There are several state and federal regulations that govern the handling, usage and security of sensitive data stewarded by the University. If you use a personally-owned computer or a University-owned computer not managed by CIS for University work then you are responsible for properly securing it in accordance with University policy to comply with federal and state data privacy regulations.
If you use a University-managed computer issued to you by CIS, then your security settings are managed for you.
Data classified as Internalor higher shall be accessed or maintained on personally owned devices only when necessary for the performance of University-related duties and activities. University employees shall take all required, reasonable, and prudent actions necessary to ensure the security and retention of sensitive institutional data.
Regardless of the presence of sensitive or regulated Institutional Data, your computer may contain personal and private information, such as financial or medical information, notes, photos, contacts, documents, or saved passwords, that you wish to protect from theft or accidental loss. As such, taking security precautions as described below also safeguards your personal information.
Entities Affected By This Policy
All University employees.
Reason for Policy
This policy directs members of the University community who access or maintain sensitive Institutional Data to meet their shared obligation and responsibility to secure such data by properly self-managing the privacy and security settings on their personally owned device.
Effective Date: March 1, 2020 Last Updated: March 1, 2020
Permission to Use Un-Managed Devices
Departments shall decide on a unit-by-unit basis whether to allow University employees, agents, affiliates or workforce members to use personally owned devices to access or maintain sensitive Institutional Data. Deans and department heads authorizing the use of personal devices are responsible to communicate the boundaries of personal use and raise awareness of appropriate regulations and risk.
University employees shall maintain up-to-date, device-appropriate security safeguards and follow the policies, standards, and guidance provided by the University, as well as comply with appropriate safeguards required by state and federal regulations. In addition, the University or individual units may require that specific security settings and/or software be put in place and maintained on the device to protect sensitive Institutional Data.
Most regulations require the securing of devices used to store data. Securing your devices doesn’t just mean keeping them in a safe place. It means setting a strong password, encrypting file storage, keeping your software up-to-date, backing up your data, choosing appropriate privacy and access settings, deciding what networks to connect to, and more.
Encrypt File Storage of your personal computer to protect sensitive data in the event the device is lost or stolen
Keep your operating system and other software up-to-date.Software updates include patches for newly identified vulnerabilities and other important security updates.
Back up your data. Computer hardware wears out or fails. Devices can be lost or stolen. The University offers several file storage options, including OneDrive for Business, that you can use. Check the Regulated Data Chartto see which services are appropriate for certain types of sensitive data.Institutional Data must be backed up or stored on protected University provided services.
Choose web browser security settings that protect your privacy and enhance security.
Put a sticker on your computerwith your name and contact information so somebody who finds your lost computer can reach you.
Travel safely with technology.Protect your privacy and the University's sensitive data when you're away from home. Don't leave devices unattended in unsecured locations like your car or public spaces.
Use anti-virus software. Use anti-virus and anti-malware software to protect your personally-owned computer.
All mobile devices accessing University employee email are required to have a pass-code or use bio-metric security (finger print, facial-recognition, etc) enabled to protect against unauthorized access.
USB Stick / External Storage
All external storage containing Institutional Data classified as Internalor higher must be encrypted to prevent exposure of sensitive data.
Records Requests and eDiscovery
Records or data maintained by the University or University employees and affiliates may be the subject of document requests (e.g., Freedom of Information Act or Family Educational Rights and Privacy Act) or document production (e.g., warrants, subpoenas, court orders, etc.). University employees, agents, and affiliates may be required to produce records, data, and the devices on which they are stored upon request of the University.
In the course of an incident investigation, the University may be required to inspect any personally owned device, storage media, or cloud platform (e.g., Google Drive, DropBox) that may contain Institutional Data related to the incident. Any access to a personally owned device will be carried out in accordance with relevant University protocols, and legal or law enforcement requirements.
Any records request requires the written approval of the president, the provost, or the area vice president.
Data Return / Deletion
Users shall return and then delete Institutional Data maintained on personally owned devices upon request from the University or when their role or employment status changes such that they are no longer an authorized user of that data.
Personal devices that access or maintain sensitive Institutional Data and that are lost, stolen, have been subject to unauthorized access, or otherwise compromised must be reported to Computer and Information Systems or the Office of Risk Management within 24 hours.
The University characterizes certain activities related to misuse of sensitive data as unethical and unacceptable. Violations of this policy may result in disciplinary action up to and including restricting the ability to use a personally owned device for work-related activities, lost of data and systems access, dismissal, and/or legal action.