1. Data Stewardship
Data Stewards are expected to create, communicate and enforce Data Maintenance and Control Methods. Data Stewards are also expected to have knowledge of functions in their areas and the data and information used in support of those functions. Vice Presidents are accountable for the ultimate data management and stewardship in their respective areas of responsibility, and are the default Data Stewards for all University Data. Recognized Data Stewards are listed in the Attached Approval Table.
2. Data Maintenance and Control Method
Data Stewards will develop and maintain Data Maintenance and Control Methods for their assigned systems.
When authorizing and assigning access controls defined in the Data Maintenance and Control Methods involving Confidential Data, Data Stewards will restrict user privileges to the least access necessary to perform job functions based on job role and responsibility.
If the system is a University Provided Data System, University Technology Services will provide, upon request, guidance and services for the tasks identified in the Data Maintenance and Control Method.
If the system is provided by a Hosted Solution, the Data Steward must still verify that the Data Maintenance and Control Method used by the Hosted Solution provider meets current University technology standards. Further, ongoing provisions for meeting current University technology and security standards must be included in the service contract.
Review of Hosted Solutions must include University Technology Services and Office of Legal Affairs prior to final solution selection and purchase.
3. Data Custodianship
Data Custodians will use data in compliance with the established Data Maintenance and Control Method. Failure to process or handle Data in compliance with the established method for a system will be considered a violation of OU AP&P #890 Use of University Information Technology Resources, and sanctions defined in that policy may apply.
4. Data Usage
In all cases, Data provided to the University will be used in accordance with the Privacy Statement accessed from the University home page www.oakland.edu, and within the guidelines provided to those giving Data to the University (guidelines provided by the Data source).
Data will be released in accordance with University policies (such as OU AP&P #470 Release of Student Educational Records). Requests for information from external agencies (such as Freedom of Information Act requests, subpoenas, law enforcement agency requests, or any other request for Data from an external source) must be directed to the Office of Legal Affairs and processed in accordance with existing policies, particularly Section 7.1 Authorized Use in OU AP&P #890 Use of University Information Technology Resources.
Standards for secure file transmissions, or Data exchanges, must be evaluated by University Technology Services when a system other than a University Provided Data System is selected or when a Hosted Solution is utilized. Specific contract language may be required. The Office of Legal Affairs must be consulted regarding such language.
Unencrypted authorization and Data transmission are not acceptable.
Data Used in the pursuit of teaching, learning, research and administration must be managed to preserve integrity and trust. This is the responsibility of all who use Data.
Communications of Confidential Data via end-user messaging technologies (i.e., email, instant messaging, chat or other communication methods) is prohibited.
5. Storing data
Data cannot be stored on a system other than a University Provided Data System without the advance permission of the Data Steward and demonstrated legitimate need.
Data cannot be stored on a University-provided mobile computing device without the advance permission of the Data Steward and demonstrated legitimate need.
Data must be stored on devices and at locations approved by Data Stewards. If information technology resources (computers, printers and other items defined in OU AP&P #890 Use of University Information Technology Resources) are stored at an off-campus location, the location must be approved by Property Management prior to using such resources to store University Data.
New technology sometimes enables the storage of Data on fax machines, copiers, cell phones, point-of-sale devices and other electronic equipment. Data Stewards are responsible for discovery of stored Data and removal of the Data prior to release of the equipment.
Data should be stored in encrypted formats whenever possible. Confidential Data must be stored in encrypted formats. Encryption strategies should be reviewed with University Technology Services in advance to avoid accidental Data lockouts.
When approving Mobile Computing Device Usage, Data Stewards must verify that those using Mobile Computing Devices can provide information about what Data were stored on the device (such as a copy of the last backup) in the event the device is lost or stolen.
In all cases, Data storage must comply with University retention policies. Data Usage in a Hosted Solution system must have specific retention standards written in the service contract. The Office of Legal Affairs must be consulted regarding such language.
Provisions for the return of all University Data in the event of contract termination must be included in the contract, when Data are stored on a Hosted Solution. The Office of Legal Affairs must be consulted regarding such language. Current security standards (such as controlled access, personal firewalls, antivirus, fully updated and patched operating systems, etc.) will be evaluated when a system other than a University Provided Data System is selected and must be covered in contract language. The Office of Legal Affairs must be consulted regarding such language.
Data stored on Mobile Computing Devices must be protected by current security standard methods (such as controlled access, firewalls, antivirus, fully updated and patched operating systems, etc.).
University standard procedures for the protection and safeguarding of Confidential Data and Operation Critical Data must be applied equally and without exception to University Provided Data Systems, Mobile Computing Devices and systems other than University Provided Data Systems, such as Hosted Solutions.
6. Systems and network data
Systems and network Data, generated through systems or network administration, logs or other system recording activities, cannot be used, or captured, gathered, analyzed or disseminated, without the advance permission of the Chief Information Officer, University Technology Services.
7. Value of data
In all cases where Data are to be processed through a Hosted Solution, the following assessment must be done:
- The value of the Data must be determined in some tangible way.
- Signature approval from the Data Steward’s division vice president or appropriate party with the ability to authorize activity at the level of the value of the Data must be obtained.
Failure to follow the guidelines contained in this document will be considered inappropriate use of a University information technology resource and therefore a violation of OU AP&P #890 Use of University Information Technology Resources. Sanctions will follow the steps identified in that policy.
9. Data Security Breach Review Panel
A Data Security Breach Review Panel (Panel) comprised of the following members will be established:
Assistant Vice-President and Controller, Finance & Administration
Chief Information Officer University Technology Services
Chief of Police, Public Safety
Director of University Communications and Marketing
University Risk Manager
If unauthorized access to Confidential Data is discovered, a member of the Panel must be contacted, who will then convene the Panel. This contact with the Panel must be initiated as soon as possible after the breach in order to assist the University in meeting its legal obligations, and may be initiated by the Data Steward, by the user of the Data, by the owner of a missing or stolen laptop or storage device, or by anyone who has become aware of unauthorized Data access.
Examples of potential data security breaches that require notification include, but are not limited to:
- Theft or loss of a laptop, desktop computer, or storage device used to store Confidential Data
- Unauthorized access to a Database system or hack of a University system or website.
The Panel will:
- Review the situation and assess the potential for Data exposure. It is expected that the owner of the system in question will be able to identify the Confidential Data that were stored on that system.
- Perform digital forensics necessary to assess the threat and take steps to limit the breach.
- Develop and implement a response plan to ensure the University’s compliance with all legal and other obligations in regards to the breach.