Policy Number: IT-18

Date Drafted: 01/02/2003
Approved Date: 05/28/2008
Approved Date: 04/09/2019
Reviewed Date: 09/27/2023

Introduction

Information assets of the University of Iowa, in all their forms and throughout their life cycle, will be protected through information management policies and actions that meet applicable federal, state, regulatory, or contractual requirements and support the University of Iowa’s mission, vision, and values. The purpose of this policy is to identify and disseminate the University of Iowa’s framework and principles that guide institutional actions and operations in generating, protecting, and sharing institutional data.

Scope

This policy governs management of devices, resources, and user access to University owned equipment and institutional data. The Institutional Data Policy defines and classifies four sensitivity levels (public, internal, restricted and critical) to categorize institutional data. All sensitivity levels other than “public” may be described collectively as “non-public” data.  Each faculty, staff, student, contractor, or affiliate of the University of Iowa with access to institutional data is subject to and has responsibilities under this policy.

Principles

  • The University of Iowa is committed to ensuring the security and confidentiality of institutional data is maintained at all times, and that institutional data is only accessed appropriately. 
  • Users are individually responsible for any breaches that occur as a direct result of non-compliance. 
  • Access to non-public institutional data may only be granted to Authorized Users on a need to know basis. The Data Steward of any non-public institutional data, as defined below, must approve and verify Authorized User access.
  • Users who access data for which they are not authorized and/or commit breaches of confidentiality may be subject to disciplinary action up to and including discharge, termination of contract/relationship, and/or liability to civil and criminal penalties.
  • Authorized Users shall be provided training on the expectations, knowledge, and skills related to information security.
  • Authorized Users must maintain the confidentiality of all non-public institutional data even if technical security mechanisms fail or are absent. A lack of security measures to protect the confidentiality of information does not imply that such information is public.
  • Authorized Users are responsible for enforcing security controls whenever they place institutional data onto non-university-managed devices or services. Data Trustees of institutional data assets are responsible for appointing Data Custodians.
  • All users’ access to UI owned or managed digital and or physical assets will comply with applicable standards, controls, and regulations (e.g., PCI-DSS, FERPA, HIPAA, GLBA, FISMA, ITAR, GDPR, etc.).
  • Non-compliance shall be reported to the Chief Information Security Officer.

Roles and Responsibilities for Information Security

Responsibility for The University of Iowa’s comprehensive enterprise information security program is delegated to the groups and individuals as defined below.  Note that an individual may function within more than one role (e.g., a network security contact for one unit may be an authorized user of data within another unit).

University Level Roles:
Data Trustee
Information Risk and Policy Council (IRPC)
Chief Information Security Officer

Unit Level Roles:
Data Steward
Network Security Contact
Data Custodian
Authorized User

University Level Roles

Data Trustee

The enterprise vice-president or Org-level executive having policy-level responsibility and authoritative decision making for a particular set of information assets. The Data Trustee will:

  1. Establish standards for business use of information.
  2. Assign administrative responsibility to Data Stewards.
  3. Monitor compliance and periodically review violation reports.
Information Risk and Policy Council (IRPC)

The Information Risk and Policy Council is responsible for governance and oversight of the enterprise information security program. The IRPC will:

  1. Analyze and manage institutional risks.
  2. Review and recommend policies, procedures, and standards.
  3. Ensure consistency in disciplinary processes for violation.
Chief Information Security Officer

The official responsible for directing implementation of the enterprise information security program. The Chief Information Security Officer will:

  1. Coordinate the development and maintenance of information security policies and standards.
  2. Investigate security incidents and coordinate their resolution as defined in the Network Vulnerability Assessment & Incident Response Policy.
  3. Advise Data Stewards in classifying their data and recommend available controls as defined in the Institutional Data Policy.
  4. Implement an information security awareness program.
  5. Serve as liaison to the IRPC, Law Enforcement, Internal Audit, and University Legal Services.
  6. Provide consulting services for information security throughout the enterprise.

Unit Level Roles

Data Steward

The senior official within a college or departmental unit (or his/her designee) accountable for managing information assets. The Data Steward will:

  1. Approve business use of information.
  2. Identify Data Custodian(s) (see below) for each segment of information under his/her control.
  3. Ensure implementation of policies, and documentation of process and procedures for guaranteeing availability of systems, including:
    • Risk assessment
    • Disaster recovery
    • Business Continuity
    • Software testing and revision controls
  4. Determine appropriate classification of each segment of data as described in the Institutional Data Policy. 
  5. Define departmental access roles and assign access for individuals based on their business need to know.
  6. Ensure that all department/unit personnel with access to information assets are trained in relevant security and confidentiality policies and procedures.
  7. Ensure applicable protection of health information assets under his/her control, including:
    • Register all health information assets containing individually identifiable health information (e.g., Protected Health Information, or "PHI") in any medium with the University HIPAA Privacy Officer.
    • Ensure that validated corrections to health information are implemented.
    • Ensure compliance with federal and state laws and University policy regarding the use of individually identifiable health information in directed communication or solicitation.
    • Require the completion of an information sharing agreement before access to health information assets is granted to external entities.
    • Ensure similar, applicable protection for non-health information assets.
Network Security Contact (NSC)

The individual within a unit who acts as a liaison for timely and relevant information flow between central networking and IT security personnel and the unit. 
The NSC will:

  1. Receive vulnerability reports for unit computer systems and disseminate such information to appropriate technical staff for resolution.
  2. Receive network alerts, outage notifications, or other networking issues affecting the unit and disseminate such information to appropriate staff.
  3. Coordinate unit response to computer security incidents.
Data Custodian

Functional or technical user that has operational responsibility for the capture, maintenance, and dissemination of a specific segment of information, including the installation, maintenance, and operation of computer hardware and software platforms. The data custodian may or may not be IT staff. 
The Data Custodian will:

  1. Define and implement processes for assigning User access, revoking User access privileges, and setting file protection parameters.
  2. Implement system protection, data protection and access controls conforming to the Institutional Data Policy.
  3. Define and implement procedures for backup and recovery of information.
  4. Ensure processes are in place for the detection of security violations.
  5. Monitor compliance with information security policy and standards.
  6. Limit physical and logical access to information assets, including:
    • Equipment control (inventory and maintenance records), and physical security of equipment (e.g., locks, HVAC).
    • Authorization procedures prior to physical access to restricted areas, such as data centers, with sign-in or escort of visitors, as appropriate.
    • Implement a system for software change management and revision controls.
      Maintain appropriate internal audit, which record system activity such as log-ins, file accesses, and security incidents.
      Maintain records of those granted physical access to restricted areas (e.g., key card access lists).
    • Provide appropriate handling and physical protection for health information assets
    • Ensure operation and maintenance personnel are given access only as necessary to perform system maintenance responsibilities. Ensure authorized University staff supervise all external personnel performing maintenance activities.
    • Some of the above requirements may be delegated to others, when hosting within an institutional data center or when in the cloud.  The data custodian will take appropriate steps to monitor these delegated requirements.
Authorized User

Individuals who have been granted access to information assets in the performance of their assigned duties are considered Authorized Users ("Users"). Users include, but are not limited to: faculty and staff members, trainees, students, vendors, volunteers, contractors, or other affiliates of the University of Iowa. 
Authorized Users will:

  1. Seek access to data only through established authorization and access control processes.
  2. Access only that data for which they have a business need to know to carry out job responsibilities.
  3. Disseminate data to others only when authorized by the Data Steward.
  4. Report access privileges inappropriate to job duties to the Data Steward for correction.
  5. Complete training in information security and confidentiality policies and procedures.
  6. Acknowledge or sign annual confidentiality statements for access to restricted and critical data.
  7. Perform all responsibilities necessary to protect data when placing institutional data on personally owned or managed devices.
Separation of duties and functions

Tasks involved in critical business processes must be performed by separate individuals. Responsibilities of developers, system and database administrators must not overlap, unless authorized by the Data Steward.

Information Assessment and Classification

Data Stewards will assess risks and threats to data for which they are responsible, and accordingly classify and oversee appropriate protection of institutional data as described in the Institutional Data Policy.

Information Access

Physical and electronic access to institutional data must be controlled. The level of control will depend on the classification of the data and the level of risk associated with loss or compromise of the information. Data handling requirements are outlined in the Institutional Data Policy.
Procedures must be documented for the timely removal of access to systems, services and accounts, including return of institutionally owned materials (e.g., keys, ID Cards), for employees, affiliates and contractors.

Technology Evaluation and Procurement

All technology must be reviewed via the campus Technology Review Process prior to acquisition.

External Data Sharing

All non-public data shared or placed outside the University of Iowa’s control are subject to University Policy, as well as external regulations and controls.  For example, Protected Health Information (PHI) will only be shared based on HIPAA Business Associate Agreements.

Institutional data transmitted outside the organization requires additional safeguards. The security provisions employed will depend upon the identified risk and threats, regulatory requirements, and the technical mechanisms available.

  • The Data Steward is responsible for making decisions regarding appropriateness of external transmission and access to institutional data.
  • Sharing PHI externally requires the completion of a HIPAA Business Associate Agreement unless the communication is authorized for the purpose of treatment, payment or health care operations.  Sharing other non-public data may have similar contract requirements.
  • The Chief Information Security Officer will review and approve technical security mechanisms and services for remote access and external transmission of non-public institutional data.
  • Critical or restricted data transmitted and exchanged over open networks such as the public Internet or outside of the UI managed network must be encrypted and include strong authentication.
  • Encryption must be employed for all external transmissions of critical or restricted institutional information via electronic mail, except as authorized by the subject of the data.
  • University owned mobile devices (such as laptops, tablets and external storage devices) must utilize full disk encryption.
Information Integrity Controls

Information must remain consistent, complete and accurate. Integrity errors and unauthorized or inappropriate duplications, omissions and intentional alterations will be investigated and reported to the Data Steward of the affected data.

Change Management

1. System and Application software

  • System and application software must be tested before installation in a production environment.
  • System and application software must be protected from unauthorized changes.
  • System and application updates must be applied in a timely manner, commensurate with the risk associated with the addressed vulnerability.

2. Change controls

Change control management must be implemented for systems handling non-public institutional data, to monitor and control hardware and software configuration changes. Change control includes documentation of change requests, approvals, testing, and final implementation.  Change control management is required for both physical hardware as well as cloud services.

3. Anti-Malware controls

  • All systems connected to the network or handling non-public institutional data will have malware protection where technologically feasible.
  • The most recent version of anti-malware software must be implemented and maintained with daily malware definition updates. 
  • All anti-malware titles must be approved by the Information Security and Policy Office.

4. Mobile Device Security

Mobile devices present a unique challenge to securing sensitive data. Lost or stolen devices must be protected from unauthorized access and sensitive data disclosure.

  • Mobile devices containing institutional data must be kept in a secure location when not in use, and the device must be access controlled with a password or similar control.
  • Full disk encryption is required for university-owned mobile devices (e.g. laptops, tablets) unless the device meets criteria for an exception.  Personally-owned mobile devices must employ full disk encryption if critical or restricted institutional data is authorized to be stored locally.
  • Authorized Users must choose University approved storage services over externally attached storage devices (such as USB flash drives) whenever possible, to minimize the risk of lost or stolen devices and institutional data.  
  • For Departments that routinely handle critical and restricted data:
    • All external storage devices must be encrypted prior to writing institutional data
    • Ability to write data to an external storage device will be restricted to authorized computers
    • All client computers (desktop and mobile) will utilize full disk encryption
  • For Departments that do not routinely handle critical and restricted data:
    • External storage devices must be encrypted prior to writing critical and restricted institutional data
    • Client computers (desktop and mobile) are recommended to utilize full disk encryption
  • Additional requirements may apply for devices traveling outside the U.S.

Preventive Measures, Backup and Recovery 

Processes are necessary to prevent loss of vital records (Records Retention), to provide backup and recovery, and provide continuous operation consistent with the business needs of the institution.

  • Prevention: Annual testing of preventive methods as they apply to fire, utility services and other environmental hazards must occur.
  • Backup: Institutional data must have sufficient backup and be fully recoverable.  Responsibilities are described for the regular backup and safe recovery of systems.  Backups containing non-public data should be encrypted.
  • Emergency Mode of Operation: Alternate modes of operation, that may include manual methods, must be documented to ensure continuity of critical services in the event a natural disaster, fire, act of vandalism, or act of terrorism occurs.
  • Disaster Recovery Planning: All data centers and computerized systems critical to the University of Iowa must have written and tested disaster recovery plans. Data Stewards will prioritize the recovery of services, applications and associated databases to ensure critical services are recoverable in a timely fashion.

Data Disposal

Proper data disposal is essential to controlling sensitive data. Remove sensitive information on all media or devices leaving the control of the department, as described in the Institutional Data Policy.

References and Attachments:

This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.

These policies and procedures are incorporated into the University of Operations Manual (http://opsmanual.uiowa.edu) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources)

Institutional Data Policy

Computer Data and Media Disposal Training

Enterprise Authentication, Authorization, and Access Policy

Requests for an exception to IT Policies & Standards can be submitted via the webform link here: Request a Security Exception