Preamble. Data and information are important assets of the university and must be protected from loss of integrity, confidentiality, or availability in accordance with university policy and standards, Regents' policy, applicable contracts, and state and federal laws and regulations. This policy sets forth the responsibility of users to classify university data and to apply appropriate protections to that data and to the systems on which it is stored or processed.

A. Definitions.

A-1. Data Owner: The senior university college/division/departmental executive with direct responsibility for all access to and use of designated types of data. Use of this term in connection with this policy shall not affect university claims or rights of ownership of data, or ownership of third-party data in the possession of the university. For example, research data produced by the university is owned by the university under current policy, FSH 5700, but the Vice President for Research and Economic Development would be considered the Data Owner for the purposes of this policy, APM 30.11.

A-2. Data Steward: A documented employee with expertise in a data domain, who is responsible to the Data Owner for ensuring that appropriate access controls and protections are applied to maintain compliance. The Data Steward coordinates with the Data Owner and the University's Information Security Office on data categorization and on determining the proper response to security incidents involving the data with which they are entrusted.

A-3. Operator: Any individual responsible for handling or processing university data. This includes contracted vendors or affiliates accessing university data resources on behalf of the Data Owner.

A-4. Data Security Standards: The minimum set of technical and administrative controls required to protect a category of data and meet the objectives of confidentiality, integrity, and availability. Supplemental requirements may be published by OIT in coordination with Data Owners, or defined by other university policies, to meet security objectives including compliance requirements.

A-5. System: A discrete set of resources assembled to store, process, maintain, share, or dispose of data. This includes, but is not limited to, any endpoint device (desktop, laptop, smartphone, tablet) as well as servers, networks, or third-party and cloud services.

B. Policy.

B-1. General. Data and information systems must be classified according to the risks associated with the data being stored, accessed, or processed. Data with the highest risk needs the greatest level of protection; data with lower risk requires proportionately less protection. Consistent with Federal Information Processing Standard (FIPS) 199, university data is classified based on the impact to individuals or to the university if the security of that data were breached. Data Owners may designate a higher general risk level for a particular data set, or establish standards supplemental to the baseline for the risk category.

B-2. Categories.

(a) Low Risk. The potential impact of a loss of confidentiality, integrity, or availability could be expected to have only a limited adverse effect on university operations, individuals, or assets. Examples: published public information, including press releases, directory information, or research data that is neither confidential nor regulated.

(b) Moderate Risk. The potential impact of a loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on university operations, individuals, or assets. Example: FERPA

(c) High Risk. The potential impact of a loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on university operations, individuals, or assets. Example: private information that must be protected by law or industry regulation (HIPAA ePHI, Social Security numbers, driver's license numbers, bank or credit account numbers).

B-3. Data Security Standards. Data, accounts, and systems must be classified according to the highest-risk data that they process. All users and systems accessing university technology resources must meet or exceed the required standards based upon the highest data classification stored or accessed by that system.

(a) The OIT Information Security Office shall publish, and review at least annually with appropriate advisory groups, data security standards approved by the Chief Information Officer (CIO), including:

(1) Minimum Security Standards (formerly Network Computing Device Standards), which must be met by all systems using the university network or processing data on behalf of the university and classified as low risk.

(2) Moderate Risk Standards, which must be met by all systems categorized as moderate risk.

(4) Supplemental standards or references to satisfy compliance, contractual, or other policy or industry regulatory requirements (e.g., the current Payment Card Industry Data Security Standard (PCI-DSS)).

(5) Requirements as outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171, or its current version.

(b) Unless otherwise specified or required, changes to published standards shall take effect 90 days from the date of publication following approval by the CIO. Where possible, additional notice will be given for significant changes to a standard.

B-4. Compliance. Systems or users known to be out of compliance with this policy and the published standards will be subject to removal of access to university technology resources or data. Where appropriate, OIT will notify the appropriate internal authority, including the Data Steward, the Office of Risk Management, or the Office of Research Assurances, as applicable, of the non-compliance. The applicable internal authority will initiate disciplinary action for non-compliance, where appropriate.

B-5. Reporting Incidents. In the event of a suspected incident or event, including non-compliance with this policy involving any university technology resource, that has the potential to adversely affect the university, immediate notification of the incident must be sent to the following address:

After an incident has been reported, it shall be investigated and escalated in accordance with the university's Technology Security Incident Response Plan.

C. Scope. This policy applies to all university faculty, staff, students, and affiliates who access, store, or process university data, or who use university systems or technology resources.

D. Exceptions. Requests for exceptions to all or part of this policy may be submitted in writing to the Information Security Officer, who will assess the risk and make a recommendation to the appropriate Data Steward and/or the Chief Information Officer for review and possible approval. Any exception must be reviewed at least annually.

E. Contact Information. The OIT Information Security Office can assist with questions about this policy and the related standards.

F. References.

NIST SP 800-53 Rev. 4
UI - FSH 5300 - Copyrights, Protectable Discoveries, and Other Intellectual Property
UI - FSH 5700 - Research Data
UI - APM 45.19 - U.S. Export Controls
UI - APM 45.22 - Eligibility, Competency and Effort Requirements for Principal Investigators, Chief Investigators, and/or Project Directors
UI - APM 65.02, 65.06