071.11 Organizational Security and Data Classification

071.11 Organizational Security and Data Classification

A. Background

Furman University information systems handle personal and confidential information that is protected by state and federal statutes. In order to better comply with such laws, and to better protect the safety and confidentiality of the University information resources, it has become necessary to create a policy outlining the types of protected information, and allocate roles and responsibility for securing that information.

B. Policy

All of Furman’s faculty and staff are responsible for maintaining appropriate security and confidentiality for the University’s information resources. All members of the campus community are expected to comply with University information policies and applicable state and federal laws regarding information security and confidentiality. The University will allocate security roles and responsibilities for classifying University data, establish training programs, and perform periodic security audits to ensure compliance.

C. Guidelines

1. The University allocates information security roles and responsibilities as follows:

a. The University Auditors’ role is to review the University information security polices and procedures to ensure that these policies and procedures adequately protect the University’s information assets. The auditors will conduct periodic reviews of the University’s security policies and procedures, and make appropriate recommendations to University management.

b. Computing and Information Services (CIS) management is responsible for establishing service levels and directing the implementation of appropriate security policies and procedures to protect the University’s information resources. CIS management will maintain a “Service Catalog” listing each University information service and identifying the University Vice President responsible for each information service. The University’s Chief Information Officer will meet annually with each University Vice President to discuss information services’ funding, service levels, and information security.

c. Working within the constraints of existing University resources, each University Vice President is responsible for working with the Chief Information Officer (CIO) to ensure there is appropriate funding for the information resources maintained by their designated areas. Each Vice President will meet with the CIO annually to discuss service levels and security for their information services. It is the responsibility of the Vice President to obtain additional funding if they desire a higher service level or need additional security.

d. Each information service in the Service Catalog will be assigned to a CIS staff member who functions as the “service administrator”. It is the Service Administrator’s responsibility to recommend appropriate security policies and procedures for that service, and to implement security policies and procedures as approved by CIS management. Service Administrators, who are responsible for a domain of university data, are responsible for documenting and enabling user access to that university data, as well as maintain records of authorized data users for highly sensitive data.

e. A department or organizational unit manager, with responsibility for updating and maintaining a portion of the University’s information, functions as a “Data Steward”. It is the Data Steward’s responsibility to authorize security access to enter, update, and maintain the department’s information; and to ensure the accuracy and quality of all data within their area. It is also the Data Steward’s responsibility to ensure that the authorized data processors and data users are adequately trained.

f. "Data Processors” are authorized by data stewards to enter, modify, or delete data. Data processors are responsible for, and accountable for, the completeness, accuracy, and timeliness of the data assigned to them.

g. A “Data User” is any university employee, contractor, affiliate, or duly authorized member of the community who can access internal and/or highly sensitive university data, but does not modify or delete that data. For the purposes of the responsibilities outlined in this policy, data users include all who have the capacity to access University data. All data users, whether they are data stewards, service owners, or processors, are responsible for the security and privacy of the data they access, and are responsible for reporting any data compromises.

a. “Public Use Data” is data intended for general public use. An example is the university's on-line directory.

b. "Internal Use Only Data” is data not generally made available to parties outside the Furman University community. An example is minutes from confidential meetings. These are considered internal use only data and should not be routinely disclosed. This information may be released to parties outside the Furman University community, but such requests must be reviewed by the appropriate University Vice President. Unauthorized distribution of this data to external sources by any university employee is considered an abuse of privileged information.

c. "Highly Sensitive Data” is information prescribed in contractual and/or legal specifications and specified in state and federal law as information that must be protected. Among the types of data included in the category are individual financial records, social security numbers, credit card information, proprietary data, and data protected by law or international agreement.

4. The university forbids the disclosure of internal use only data and/or highly sensitive data in any medium except as approved in advance by a data steward. The use of any internal use only or highly sensitive university data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited. Each data user will be responsible for the consequence of any misuse of university data.

5. Should a security breach occur, CIS will investigate all the facts related to the situation and make a determination as to whether or not the matter is referred to law enforcement authorities through Public Safety. The Director of Human Resources will review all matters involving university staff. The Dean of Faculty will review all matters involving faculty. The Vice President for Student Life reviews matters involving students. University Counsel will review matters involving individuals not affiliated with the university.

6. All individuals accessing University information at Furman University are required to comply with federal and state laws, and university policies and procedures, regarding data security of highly sensitive data, and to exercise discretion with regard to such data. Any university employee, student, or non-university individual with access to University data who engages in unauthorized use, disclosure, alteration, or destruction of data in violation of this policy will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

7. In cooperation with department and unit managers, CIS is responsible for managing a University security awareness program for all members of the University community and for consulting with members of the University on information security issues. Security awareness will be a significant component of orientation sessions and training classes offered by CIS. In addition, CIS will offer security awareness materials in print and on the web to instill the importance of appropriate information handling, and to explain the implications of the University’s information security policies.

...........................