University of Minnesota
University Relations
http://www.umn.edu/urelate
612-624-6868
University of Minnesota
POLICY LIBRARY
POLICY
University of Minnesota
University of Minnesota
University M logo on red background
ADMINISTRATIVE POLICY
Home : Information Technology : Acceptable Use and Information Security

Securing Private Data, Computers, and Other Electronic Devices

Effective Date: August 2010
Last Update: August 2010
Responsible University Officer:
  • Vice President for Information Technology
Policy Owner:
  • Vice President for Information Technology
Policy Contact:
CONSULTED WITH: Faculty Consultative Committee

Printed on: . Please go to http://policy.umn.edu for the most current version of the Policy or related document.

POLICY STATEMENT

All University employees and community members must take appropriate steps to secure any private data they create, possess, or have access to in connection with their University employment, education, or research. This obligation includes maintaining electronic private data only on University computer systems and electronic devices and securing those computers and devices as required by policy.

Maintain Private Data on University Systems

University private data must be stored on University-owned computers unless a contract approved by an authorized University representative exists with the non-University business, person, or entity. Employees must not store University private data on personally owned computers or other personally owned electronic devices.

Appropriately Secure Computers

University computers and devices must be installed and actively maintained on an ongoing basis so that they protect the data stored or accessed through them and meet University compliance requirements and pertinent external regulations. All University computers must meet a basic level of security to protect the integrity of the data and network. Some computers and devices require additional enhanced protection measures.

Basic Security
This provides a baseline level of protection for all devices. Included are requirements for training, authentication, configuration, firewall, anti-virus protection and security patches.

Enhanced Security
Computers and those servers designated as “critical servers” storing or accessing private or legally or contractually protected data require an enhanced level of security and support. The enhanced security requirements include all the basic requirements plus several additional required protections. Units designated as Health Care Components are required to meet these enhanced security requirements.

Enforcement

Individual University community members who do not comply with this policy may temporarily be denied access to University computing resources and may be subject to other penalties and disciplinary action including University discipline up to and including termination.

Noncompliant devices may be disconnected from the University data network and collegiate/departmental infrastructure until the device is brought into compliance.

Special Situations

In individual cases where it is not possible to meet these security requirements, units must employ compensating controls and protections. Compensating controls and protections must be documented in writing and approved by the head of the department or unit and are subject to audit review. The documentation must include the business reason for the exception, the specific compensating control used to reduce risk, and the specific categories or devices included.

Laws and contractual agreements may impose additional requirements above and beyond the enhanced requirements on computers and electronic devices. See the Additional Contacts section of this policy for guidance on requirements.

Some University departments and units are designated as Health Care Components under HIPAA and as such may be subject to more stringent data privacy and security requirements. In Health Care Components, contracts with a non-University business, person, or entity for the purpose of sharing health information must be approved by the HIPAA compliance office.

Any proposed compensating control exceptions for private data governed by regulations (HIPAA, PCI) must also be approved by the relevant Compliance Officer listed under Additional Contacts.

Colleges or units may designate that their entire unit comply with the enhanced security requirements to simplify device management. University colleges and units may specify additional requirements within their physical or administrative areas of responsibility. Additional requirements may exceed but not be less than those in this policy.

Exceptions

The University Chief Information Officer or delegate may approve exceptions to this policy after consultation with the appropriate compliance office.

REASON FOR POLICY

This policy will help to:

  • safeguard private University data and conform to legal and contractual mandates;
  • safeguard University computers and electronic devices and the data stored or accessed by these devices from accidental or intentional damage and from alteration or theft of data; and
  • designate the appropriate level of security requirements for securing computers and other electronic devices

PROCEDURES

FORMS/INSTRUCTIONS

There are no forms associated with this policy.

APPENDICES

There are no appendices associated with this policy.

FREQUENTLY ASKED QUESTIONS

  1. Can I use my personally-owned smart phone, PDA, flash drive, iPad, or computer for work?
    University private data should not be intentionally stored on these devices. However, they can be used for receiving University email and accessing web pages, which may result in incidental storage of private data. If you do receive legally private data on a personally owned device such as in an email, the data should be deleted as soon as possible.
  2. If my smart phone or other electronic device only supports use of numbers, not alphabetical and special characters, is that acceptable authentication?
    If the electronic device does not support use of complex passwords for authentication, use a non-obvious number sequence. For example, don’t use numbers associated with you such as your employee ID or part of your phone number.
  3. On my University-owned computer, why do I need to use a password after the screensaver is activated and why is the time so short?
    The password helps protect you from malicious use of your computer and the viewing of your display by others when your computer is not attended. For laptops, the screensaver prevents someone such as a thief from using your computer, acting as you, stealing data, etc.
  4. Are University-owned printers, copiers and multi-function devices (printer/copier/ fax/scanner) covered by this policy?
    Yes. For example, if the printer, copier or multi-function device has a hard drive, it may contain old copies of University data previously printed/copied/faxed/scanned that are long forgotten. These files should be securely deleted. If the device has a password and configuration options, it will require additional technical attention to prevent misuse from the Internet.

     

ADDITIONAL CONTACTS

Subject
Contact
Phone
Fax/Email
Primary Contact(s)
612-625-1505
HIPAA Compliance
Medical Records,PHI
612-626-5844
FERPA Compliance
Student Records
612-625-1064
PCI Compliance Credit Card Data
Accounts Receivable Services
612-625-2392

DEFINITIONS

Authentication
A verification that substantiates that a person is who the person says he or she is. For purposes of this policy, people are considered authenticated members of the University community if they have an Internet ID, and that they are able to prove that they know the password associated with that Internet ID listing.
Compatible with the Active Directory Architecture
Desktop and laptop computers such as Microsoft Windows and Apple Macintosh computers that can be attached to Active Directory.
Compensating Control
An alternate but effective means of meeting the goal or spirit of the requirement.
Critical Server
A critical server is important to accomplishing the University/collegiate unit/business unit mission or one which stores legally private or other important non-public data.
Health Care Component
Unit(s) of the University that provide health care or are part of the health plan or are designated by the University as health care components covered under HIPAA. These covered health care components include units that provide health care ("Provider Components") and the Health Plan of the University.
High risk Software Applications
Those applications that are most used by viruses, trojans, and other malware to compromise University computers. An updated list will be approved quarterly by the CIO and published on the University web site.
Managed by Active Directory
Configuration options that affect security of University data, software patches and fixes are provided from a central directory based system that also helps automate storage provisioning, access control, policy auditing, and compliance reporting.
Other Electronic Device
For the purposes of this policy, devices include items such as cellular phone, personal digital assistant, electronic storage mechanisms and removable media, flash drives, or devices capable of executing computer code.
Private Data
University data protected by federal or state law (e.g., FERPA, HIPAA, Minnesota Data Practices Act), regulation, or contract (e.g. Payment Card Industry for credit cards, some research contracts).
Server
A multi-user computer, which provides some service for other computers connected to it via a network. The most common examples are file servers, web servers, mail servers, and database servers.
University Community Member
A University Community Member is a student, faculty or staff member, University guest, volunteers, contractor, or employee of an affiliated entity.
University Data Network
The University data network includes University telecommunications facilities such as UM data network with all wired or wireless attached links including departmental networks, ResNet, UM Wireless, academic and administrative network facilities, network facilities serving affiliates or tenants, and system campus networks.
University-Owned Computers
All computers, irrespective of the funding source - legislative funding, research grant funding, sponsored funds, gifts, etc.
User Level Account
An account or logon ID on a computer that can run programs and applications and use the computer but can’t install programs or change system configuration options.

RESPONSIBILITIES

University Employee and University Community Member
  • Review and comply with this policy and related procedures;
  • Notify administrative and technical support staff of legally private data that is stored on computers and other electronic devices;
Designated Compliance Officers
  • Monitor data security compliance.
  • Investigate allegations and incidents of non-compliance.
  • Recommend appropriate corrective and disciplinary actions.
  • Develop and maintain policies related to the compliance requirements.
  • Oversee and coordinate breach notification processes.
Technical Support Staff
  • Take reasonable action to secure computers and other electronic devices in accordance with this policy and related procedures.
  • Participate and stay informed by participating in campus and University-wide technical and security groups or forums.
  • Respond to technical questions from users related to securing computers and electronic devices.
Campus, College, and Department Administrators
  • Create, disseminate and enforce local security requirements to comply with University-wide policies for computers and electronic devices under their control.
  • Provide oversight and assure the security of legally or contractually private data created, stored or accessed by staff.
  • Designate whether their entire unit must comply with the enhanced security requirements or only relevant parts of the unit. For some units subject to HIPAA regulation, this designation has already been made.
University Chief Information Officer (CIO)
  • Designate individuals who have the responsibility and authority for information technology resources.
  • Establish reasonable security policies and measures to protect University data and computers and electronic devices.
Office of Information Technology (OIT) Security and Assurance
  • Delegated authority and responsibility for Information Technology security from the CIO.
  • Monitor and notify regarding potential intrusions.
  • Review reported and discovered security incidents.
  • Establish and publish the criteria upon which a server is determined to be a “critical server” and provide oversight for the vulnerability scan process.
  • Provide guidance on information technology security issues.
  • Operational responsibility to remove electronic devices from the network and, as appropriate, retrieve equipment and data as part of an investigation.
  • Coordinate with the unit administrative and technical/security staff to assure that actions are taken as necessary to protect University resources.
  • Coordinate with law enforcement, compliance offices, and with the Office of the General Counsel.

RELATED INFORMATION

Related Policies

Related Laws

HISTORY

Effective:
August 2010

Document Feedback

Did this document successfully answer your questions?

Additional comments: (2000 character limit)

Email Address: (so we can respond to your questions)

© 2014 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.
Last modified on May 22, 2014