5.3 Institutional Data Security & Protection Policy
Purpose
The purpose of this policy and accompanying procedures and resources is to ensure the protection of the College’s institutional data from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving the ability of authorized users to access and use institutional data for appropriate College purposes.
Scope & Applicability
This security policy applies to all computing platforms, networks, systems, and applications used to process Bucks County Community College institutional data. The policy also applies to enterprise-level operational and administrative institutional data as well as data sets containing these data and systems that may access these data. The policy applies regardless of the environment, media, or device where the data reside or are used and regardless of how the data may be transmitted. It also applies regardless of the form the data may take or the data presentation format. Specific covered types of institutional data are listed in Appendix A, Institutional Data Types and Associated Data Trustees.
This policy also applies to all extracts of covered institutional data, feeds of these data from enterprise systems, and data maintained within so-called shadow or secondary database systems whether derived from enterprise systems or collected or assembled directly by College units.
This policy applies to all College community members, whether students, faculty, staff, or agents, who have access to College institutional data. It also applies to all College units and their agents and contractors. In addition, to the extent possible, it applies to any person or organization, whether affiliated with the College or not, in possession of College institutional data. Any person or group accessing College information must recognize their responsibility to preserve the security and confidentiality of this information. Such information shall be used only for conducting College business or as appropriately authorized.
All College employees and their supervisors are responsible for understanding and complying with this policy as well as all laws, rules, standards, contracts and licenses applicable to their own and their subordinates’ specific uses of institutional data.
Institutional Data
Institutional data is defined as all data created, collected, maintained, recorded or managed by the College, its staff, and agents working on its behalf. It includes data used for planning, managing, operating, controlling, or auditing College functions; and data used for College reporting as well as research data that contains personally-identifiable subject information, or proprietary College information.
The College’s institutional data will be assigned one of three classifications based on data criticality and required confidentiality:
- Public – Data intended for broad distribution in support of the College’s missions or freely available to any person or organization with no restrictions. Examples: high-level enrollment statistics, course catalog, current budget, financial statements, and data on web sites intended for the general public.
- Limited Access – Data available internally but whose integrity must be carefully maintained; this classification is the default and includes all data in the enterprise-level administrative systems, such as date of birth, ethnicity, and purchasing information. Data stewards may identify data elements in this category which require additional specific authorization when the data’s unauthorized disclosure, alteration, or destruction will cause perceivable damage to the College or individuals.
- Restricted – Data protected or regulated by law or critical to College operations including sensitive personal information protected by law such as Social Security Numbers, proprietary information and trade secrets. The highest levels of protection should apply, both internally and externally, due to the risk or harm that may result from disclosure or inappropriate use. Failure to adequately protect this information may result in identity theft or place the College in non-compliance with numerous federal and state regulations.
Data Access Roles
College community members act in one of the following roles when collecting, maintaining, accessing or using institutional data and must understand and fulfill the responsibilities associated with their roles. The responsibilities of these roles are further described in the policy appendix.
- Data Trustees - Senior College officials or their designees with planning and management responsibility for defined segments of institutional data within their functional areas.
- Data Stewards - College officials having direct operational-level responsibility for the management of one or more types of institutional data.
- Data Custodians - Computer system administrators responsible for the operation and management of systems and servers which collect, manage, and provide access to institutional data.
- Data Users - College units or individuals who have been granted access to institutional data in order to perform assigned duties.
Data Classification & Safeguards
Data Stewards must implement a formal data classification process for institutional data under their stewardship. This process must assess the criticality and required confidentiality of data elements, as well as the risk of exposure or loss.
Data Stewards and Data Custodians are responsible for identifying and implementing safeguards for Restricted Data based on information security best practices, applicable law, industry standards and College policy, while working in cooperation with the IT Security Officer and other appropriate individuals in the Division of Information Technology Services. When multiple Data Stewards share responsibility for the same restricted data element, these Data Stewards must work together to implement a common set of safeguards.
The specification of data as restricted should include reference to the legal or externally imposed constraint that requires this restriction, the categories of users typically given access to the data, and under what conditions or restrictions access is typically given.
Data Stewards are responsible for communicating and providing education on the required minimum safeguards for protected data to authorized end users and data custodians. Examples: social security numbers, data protected by law and industry standards, credit card information, security data, and all data exempt from disclosure under Pennsylvania’s Public Records Laws unless the exemption is waived by the College.
Data Access Control
Data Stewards must work with Data Custodians to develop and implement procedures for requesting and maintaining access to institutional data. These procedures shall be developed taking into account the risk associated with the specific data and/or system being accessed. The following minimum standards must be incorporated into the individual data access procedures for systems and facilities containing Restricted and Limited Access data:
- Anyone with access to Restricted or Limited Access data shall have unique and individual user credentials such as a user id and password.
- Access shall be deactivated after a period of inactivity not to exceed twelve months.
- Separated employees shall lose access as of their separation date.
- The data access request process shall be formalized and auditable. The request process must include appropriate approvals, a description of the specific data requested, the level of access requested (read, write), and the purpose for accessing the data. Data access requests should be maintained in order to support the need to audit data access permissions throughout the complete data access lifecycle (account/access creation through termination).
- Once data access is approved for a Data User or Data Custodian, Data Stewards are responsible for providing the following information specific to the data being requested: 1) data documentation and usage guidelines, 2) the data classification scheme including information on associated state and federal regulations, and 3) required minimum safeguards for protected data.
- A robust authentication process in compliance with College computer security standards and consistent with the level of risk associated with unauthorized access is required for access to all Limited Access and Restricted data.
- Data access processes, procedures and authorizations must be reviewed on an annual basis by each Data Steward to ensure that access remains appropriate.
- Data Custodians must monitor user access and logins to assure that only those approved are accessing the data as authorized.
- Data Trustees, Data Stewards, Data Custodians or specific College units may have additional procedures for institutional data within their areas of operational or administrative control. Consult your supervisor, unit management, or the appropriate Data Trustee, Data Steward, or Data Custodian for further information.
Data Breaches
Breaches, losses, or unauthorized exposures of restricted data must be immediately reported to the Vice President, Information Technology Services and CIO, and the IT Security Officer and handled in accordance with College policy and procedures related to disclosure or exposure of personal information, as well as legal requirements imposed upon the College in the event of such disclosures. Loss or theft of College computer equipment or mobile devices must also be reported to the Office of Security and Safety. College community members must also report actual or suspected criminal activity associated with any such incident to the Office of Security and Safety, or, if off campus, other appropriate law enforcement agencies.
Restricted Data Storage & Data Loss
The College does not permit storage of any Restricted data on any computer or network-attached device that has not been explicitly approved by the VP, Information Technology Services or his/her designee. Secure means, such as encryption and strong passwords, must be utilized to transmit and store Restricted data. Email is not a secure means to deliver information, and consequently should not be used to transmit Restricted data without proper encryption, passwords, or other security measures.
Violations
Violation of any provision of this policy may result in:
- limitation of an individual's access to some or all College systems;
- initiation of legal action by the College including, but not limited to:
- disciplinary sanctions, including termination, in accordance with College policy or
- criminal prosecution under appropriate State and Federal laws or
- requirement of the violator to provide restitution for any improper use or service.
Appendices
Appendix A: Institutional Data Types & Associated Data Trustees
Institutional Data Segment Type | Data Trustee |
---|---|
Budget | Vice President for Administrative Affairs |
Financial (General Ledger, Procurement, Accounts Payable) | Vice President for Administrative Affairs |
Student Billing and Accounts Receivable | Vice President for Administrative Affairs |
Facilities and Space Management | Vice President for Administrative Affairs |
Equipment and Asset Management | Vice President for Administrative Affairs |
Payroll | Vice President for Administrative Affairs |
Human Resources (including Compensation and Benefits) | Vice President for Administrative Affairs |
Student Records | VP Student Enrollment & Planning |
Student Admissions | VP Student Enrollment & Planning |
Student Financial Aid | VP Student Enrollment & Planning |
Campus Life | Provost |
Student Health | Provost |
Disability Services | Provost |
BucksID | VP Student Enrollment & Planning |
Counseling | Provost |
Academic Catalog and Curricular Records | Provost |
Health and Criminal Background Records | Provost |
Advising | Provost |
Learning Management | Provost |
Library Records | Provost |
Tutoring Records | Provost |
Faculty Advising Records | Provost |
Continuing Education Student Records | VP Student Enrollment & Planning |
CE Admissions & Certification Programs | VP Student Enrollment & Planning |
CE Bucks Student ID | VP Student Enrollment & Planning |
CE Catalog and Curricular Records | VP Student Enrollment & Planning |
Telecommunications and Networking | VP Technology/CTO |
Alumni and Donations | Executive Director BCCC Foundation |
Note: Instances of some data types, for example sensitive personal items such as Social Security Numbers, may be covered by multiple data trustees depending on the context of collection and use.
Appendix B: Information Security Responsibilities
The Vice President, Information Technology Services & CIO, by providing leadership to College information technology functions, is responsible for ensuring that Bucks County Community College has adequate information security and that this policy is observed.
The IT Security Officer, as designated by the CIO, has responsibility for developing procedures in conjunction with the policy, communicating the policy and related practices, and monitoring its compliance. The IT Security Officer coordinates the standards, procedures, and guidelines necessary to administer access to College information resources. The IT Security Officer works in conjunction with information resource owners, system and database administrators, and functional users to protect these resources.
All institutional data is the property of Bucks County Community College, unless otherwise stated in a contractual agreement.
Appendix C: Data Role Responsibilities
Data Trustees work with the Vice President, Information Technology Services and CIO to ensure that the appropriate resources (staff, technical infrastructure, etc.) are available to support the data needs of the entire College. Data Trustee responsibilities include:
- Assigning and overseeing Data Stewards.
- Overseeing the establishment of data policies in their areas.
- Determining legal and regulatory requirements for data in their areas.
- Promoting appropriate data use and data quality.
Data Steward responsibilities include:
- Developing and maintaining data classification procedures.
- Developing, implementing, and managing data access procedures.
- Ensuring that data quality and data definition standards are developed and implemented.
- Interpreting and assuring compliance with Federal, State and College policies and regulations regarding the release of, responsible use of, and access to institutional data.
- Coordinating and resolving stewardship issues and data definitions of data elements that cross multiple functional units.
- Developing, implementing, and maintaining a Business Continuity Plan for institutional data under their control.
- Providing communications and education to data users on appropriate use and protection of institutional data.
- Developing, implementing, and communicating record retention requirements to the College community.
If a Data Steward’s responsibility includes Restricted data such as Social Security Numbers, the Data Steward must also work with other Data Stewards and Data Custodians with similar responsibilities to:
- Review and approve Restricted data usage and use requests.
- Ensure that individuals with visibility to Restricted data have completed required training and have agreed to confidentiality statements.
- Perform periodic reviews to ensure continued compliance with this policy.
Data Custodian responsibilities include:
- Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody.
- Complying with applicable College computer security standards.
- Maintaining Disaster Recovery plans and facilities appropriate to business needs and adequate to maintain or restart operations in the event systems or facilities are impaired, inaccessible, or destroyed.
- Managing Data User access as prescribed and authorized by appropriate Data Stewards.
- Following data handling and protection policies and procedures established by appropriate Data Stewards.
- Complying with all federal and state laws, regulations, and policies applicable to the institutional data in their custody.
College units that develop databases and/or systems from institutional data sources and then provide access to this data to other users are considered Data Custodians. These Data Custodians must be authorized by the appropriate Data Steward, approved to further redistribute institutional data, and must implement the minimum required safeguards for the source data as prescribed by the Data Steward.
The Data User’s responsibilities include:
- Following the policies and procedures established by the appropriate Data Stewards.
- Complying with federal and state laws and regulations as well as College policies, procedures, and standards associated with the institutional data used.
- Using institutional data only as required for the conduct of College business within the scope of employment.
- Implementing safeguards prescribed by appropriate Data Stewards for Limited Access and Restricted Data.
- Ensuring the appropriateness, accuracy, and timeliness of institutional data used for the conduct of College business.
- Reporting any unauthorized access, data misuse, or data quality issues to the appropriate Data Steward for remediation.
- Accepting and completing the confidentiality statement yearly if access includes Restricted data.