Management Responsibilities for Protecting Electronic Restricted Data
DRAFT
INTRODUCTION:
All individuals in the University community have a responsibility to
protect restricted data under their jurisdiction or control (see
definition below). This document outlines specific management responsibilities for the
protection of this data. These responsibilities are above and beyond
the general practices for protecting electronic restricted data, and assume that Management is familiar with those practices. The information below does not
supersede UC Business and Finance Bulletin IS-3 requirements for
protection of restricted and essential data: http://www.ucop.edu/ucophome/policies/bfb/is3.pdf
Certain types of restricted data, such as electronic protected
health information (ePHI) and credit card data (PCI), have specific
protection requirements. For information, see ITS' Restricted Data
Resources page at http://its.ucsc.edu/security_awareness/restricted_data_resources.php.
GETTING HELP
For assistance with any of these practices, please contact the ITS Support Center or your ITS Divisional Liaison (DL) or Local IT Specialist (LITS):
DEFINITIONS:
Restricted Data: The University of California has defined "restricted data" as "any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit." Please see UC Business and Finance Bulletin IS-3, Information Security, for a complete definition: http://www.ucop.edu/ucophome/policies/bfb/is3.pdf.
At UCSC, restricted data includes information whose unauthorized release or disclosure could be expected to have a severe or catastrophic effect on the University. This includes, but is not necessarily limited to:
- Personal Identity Information (PII),
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation,
- Credit card data regulated by the Payment Card Industry (PCI),
- Records of students with a "Non-Release of Public Information" (NRI) flag in UCSC's Academic Information System (AIS),
- Information relating to an ongoing criminal investigation,
- Court-ordered settlement agreements requiring non-disclosure,
- Information specifically identified by contract as restricted,
- Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high.
Please see ITS' online glossary for information about most of these types of data.
MANAGEMENT RESPONSIBILITIES FOR PROTECTING ELECTRONIC RESTRICTED DATA
above and beyond the 'general practices for protecting electronic restricted data'.
- Authorization
- Physical security
- Disposal and re-use
- Education and training
- Documentation and distribution of policies
- Sanction policy
- Background checks
- Security incidents and breaches
- Disaster recovery and emergency procedures
- Third party/vendor relationships
- Identification of systems storing and accessing restricted data
- Review of policy and effectiveness of implementation
1. Authorization
- Ensure that individuals have proper authorization prior to accessing restricted data.
- Authorize access to the minimum amount of restricted data, and only as needed for individuals to perform assigned duties.
- Ensure that employees, including student employees, read and sign the UCSC Access to Information Statement prior to obtaining access to restricted data: http://its.ucsc.edu/services/accounts/online_forms/acc_info_stmt.pdf
- The Access to Information Statement is to be filed with the ITS Support Center for campus systems, such as FIS and PPS, and according to unit or department procedure for departmental or local systems.
- Implement and document procedures for authorizing, granting, reviewing, and terminating access to restricted data. This should include ensuring that when an employee leaves or changes job duties, their access is modified or terminated, as appropriate.
- Restrict and limit superuser or administrator accounts: Authorize superuser accounts only for specified activities. If the individual also needs regular access to the restricted data, authorize a separate, non-superuser account or require a mechanism to elevate privileges in a manner that can be tracked and audited.
- When an account is closed, ensure that any related superuser access is also closed.
2. Physical security
- Ensure appropriate access controls, policies and procedures for facilities that contain physical or electronic restricted or essential data or equipment. This includes management of lock codes and keys.
- Use of electronic door locks is encouraged for access to locations containing restricted data because of their ability to record access to the facility by individual code, date, and time. This information can be useful should an investigation of access be needed.
- Inventory control: Working with Service Providers as necessary, implement and document procedures to track hardware and electronic media containing restricted data, including receipt, removal, reassignment and disposition.
3. Disposal and re-use
Working with Service Providers as necessary, ensure the secure removal or destruction of restricted data prior to equipment reassignment or disposal.
4. Education and training
Develop procedures to ensure and document that all employees whose jobs entail working with restricted data receive training, including periodic updates and reminders, in the following areas:
- Basic computer security awareness as well as specific practices for protecting restricted data
- Any specific procedures that must be followed in order to maintain proper security
- Security incident response (see #8, below)
- Local emergency operations procedures for protecting restricted data in the event of a disaster
5. Documentation and distribution of policies
- Ensure that all individuals who work with restricted data are aware of applicable UC, UCSC, and departmental policies, procedures and guidelines, available online at Security Policies.
- Where applicable, implement and document policy and procedure for obtaining signed statements of receipt and understanding of applicable policies and requirements for employees with access to restricted data.
6. Sanction policy
Management shall report known or suspected violations of policy or law to the appropriate System Steward or Service Provider, or to Internal Audit or the Whistleblower Office. Management shall work with Staff or Academic Human Resources to determine appropriate actions and documentation in response to such violations.
7. Background checks
When hiring or reassigning individuals to critical positions that will require access to restricted data, check with Staff or Academic Human Resources regarding the campus policy on background checks and/or fingerprinting.
8. Security incidents and breaches
- Management should be familiar with UCSC's campus incident response procedures, available online at UCSC Breach Guideline.
- Make sure employees know who to notify in addition to the ITS Support Center in the event of a suspected IT security incident or breach. In the absence of a designated individual in the department, employees should notify their supervisor.
- Establish a procedure for confirming incidents, escalation, and any required reporting.
- Identify provisions for remediation of information security incidents, as appropriate.
9. Disaster recovery and emergency procedures
- Determine the criticality of all restricted data in order to identify what restricted data must be backed up regularly to a secure location.
- Work with ITS or your ITS DL or LITS to ensure this happens.
- Educate employees on emergency procedures for the protection of restricted data in the event of a disaster.
- Emergency procedures, including backup and recovery, must be documented and tested regularly.
10. Third party/vendor relationships
- When passing restricted data to an agent of the University, there must be a written contractual agreement in place, including terms and conditions, that:
  - prevent disclosure of restricted information by the agent or affiliate to other third parties including subcontractors, except as required or permitted by the approved University agreement or contract terms,
  - require all agents and affiliates to observe federal and state laws and University policies for privacy and security,
  - require a specific plan by the agent or affiliate for the implementation of administrative, technical, or physical security strategies as outlined in this bulletin,
  - require a plan for the destruction or return of restricted information upon completion of the agent's or affiliate's contractual obligations,
  - specify access or authorization permissions and restrictions necessary to fulfill contractual obligations.
- Establish procedures to ensure that contract language meets University requirements.
- UCSC Purchasing can provide assistance with necessary contract language, contract amendments and updates.
- Ensure that third parties with access to restricted UCSC data, or systems that contain or access this data, are aware of their obligations for data security under the terms and conditions of their contract. Guidance in this area is available at http://its.ucsc.edu/security_awareness/appendixds.php.
- Regularly review and update agreements with external service providers to ensure vendor and contractual compliance with these requirements.
11. Identification of systems storing and accessing restricted data
All systems that store or access restricted data require additional security and protections beyond what less sensitive systems may require. Management should identify systems that store or access restricted data and bring them to the attention of ITS (contact info above).
12. Review of policy and effectiveness of implementation
Develop procedures for regular, periodic review and update of local implementation of these practices and of local policies developed in support of these practices.
- Document compliance activities and their effectiveness.
Rev. 5/29/08