Managing University Data
The classification of data on campus is important to a number of business processes.
In the event of a disaster, data classified in their respective levels are brought back up online using the appropriate controls and in a timely manner.
See the Disaster Recovery and Business Continuity Planning Tool resource for more information on managing and maintaining effective business recovery tools.
Likewise if a system is infected with any malware the appropriate level of controls and management will be engaged and applied, commensurate with the level of sensitivity the data on the compromised system has. Level III data disclosures may need to be publicly disclosed in addition to notifying the sponsoring federal agencies, if grant based. Click the Procedures on Handling a System Compromise link for additional information.
Local State and Federal regulations in addition to industry standards require systems processing protected data to be controlled appropriately. Classification of the intended data types aids this effort.
Export Controls Policies list types of industry standards or regulations relating to the restricted (Level III) data research entities create to ensure that the data is appropriately controlled.
All university managed devices which store or process critical data need to utilize centralized endpoint software capable of identifying and, if necessary, containing individual systems automatically.
Systems incapable of installing and running the centralized endpoint software should have a registered exception on file - https://workflow.uiowa.edu/form/ispo-exceptions.
Departmental and or research units looking to provision systems to begin business operations will have a good working idea of what costs and or savings are involved, and budget accordingly.
Data Handling Requirements in the Institutional Data Access Policy
This document describes the minimum requirements for protecting systems based on the type of data they hold.
Having a working idea of what types of data exist and how each needs to be protected will allow the Business Owners, Data Custodians and End Users to work responsibly and protect the data accordingly.
Knowing how to classify and protect institutional data is important information to have when
1. Considering/ building new processes involving critical data.
2. Looking to utilize third-party applications and storage solutions.
3. Managing and maintaining critical data across mobile endpoints.
The Security Policy describes the administrative roles campus staff assume to manage and protect their data through out its various life-cycles.
Whilst not exhaustive, if your role with the university involves working with restricted data, bookmark and reference the information below to guide decisions when thinking of storing and transferring restricted data.