General Policies

University Policy Number 1114

Subject: Data Stewardship Policy

Responsible Parties:
University Privacy and Security Team

Procedures:
ITU Procedures to Protect Administrative Data

Related Policies: Virginia Freedom of Information Act
http://www.gmu.edu/facstaff/policy/newpolicy/1117gen.html


I. SCOPE
II. POLICY STATEMENT
III. DEFINITIONS
IV. RESPONSIBILITIES
V. TRAINING
VI. EFFECTIVE DATE AND APPROVAL
APPENDIX A


I. SCOPE


Administrative Policy Number 1114 applies to all academic and operational departments and offices at all George Mason University locations, owned and leased. The policies and procedures provided herein apply to all University faculty, staff, students, visitors and contractors.

This policy governs the privacy, security, and confidentiality of university data, especially highly sensitive data, and the responsibilities of institutional units and individuals for such data.

II. POLICY STATEMENT

George Mason University maintains data essential to the performance of university business. These data are valuable assets. State and federal laws identify the types of data to which access must be restricted. This policy incorporates federal and state standards and establishes responsibilities for all elements of university data for confidentiality, integrity, and availability.

The greatest benefit the university can provide to the community is data that is shared and used with care. This benefit is diminished through misuse, misinterpretation, or unnecessary restrictions on access. Although a large portion of university data is shared with the public, some data is restricted by the privacy protections mandated by state and federal laws. To comply with these mandates and protect the university community, the university has the right and obligation to protect, manage, secure, and control data under its purview.

III. DEFINITIONS

A. University Data: Any data required to conduct the operations of the university. University data are divided into three categories: public use data, internal use only data, and highly sensitive data.

i. Public Use Data: Data intended for general public use. An example is the university's on-line directory.

ii. Internal Use Only Data: Data not generally made available to parties outside the George Mason community. An example is minutes from nonconfidential meetings. These are considered internal use only data and should not be routinely disclosed. This information may be released to parties outside the George Mason community, but such requests must be reviewed by the Office of University Counsel. Unauthorized distribution of this data to external sources by any university employee is considered an abuse of privileged information.

iii. Highly Sensitive Data: Data prescribed in contractual and/or legal specifications and specified in state and federal law as information that must be protected. Among the types of data included in the category are individual financial records, social security numbers, credit card information and proprietary data protected by law or international agreement.

B. Those responsible for the protection of University data: (Appendix A provides a list, i. – iv. by title)

i. Chief Data Stewards: Senior administrative officers of the university responsible for overseeing all information resources. The Provost (Executive Vice President for Academic Affairs) and the Senior Vice President currently serve as chief data stewards of university data for their respective areas of responsibility.

ii. Data Stewards: Deans, vice presidents, associate vice presidents, directors, managers, or others identified by the chief data stewards to manage a subset of data. The delegation of this authority and responsibility is accomplished by written instructions. Examples of subsets of data include employee, student, auxiliary services, financial, research, and accounting data.

iii. Data Administrators: Individuals responsible for documenting and enabling user access to a domain of university data. Data administrators also maintain records of authorized data users for highly sensitive data. A data administrator may also be a system administrator whose primary functions reside in the Information Technology Unit.

iv. Data Processors: These individuals are authorized by data stewards to enter, modify, or delete data. Data processors are responsible for and accountable for the completeness, accuracy, and timeliness of the data assigned to them.

v. Data Users: Any university employee, contractor, affiliate, or duly authorized member of the community who can access internal and/or highly sensitive university data but does not modify or delete that data. For the purposes of the responsibilities section in this policy, data users include all who have the capacity to access university data. All data users, whether they be data stewards, administrators, or processors, are responsible for the security and privacy of the data they access, as prescribed in this policy.

vi. Privacy and Security Compliance Team: A select group of deans, directors, coordinators, vice presidents, and other employees, representing their respective departments, who, under the leadership of the Chief of Staff, are responsible for developing policies and providing direction for overall institutional data management.

vii. Customer: Any employee, student, or individual not associated with the university from whom highly sensitive data is collected.

IV. RESPONSIBILITIES

A. General.

Access to University data is provided to University employees for the conduct of University business. Internal use only and highly sensitive university data, as defined by this policy, will be made available to employees who have a genuine need for it. This may include data collected from students, faculty, staff, contractors, members of the community, or those who have no affiliation with the university. Employees accessing such data must observe the requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data used in any type of reporting function. Individual units or departments that have stewardship responsibility for portions of internal and highly sensitive university data must establish internal controls to ensure that university policies are enforced. All data users, not just data stewards, administrators, or processors, are responsible for the security and privacy of the data they access, as prescribed in this policy.

B. Compliance

i. The university forbids the disclosure of internal use only data and/or highly sensitive data in any medium except as approved in advance by a data steward. The use of any internal use only or highly sensitive university data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited. Each data user will be responsible for the consequence of any misuse of university data.

ii. Should a security breach occur, the CSIRT-Exec will investigate all the facts related to the situation and make a determination as to whether or not the matter is referred to law enforcement authorities through the University Police Department. The Assistant Vice President for Human Resources will review all matters involving university employees. The Dean of Students reviews matters involving students. University Counsel will review matters involving individuals not affiliated with the university.

iii. All individuals accessing university data at George Mason University are required to comply with federal and state laws and university policies and procedures regarding data security of highly sensitive data and to exercise discretion with regard to such data. Any university employee, student or non-university individual with access to university data who engages in unauthorized use, disclosure, alteration, or destruction of data in violation of this policy will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

C. Responsibilities: Authorization for access to and the maintenance and security of all University data, particularly highly sensitive data, is delegated to specific individuals within their respective areas of responsibility.

i. Responsibilities of chief data stewards:

a. Establish policies and direction for the overall security and privacy of all University data and particularly highly sensitive data within their respective areas of responsibility.

b. Identify and appoint data stewards for units within their areas of responsibility.

c. Appoint appropriate representative individuals to the Privacy and Security Compliance Team.

ii. Responsibilities of data stewards:

a. Develop procedures and policies to ensure the protection of all University data and particularly restricted highly sensitive data.

b. Ensure the accuracy and quality of all data within their area.

c. Annually review with appropriate data administrators the current set of highly sensitive data access authorizations and, as appropriate, update authority granted each user.

d. Ensure that authorized users of highly sensitive data are trained on their responsibilities associated with their approved access to that data.

e. Report any possible breach in computer security or illicit use of highly sensitive data to the CSIRT.

f. Review appeals of decisions to deny access to University data within their area of responsibility.

iii. Responsibilities of data administrators:

a. Use formal procedures and tools as determined by their respective data steward to enable access for authorized data processors and data users. This includes providing formal approval for data user access to highly sensitive data.

b. Maintain documentation of users who are authorized access to highly sensitive data. Where abuses of that authorization are discovered, make authorization withdrawal recommendations to the appropriate Data Steward.

c. A data administrator may also be a system administrator whose primary functions reside in the Information Technology Unit.

iv. Responsibilities of data administrators who are also systems administrators within a unit: (Responsibility for the security of computer systems may belong to the Information Technology Unit if the unit or department has signed a service level agreement with the ITU to manage the server.)

a. Identify possible security gaps that may leave systems vulnerable to attacks or hackings and take remedial actions to make the systems secure.

b. Ensure the usability, reliability, availability, and integrity of information systems and their data by serving as liaisons between all parties with interests in such systems.

v. Responsibilities of data processors:

a. Accurate input and presentation of data. Each data processor will be responsible for any intentional misrepresentation of data.

b. Maintenance of data integrity. Upon recognizing that any data elements are in error, the data processor will notify the appropriate data stewards.

vi. Responsibilities of data users:

a. Use internal use only and highly sensitive data only as required by the employee’s job responsibilities and authorized by appropriate data administrators.

b. Respect and protect the confidentiality and privacy of individuals whose records they access.

c. Abide by federal and state laws and university policies and procedures with respect to access, use, or disclosure of highly sensitive data.

d. Report any possible breach in computer security or illicit use of internal use only and/or highly sensitive data to the data steward of the data user’s unit.

vii. Responsibilities of the Privacy and Security Compliance Team:

a. Ensure the university complies with state and federal regulations on security and privacy of university data.

b. Educate the university community about trends in security and privacy that have the potential to affect how the university does business.

c. Recommend to the President of George Mason University remedial action(s) to identified problems.

d. Review policies and procedures developed by each department or unit to ensure that these departments or units have appropriate security measures that will protect institutional data from compromise or unauthorized access, modification, destruction, or disclosure.

D. Organizational and individual responsibilities for access control to highly sensitive data:

i. Access to and storage of highly sensitive data requires a formal written request to the appropriate data administrator. A written request in e-mail format is acceptable.

ii. Each unit will have documented procedures that preserve and protect highly sensitive data in compliance with the security program as defined by the three major components of the Gramm-Leach-Bliley Act. These are:

a. Ensure the security and confidentiality of customer information.

b. Protect against any anticipated threats to the security or integrity of such information.

c. Guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

iii. Each unit will have a documented set of procedures for reviewing requests to access, modify, or update highly sensitive data.

iv. Each unit will provide their access and data security procedures to the Privacy and Security Compliance Team for review to ensure compliance with this policy.

v. Members of the university community may appeal any decision that denies access to university data. Appeals are to the appropriate data steward.

vi. Public requests for legally restricted data made through the Virginia Freedom of Information Act [University Administrative Policy #1117–Virginia Freedom of Information Act Requests] or other applicable law will be reviewed by the Office of University Counsel prior to any release of data.

V. TRAINING

Data users authorized to access highly sensitive data are required to participate in data security training commensurate with the type and use of such data. This training will be recommended annually to the Chief Data Stewards by a team drawn from the Research Office, University Life, Office of Human Resources, and the Director of IT Security. Managers are to train, or arrange for training, for all current employees who have or will have access to sensitive and/or restricted university data prior to granting access to such data.

VI. EFFECTIVE DATE AND APPROVAL

The policies herein are effective May 4, 2005. This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University's fiscal year, unless otherwise noted.

Approved:

_______________________
Maurice W. Scherrens
Senior Vice President

________________________
Peter N. Stearns
Provost

Date approved: August 1, 2005

 

APPENDIX A

Identification by Title of Chief Data Stewards, Data Stewards, Data Administrators, and Data Processors

Chief Data Stewards

A. Provost and Executive Vice President Academic Affairs – All academic affairs and units

B. Senior Vice President – All administrative affairs and units

Data Stewards

A. Deans

a. College of Arts and Sciences
b. College of Visual and Performing Arts
c. College of Education and Human Development
d. College of Nursing and Health Science
e. School of Information Technology and Engineering
f. School of Computational Sciences
g. School of Public Policy
h. School of Law
i. School of Management
j. Institute for Conflict Analysis and Resolution
k. Krasnow Institute
l. Admissions

B. Vice Presidents

a. University Relations
b. Human Relations
c. Equity and Diversity
d. Facilities
e. University Life
f. Information Technology
g. University Development and Alumni Affairs
h. Research
i. Budget/IRR
j. Controller
k. University Services
l. Director of Athletics

C. Other

a. Registrar
b. Director, Financial Aid
c. Chief of Police
d. University Counsel
e. Internal Audit and Management Services

Data Administrators – As designated by Data Stewards