Policy 7.4 Information Asset Management
SCOPE: FACULTY, STAFF, STUDENTS, AND GUESTS
1. POLICY STATEMENTS
1.1. Information that is sensitive or confidential must be protected from unauthorized access or modification. Data that is essential to critical university functions must be protected from loss, contamination, or destruction.
1.2. Information must be identified and assigned the appropriate data classification in order to be protected appropriately.
1.3. Appropriate roles and responsibilities must be identified to facilitate data protection.
2. ROLES AND RESPONSIBILITIES
2.1. Information Owner (Owner)
2.1.1. LIT (and consequently the state of Texas) is the legal owner of all the institutional information assets. As a practical matter, specific ownership responsibilities is delegated to those with day-to-day oversight of the information asset. Ownership of data, information, and records (all hereinafter referred to as information) maintained in the manual and automated information and records systems of LIT is identified in the following table.
|Information Type||Information Owner|
|Faculty Records||Vice President of Student & Academic Success|
|Current and Former Student Information||Registrar|
|Financial Information||Chief Business Officer|
|Donor Information||Executive Director of Development|
|Prospective Student Information||Vice President of Student & Academic Success|
|Student Financial Information||Director of Financial Aid|
|Information Security||Information Security Officer|
|Unit Administrative Information||Unit Head|
2.1.2. Ownership responsibility for network, hardware, and software assets is assigned to the party accountable for the assets, as documented in LIT inventory, procurement, and licensing records.
2.1.3. Owners are required to classify information under their authority, with the concurrence of the IRM, in accordance with this policy.
2.1.4. Owners are required to coordinate data security control requirements with the ISO and convey said requirements to information custodians.
2.2. Information Custodian
2.2.1. The LIT Information Technology department is, by default, the custodian of all information resources for which it has system administration responsibilities. LIT Information Technology has the authority to implement required security controls.
2.2.2. In consultation with the IRM and ISO, custodians are specifically responsible for:
a) Implementing required security controls specified by the owner or as specified by LIT’s policies, procedures, and standards.
b) Providing owners with information to facilitate the evaluation of the cost-effectiveness of controls and monitoring.
c) Adhering to monitoring techniques and procedures, approved by the ISO, for detecting, reporting, and investigating incidents.
d) Providing information necessary to support appropriate employee information security training. e) Ensuring information is recoverable in accordance with risk management decisions.
2.3.1. Users of information resource shall use them only for their specified purpose. Users must comply with LIT policies, procedures, security bulletins, and alerts issued by LIT Information Technology to prevent unauthorized or accidental disclosure, modification, or destruction of information.
2.3.2. Employee users are responsible for ensuring the privacy and security of the information they access in the normal course of their work. They are also responsible for the security of any computing equipment used in the normal course of work.
2.3.3. Employee users are authorized to use only those information resources that are appropriate and consistent with their job functions and must not violate or compromise the privacy or security of any data or systems accessible via LIT’s computer network. See 7.1 Appropriate Use for additional information.
3.1. All information stored, processed, or transmitted using LIT’s information systems shall be identified and assigned the appropriate classification of Public, Sensitive, or Confidential.
3.2. Information that meets the criteria for Regulated shall be assigned that classification as well.
3.3. Assigned classifications shall be included in an information asset inventory maintained by LIT Information Technology.
3.4. All information must be reviewed and classified prior to prior to being posted on a publicly accessible information system (e.g., public website) to ensure nonpublic information is not included.
4. STANDARDS FOR HANDLING CONFIDENTIAL AND SENSITIVE INFORMATION
4.1. Confidential information must not be disclosed to the public under any circumstances other than those specifically authorized by law.
4.2. Social security numbers, driver’s license numbers, and other widely used government-issued identification numbers shall not be captured, stored, or used as a personal identifier unless such use is required by an external, governmental, or regulatory system that is authorized for use at LIT. The LIT ID number should be used in lieu of such prohibited identifiers in situations where personal names or other identifiers do not assure uniqueness. Where use of such numbers is required and authorized, owners, custodians, and users shall store these numbers only in authorized locations.
4.3. No data subject to PCI Data Security Standards (i.e., payment cardholder data) shall be stored on any device connected to the campus network unless that device has been specifically authorized by both the CFO and the IRM to be used for processing payment transactions. Authorized devices shall store data for no longer than is necessary to authorize a transaction using that information.
4.4. Confidential or sensitive information shall be retained only as long as the information is needed to conduct LIT business. It is the responsibility of owners, custodians, and users to perform periodic reviews to ensure confidential and sensitive information stored on LIT information resources is removed when no longer needed, subject to records retention requirements.
4.5. Confidential and sensitive information shall not be shared, exposed or transmitted via any peer-to-peer (P2P) file sharing software.
4.6. Confidential information shall not be transmitted over public networks (i.e.; Internet) without encryption.
4.7. Confidential information shall be encrypted when accessed from outside the institutional network. Acceptable methods of encryption include SSL, TLS, SSH, sFTP, and VPN.
4.8. Confidential information shall be stored only in authorized locations. It shall not be stored:
4.8.1. In any location external to the campus network except those that have been authorized by the IRM.
4.8.2. On portable devices without encryption or other compensating controls approved by the ISO.
4.8.3. On removable media without encryption. Removal media includes, but is not limited to, USB flash drives, portable/external hard drives, tapes, and CDs/DVDs.
4.9. Confidential information should not be stored on personally-owned devices or media. If such storage is required, the confidential information must be encrypted or protected by other compensating controls with the advice and authorization of the ISO.
4.10. Unauthorized or accidental disclosure of confidential information shall be reported to the ISO and appropriate supervisory personnel immediately upon discovery
4.11. When confidential information from another institution of higher education or state agency is received by LIT in connection with the transaction of official business, LIT shall maintain the confidentiality of the information in accordance with the conditions imposed by the providing agency or institution.
4.12. Encryption requirements for information storage and transmission, as well as for portable devices, removable media, and encryption key management, shall be based on documented risk management decisions.
5. TRANSFER, DISPOSAL, OR DESTRUCTION OF INFORMATION ASSETS
5.1. LIT Information Technology is responsible for disposal of all electronic storage media (e.g., hard drives, DVDs, CDs, USB drives, backup tapes) or devices containing electronic media (e.g., computers, portable devices, printers, copiers, medical equipment, processing equipment).
5.2. Units that purchase or maintain their own electronic storage media or devices containing electronic media shall coordinate disposal with LIT Information Technology.
5.3. Prior to the sale, transfer or disposal of old, obsolete, damaged, non-functional, or otherwise unneeded electronic storage media or devices containing electronic media, the following actions must be taken:
5.4. Data must be permanently removed using an approved method commensurate with the security classification of the data.
5.5. Electronic state records shall be destroyed in accordance with §441.185 Government Code.
6. AUTHORITY AND RESPONSIBILITY
Questions related to this policy should be addressed to the IRM at firstname.lastname@example.org.