Protection of Sensitive Institutional and Personal Data
Information Security is Everyone's Responsibility
While many offices and groups - the Information Security Office, the Office for Policy and Internal Control, Deans, department heads, PIs, data owners & trustees who grant access to data, and others in leadership positions with control of resources - play critical roles in information security and data management, the responsibility for information security extends to everyone who comes in contact with and uses university data.
In order to ensure that employees in your area understand the policies, practices, and procedures that ensure the confidentiality and integrity of UB's information assets, please encourage employees in your unit to view the Information Security: Everyone's Responsibility online tutorial to learn more about protecting sensitive institutional and personal data.
UB faculty and staff will find information about protecting their personal data and their personal computers on the new secure computing web site.
Classification of Institutional Data
UB uses the following classification scheme for institutional data.
- Public data are open, unclassified data, authorized for release to the public.
- Internal data are data intended for use within UB. Access to internal data is granted to UB employees and non-employees with a business need-to-know by the owners and custodians of the data.
- Regulated private data are confidential data subject to privacy laws or regulations, including the NY State Breach Notification Act, HIPAA, Gramm-Leach-Bliley, the Payment Card Industry Data Security Standard, SSN Disclosure Laws, and other legal requirements. Only individuals with approved access and signed confidentiality/acceptable use agreement forms have access to these data.
UB's Data Access and Security Policy defines the assigned roles and responsibilities for protecting UB's non-public information from unauthorized access, disclosure, or misuse.
Regulated private data include the following:
- Social Security Numbers
- Credit and debit card and bank account numbers
- State-issued drivers' license numbers and state-issued non-drivers' identification card numbers
- Protected health information
- Computer passwords, passphrases, PINs and other security/access codes
Inappropriate handling of regulated private data may result in criminal or civil penalties, identity theft, invasion of privacy, and personal financial loss. UB's Regulated Private Data Policy and Standards for Securing Regulated Private Data define the standards for protecting UB's regulated private data from unauthorized access, disclosure, or misuse.
Relevant Laws
The following relevant laws are referenced by UB policies, procedures, and best practices.
- Electronic Communication Privacy Act
- FERPA, FERPA Final Rules - December 2008
- Gramm-Leach-Bliley Act of 1999
- HIPAA - Health Insurance Portability and Accountability Act
- UB HIPAA Site
- Payment Card Industry (PCI) Data Security Standard
- UB's PCI Web Site
- FTC Red Flags Rule
- Resources for Creating a Compliance Program for New Federal Red Flags (Identity Theft) Rules
- Digital Millennium Copyright Act (DMCA)
- Student and Exchange Visitor Information System
- USA Patriot Act
Information Security Advisory Structure
The UB Enterprise Information Security Charter, endorsed by UB leadership, presents the framework for information security within the University. It identifies the motivation for information security, describes information security principles and terms, and defines the scope of information security policies and responsibilities of the various security functions. Three groups provide advice to the UB Information Security Officer: the Information Security Risk and Policy Advisory Group (ISRP), the Information Security Data Custodians Council (ISDCC), and the Information Security Technology Advisory Council (ISTAC).
Advisory group charges and membership can be found on the CIO Information Security Advisory Structure web page.
University at Buffalo Information Security and Computer Security Policies, Process, and Procedures
Information Security Policy Process
Description of Process:
- Information Security Policies are developed by the Information Security Risk and Policy Advisory Group, which includes UB executive leadership and faculty, staff, and student representation.
- Draft policies are then vetted and reviewed by key stakeholders and the Executive Technology Advisory Group. Approved policies are sent to the Executive VP for University Support Services, who submits the policies to the President for signature.
- Draft and approved policies are placed on the http://www.itpolicies.buffalo.edu web site with notes on their status.
UB Information Security Policies: Data Access and Protection
UB institutional data that supports the University mission is a vital asset and subject to many federal and state regulations. UB is committed to compliance with privacy and security regulations and the protection of confidential data.
- Protection of Regulated Private Data Policy and Standards for Securing Regulated Private Data
- Policy and Standards for regulated private data, including Social Security Numbers, bank account and credit/debit card numbers, state-issued drivers' license numbers and non-drivers' ID numbers, passwords and other computer access protection data, and protected health information, that describe the protective measures required for this highly confidential and regulated information.
- Data Security, Access, and Acceptable Use Policy
- The University requires all users of University administrative data to utilize the data in a manner consistent with the University's requirements for security and confidentiality, as well as with state and federal legal protections and laws. Access to University administrative data is granted by data custodians and trustees who are required to develop and maintain clear and consistent procedures for access and use of the data, prevent unauthorized access, and protect restricted, non-public data. Data custodians and trustees also classify University data by level of sensitivity and risk, taking into account federal and state legal protections, contractual agreements, ethical considerations, and strategic worth to the institution.
- Access to Information Form
- Social Security Number Protection Policy
- Social Security Numbers are highly confidential and legally protected data. UB is committed to maintaining the privacy and confidentiality of an individual's SSN as mandated by law. It is the policy of UB that the use of the SSN as a common identifier and primary key to databases be discontinued, except where required for employment, financial aid, and a limited number of other business transactions. Disclosure statements will be provided whenever an SSN is requested, in compliance with the Federal Privacy Act of 1974. Sample disclosure statements are available for use. As a university we must work to reduce or eliminate the use of SSNs for identification purposes and to ensure that SSNs are secured in all university databases and applications.
- Requesting Access to Infosource Data Containing SSNs
Computer Security Policies
- Domain Name Service Policy: Recording and Registration of Domain Names and Addresses
- UB Computer and Network Usage Policy
- Guidelines and user responsibilities for the use of UB computer and network resources
- UB Identification and Authentication Systems Policies
- Security Policy for Network Connected Devices
- University network and Internet connectivity can be jeopardized by computers/workstations, servers, and other devices that are not adequately secured and protected from attack by hackers and malicious software. This policy defines responsibilities and the process by which compromised machines may be temporarily disconnected from the network when they pose a risk to the network.
- DMCA Policies
- Distribution of copyrighted material, including music, games, and movies, for which you do not have the owner's permission is a violation of federal law (DMCA) and University policy. The DMCA policies provide information on notifying the campus DMCA agent about violations, how UB responds to DMCA notices, and an FAQ which answers questions about the use of the UB network for peer-to-peer file sharing and downloading copyrighted materials.
- NY State Information Security Policy
- This umbrella information security policy is based on ISO 17799 information security standards. The policy sets forth the minimum requirements, responsibilities and accepted behaviors to establish and maintain a secure environment. Although this policy is mandatory for state entities, it is not mandatory for SUNY institutions.
- NYS Cyber Incident Reporting Procedure
- Policy on Email Servers Connected to the Network
- NYS Web Accessibility Policy
- New York State has issued a policy, effective January 14th, 2009, mandating that all state agencies make their web-based information accessible to persons with disabilities.
- NYS Electronic Signatures and Records Act Guidelines
- UB Electronic Commerce Policy (TBD)