Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Similar documents
Mobile Device policy Frequently Asked Questions April 2016

Employee Security Awareness Training Program

Virginia Commonwealth University School of Medicine Information Security Standard

Access to University Data Policy

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

01.0 Policy Responsibilities and Oversight

Data Compromise Notice Procedure Summary and Guide

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Subject: University Information Technology Resource Security Policy: OUTDATED

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

UTAH VALLEY UNIVERSITY Policies and Procedures

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Information Technology Standards

University Policies and Procedures ELECTRONIC MAIL POLICY

Bring Your Own Device Policy

Southern Adventist University Information Security Policy. Version 1 Revised Apr

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Information Security Incident Response and Reporting

Security and Privacy Breach Notification

Cybersecurity in Higher Ed

Red Flags/Identity Theft Prevention Policy: Purpose

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Identity Theft Prevention Policy

Red Flags Program. Purpose

Document No.: VCSATSP Restricted Data Protection Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Protection Policy

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

POLICY 8200 NETWORK SECURITY

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Virginia Commonwealth University School of Medicine Information Security Standard

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

HIPAA Compliance Checklist

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Document Title: PAYMENT CARD PROCESSING & SECURITY POLICY

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Frequently Asked Question Regarding 201 CMR 17.00

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

Post-Secondary Institution Data-Security Overview and Requirements

Regulation P & GLBA Training

Policies & Regulations

PTLGateway Data Breach Policy

The University of British Columbia Board of Governors

COMMENTARY. Information JONES DAY

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

IDENTITY THEFT PREVENTION Policy Statement

Complete document security

Information Security Data Classification Procedure

Policies and Procedures Date: February 28, 2012

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

DATA STEWARDSHIP STANDARDS

Putting It All Together:

Acceptable Use Policy

TERMS OF USE Terms You Your CMT Underlying Agreement CMT Network Subscribers Services Workforce User Authorization to Access and Use Services.

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

This regulation outlines the policy and procedures for the implementation of wireless networking for the University Campus.

Nebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015

Checklist: Credit Union Information Security and Privacy Policies

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

University of North Texas System Administration Identity Theft Prevention Program

HIPAA Privacy and Security Training Program

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Summary Comparison of Current Data Security and Breach Notification Bills

Keeping It Under Wraps: Personally Identifiable Information (PII)

Privacy Breach Policy

II.C.4. Policy: Southeastern Technical College Computer Use

Information Security Policy

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

RMU-IT-SEC-01 Acceptable Use Policy

Client Computing Security Standard (CCSS)

Policy. Policy Information. Purpose. Scope. Background

Customer Proprietary Network Information

State of Colorado Cyber Security Policies

OUTDATED. Policy and Procedures 1-12 : University Institutional Data Management Policy

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

Information Security Policy

Consolidated Privacy Notice

Overview of Presentation

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Cyber Security Program

Information Privacy Statement

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

Donor Credit Card Security Policy

Department of Public Health O F S A N F R A N C I S C O

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

Number: USF System Emergency Management Responsible Office: Administrative Services

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

STOCKTON UNIVERSITY PROCEDURE DEFINITIONS

Privacy Policy on the Responsibilities of Third Party Service Providers

Cellular Site Simulator Usage and Privacy

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

Transcription:

Effective Date: 01/01/2014 Page 1 of 7 REVISION HISTORY Revision No. Revision Date Authors Description of Changes 1.0 11/04/2013 CISO Populate Into Standard Template APPROVED BY This Policy is established for Policies pertaining to information technology by the approval signatures below. Name Title Signature Date Connie Barrera Executive Director, Information Security and Compliance Signature on file 12/04/2013 Tim Ramsay Chief Information Security Officer Signature on file 12/04/2013

Effective Date: 01/01/2014 Page 2 of 7 PURPOSE: Information Security exists to further the mission of the University. The University is comprised of large and diverse populations with evolving needs related to information technology resources and data. University management is committed to safeguarding those resources while protecting and promoting academic freedom. Although intrinsic tension exists between the free exchange of ideas and information security, and can manifest itself in some circumstances, the requirements that follow have been identified to promote the best balance possible between information security and academic freedom. This policy establishes a framework that outlines when encryption must be used to secure the University s data from risks including but not limited to, access, use, disclosure, and removal as well as to adhere to regulatory and compliance requirements. SCOPE: This policy applies to all electronic data stored on any media or system(s) throughout the University of Miami and applies to all individuals storing, accessing, or working with the data, in any way, including all University employees, students, contractors, guests, consultants, temporary employees, and any other users who may have access to University resources. DEFINITIONS: Data: Information stored on any electronic media throughout the University of Miami. Protected Data: Any data governed under Federal or State regulatory or compliance requirements such as HIPAA, FERPA, GLBA, PCI/DSS, Red Flag, and FISMA as well as data deemed critical to business and academic processes which, if compromised, may cause substantial harm and/or financial loss. o HIPAA: The Health Insurance Portability and Accountability Act of 1996 with the purpose of ensuring the privacy of a patient s medical records. o FERPA: The Family Educational Right and Privacy act of 1974 with the purpose of protecting the privacy of student education records. o FISMA: The Federal Information Security Management act of 2002 recognizes the importance of information security to the economic and national security interests of the United States and as a result sets forth information security requirements that federal agencies and any other parties collaborating with such agencies must follow in an effort to effectively safeguard IT systems and the data they contain. o GLBA: The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, contains privacy provisions requiring the protection of a consumer s financial information. o PCI/DSS: Payment and Credit Card Industry Data Security Standards is guidance developed by the major credit card companies to help organizations that process card

Effective Date: 01/01/2014 Page 3 of 7 payments prevent credit card fraud, hacking and various other security issues. A company processing card payments must be PCI compliant or risk losing the ability to process credit card payments. o Red Flag: A mandate developed by the Federal Trade Commission (FTC) requiring institutions to develop identity theft prevention programs. Cryptography: The science of radically changing information in order to conceal the content from a third party. Encryption Algorithm: A mathematical formula used to encrypt and decrypt data. External Email Recipients: Email recipients who are not part of a University maintained email system. Proprietary Algorithm: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government. One-way Hash Function: An algorithm that does not require a key and produces an irreversibly encrypted cipher-text. Other names for this are message digest, fingerprint, digital signature, and compression function. Personally Identifiable Information (PII): Any piece of information contained in Protected Data which can potentially be used to uniquely identify, contact, or locate a single person. Examples of PII include Protected Health Information, Credit Card Numbers, Social Security Numbers, etc. System Administrator: An individual who performs network/system administration duties and/or technical support of network/systems that are accessed by other people, systems, or services. Only full-time and permanent part-time employees of the University and/or third party vendors approved by IT may function as system/network administrators. Data Custodian: The person responsible for, or the person with administrative control over, granting access to an organization's documents or electronic files while protecting the data as defined by the organization's security policy or its standard IT practices. University: University refers to the University of Miami as a whole and includes all units. POLICY: The University of Miami requires that Protected Data be secured at all times. Therefore, University Protected Data must never be moved or copied outside of standard approved operating procedures. Data encryption:

Effective Date: 01/01/2014 Page 4 of 7 The University requires data be encrypted under the following circumstances: 1. Physically moving data: 1.1. University Protected Data must be encrypted when residing on any media. This includes but is not limited to: Laptops Desktops Backup media DVDs External hard drives, thumb drives, etc. Note: The list above applies to all devices, regardless of ownership, whenever they contain Protected Data. 2. Electronically transmitting data: 2.1. Protected Data must be encrypted when transmitted over an electronic communication network (internally and externally). 2.2. Email containing Protected Data destined for external email recipients must be encrypted and contain the following confidentiality statement: The information contained in this transmission may contain privileged and confidential information, including information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. 2.3. Protected Data shall not be sent through insecure public instant messaging networks. Examples of insecure instant messaging networks include, but are not restricted to, AOL Instant Messenger, Yahoo Messenger, MSN Messenger, and Google Talk. 3. System Administrators shall implement formal, documented processes for utilizing encryption and integrity controls on University Protected Data being transmitted over electronic communications networks. At a minimum, such processes shall include: 3.1. A procedure enabling Protected Data recipients to report instances of attempted or successful unauthorized access to University Protected Data that is transmitted over an electronic communications network. 3.2. A procedure for responding to instances of attempted or successful unauthorized access to University Protected Data that is transmitted over an electronic communications network.

Effective Date: 01/01/2014 Page 5 of 7 Encryption standards: The University requires all of the following minimum encryption criteria: 1. Standard encryption algorithms must be used. Some examples include: 3DES, Blowfish, RSA, RC5 and IDEA. 2. The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the Information Technology Security Department. 3. A one-way hash to encrypt data irreversibly must be used for: authentication information (e.g. passwords) integrity checksums, digital signatures 1. Key management must adhere to the following: Private keys must be kept confidential, Key management must be fully automated, Short life keys are to be used, ensured by having activation and deactivation dates, Long-life keys are to be used sparingly, Keys in storage and transit must be encrypted, Keys must be chosen randomly from entire key space, Keys for encrypting keys must be used separately from keys used for decrypting data. They are not interchangeable. Additional requirements for securing Protected Data: Where there are large amounts of Protected Data, supplemental measures need to be taken to further minimize the risk of loss. The amount of data that would constitute a large amount for these purposes will vary, depending on: the quantity and extent of the data records; how readily the data can be used to identify individuals; how serious the consequences would be for the university if the data were successfully stolen or publically released; and the legal duties, if any, to protect the information. Each academic or administrative unit possessing large amounts of Protected Data must publish policies explaining the data to be protected and what is meant by a large amount in that unit s context. (For additional guidance, see NIST-SP-800-122.) The unit s policy statement will also set forth the supplemental measures that will be taken to protect such data. These may include the use of dedicated non-networked computers, physical access

Effective Date: 01/01/2014 Page 6 of 7 limitations, multiple layers of passwords and/or pass phrases; biometric access control; and/or more frequent security audits and reviews. Mobile Devices are particularly vulnerable and should not be used for the storage of or access to large amounts of Protected Data. Where there is nevertheless a compelling academic or business reason to allow the use of a Mobile Device for that purpose, the Dean or Vice President in charge of the unit and the CIO will jointly determine what supplemental security measures are prudent given the quantity and sensitivity of the data. These measures will include, at a minimum, either (1) de-identification of the data to prevent information being tied to particular individuals or (2) at least two layers of access control, plus inspection of the device to verify that appropriate encryption software has been installed and activated. EXCEPTIONS: Any requests for exceptions to this policy must be submitted in writing and will be reviewed on a case by case basis. Exceptions shall be permitted only after written approval from the responsible Vice President or designee of the respective campus. The list of exceptions shall be reviewed annually and cancelled as required. IMPLEMENTATION: System Administrator/Data Custodian: Responsible for following the policy by encrypting data whenever required. Responsible for communicating any exception requests to the Vice President or Information Technology designee of the respective campus. Chief Information Security Office: Responsible for regular review of the. The review will occur annually or when significant changes occur. Responsible Vice President or CIO: Responsible for reviewing and approving or denying exception requests. Responsible for reviewing exceptions yearly. Responsible for monitoring the enforcement of the policy. SANCTIONS: Accounts and network access may be administratively suspended with or without notice by the University when, in the University's judgment, continued use of the University's resources may interfere with the work of others, places the University or others at risk, or violates University policy. Knowing violations of the policy will be addressed by disciplinary policies and procedures applicable to the individual.

Effective Date: 01/01/2014 Page 7 of 7 All known and/or suspected violations must be reported to the applicable Systems Administrator, who will report, as appropriate, to the applicable department.. All such allegations of misuse will be investigated by the appropriate University administrative office with the assistance of the Department of and the Department of Human Resources. Penalties may include: Suspension or termination of access to computer and/or network resources; Suspension or termination of employment, to the extent authorized by other university published policies and procedures; Suspension or termination of contract computer and/or network services; or Criminal and/or civil prosecution. OTHER APPLICABLE POLICIES: A050: System Administrator Policy POL-UMIT-A180-015-00 Mobile Computing Policy POL-UMIT-A190-016-00 Remote Access Policy POL-UMIT-A155-010-00 Information Security Policy POL-UMIT-A150-009-00 Hardware Decommissioning Policy POL-UMIT-A140-007-00 Cardholder Information Security Policy ENFORCEMENT: Chief Information Security Officer of designee (CISO) is Responsible for monitoring the enforcement of the policy.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback