POLICY TITLE:     Information Security Framework
POLICY #: IT - 18
DATE DRAFTED:01/02/03, 10/18/06 V2
DATE POSTED for Review: 10/18/06 V2, 3/12/07 V2.1    
APPROVED DATE: 05/28/08
REVISION DATE: 07/06/04, 10/18/07 V2, 03/12/07 V2.1, 08/08/13

BRIEF DESCRIPTION: The purpose of this policy is to identify and disseminate the University of Iowa’s framework and principles that guide institutional actions and operations in generating, protecting, and sharing confidential information.

Introduction | Policy ScopePrinciples | Related Policies | Policy Home

Introduction:
Information assets of the University of Iowa, in all its forms and throughout its life cycle, will be protected through information management policies and actions that meet applicable federal, state, regulatory, or contractual requirements and support the University of Iowa’s mission, vision, and values. The purpose of this policy is to identify and disseminate the University of Iowa’s framework and principles that guide institutional actions and operations in generating, protecting, and sharing institutional data.

Scope:
This policy applies to all institutional data owned by The University of Iowa. The Institutional Data Access Policy defines three sensitivity levels (low, moderate, and high) which categorize institutional data. Each faculty and staff member, trainee, student, vendor, volunteer, contractor, or other affiliate of the University of Iowa with access to institutional data is subject to and has responsibilities under this policy.

Principles
Roles

Responsibility for The University of Iowa’s comprehensive enterprise information security program is delegated to the groups and individuals as defined in the Roles and Responsibilities for Information Security Policy.
Information Assessment and Classification
Business Owners will assess risks and threats to data for which they are responsible, and accordingly classify and oversee appropriate protection of institutional data as described in the Institutional Data Access Policy.
Information Access 
Physical and electronic access to institutional data must be controlled. The level of control will depend on the classification of the data and the level of risk associated with loss or compromise of the information. Data handling requirements are outlined in the Institutional Data Access Policy.
Physical Access Control    
Electronic Access Control
Access control will be regulated by the following University of Iowa Policies:  University Login ID Standard, Enterprise Authentication, and the Enterprise Password Policy. In addition,
Secondary Use
An authorized user of Level I & II data may re purpose the information for another reason or a new application when it is authorized by the Business Owner. Secondary use or re purposing of Level III data is prohibited.
External Data Sharing
Level II & III data will be shared outside the University of Iowa as allowed by Iowa Open Records Law, FERPA restrictions, or Non-UI Project or study participants.  Level III data, specifically Protected Health Information (PHI) data will be shared based on HIPAA Business Associate Agreements.
Access to Data for Automated Operations (Generic, Scheduled, or Task Initiated Access)
Generic access to information stored in databases is allowed only for non-interactive tasks. A non-interactive task is one that is scheduled to run automatically or one that is triggered by a series of events. It is automatically initiated, and the output is automatically handled by software. This includes automatic downloads and other linkages for data transfer.
Systems administered by contractors
An on-site Data Custodian must be identified to oversee administrative duties performed by contractors to ensure their compliance with security policies and standards. Contractor activities will be controlled and monitored as follows:
 Audits
Communication Security
Institutional data transmitted outside the organization requires additional safeguards. The security provisions employed will depend upon the identified risk and threats, regulatory requirements, and the technical mechanisms available.
Information Integrity Controls  
Information must remain consistent, complete and accurate. Integrity errors and unauthorized or inappropriate duplications, omissions and intentional alterations will be investigated and reported to the Business Owner of the affected data.
Separation of duties and functions
Tasks involved in critical business processes must be performed by separate individuals. Responsibilities of programmers, system administrators and database administrators must not overlap, unless authorized by the Business Owner of the data.
Systems and Application software
Change controls
A system for change control management must be implemented for systems handling Level II & III institutional data, to monitor and control hardware and software configuration changes. Change control includes documentation of change requests, approvals, testing, and final implementation.
Anti-Malware controls
Preventive Measures, Backup and Recovery 
Processes are necessary to prevent loss of vital information, to provide backup and recovery, and provide continuous operation consistent with the business needs of the institution.
Mobile Devices
Mobile devices present a challenge to securing sensitive data. Lost or stolen devices must be protected from theft, unauthorized access and sensitive data disclosure.
Data Disposal
Proper data disposal is essential to controlling sensitive data. Media or devices containing sensitive information transferred between departments or removed from service must be properly erased, as described in the Computer Data and Media Disposal Policy.
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contain acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm)