Health Information for Research (HIPAA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley (GLB)
- Minnesota Data Practices Act
- Payment Card Industry Data Security Standard (PCI-DSS)
- August 2010