Information assets of the University of Iowa, in all its forms and throughout its life cycle, will be protected through information management policies and actions that meet applicable federal, state, regulatory, or contractual requirements and support the University of Iowa’s mission, vision, and values. The purpose of this policy is to identify and disseminate the University of Iowa’s framework and principles that guide institutional actions and operations in generating, protecting, and sharing institutional data.
This policy applies to all institutional data owned by The University of Iowa. The Institutional Data Access Policy defines three sensitivity levels (low, moderate, and high) which categorize institutional data. Each faculty and staff member, trainee, student, vendor, volunteer, contractor, or other affiliate of the University of Iowa with access to institutional data is subject to and has responsibilities under this policy.
- Access to University of Iowa Level II and Level III data may only be granted to Authorized Users on a need-to-know basis. The Business Owner of the data as defined in the Roles and Responsibilities for Information Security policy must approve and verify such access.
- All Authorized Users shall receive education on the expectations, knowledge, and skills related to information security.
- Every user must maintain the confidentiality of Level II & III institutional data even if technical security mechanisms fail or are absent. A lack of security measures to protect the confidentiality of information does not imply that such information is public.
- If an Authorized User elects to place institutional data onto personally owned or University owned and personally managed media, laptops, USB keys, or storage devices or maintains a personal database, s/he is responsible for ensuring that its security, confidentiality, and integrity are maintained in accord with this policy.
- The User is personally responsible for any breaches that occur as a result of his/her actions.
- A Data Custodian must be identified by the Business Owner for all institutional data as defined in the Roles and Responsibilities for Information Security policy. A Data Custodian is the person responsible for capture, maintenance, protection, and dissemination of institutional data.
- Everyone has an obligation to report instances of non-compliance to the Chief Information Security Officer.
- Users who access data for which they do not have a need to know and/or commit breaches of confidentiality may be subject to disciplinary action up to and including discharge, termination of contract/relationship, and/or liability to civil and criminal penalties.
- Everyone must comply with all applicable industry standards and federal and state regulations and controls (e.g., PCI-DSS, FERPA, HIPAA, GLBA, FISMA, etc.) governing the access and use of data.
Responsibility for The University of Iowa’s comprehensive enterprise information security program is delegated to the groups and individuals as defined in the Roles and Responsibilities for Information Security Policy.
Information Assessment and Classification
Business Owners will assess risks and threats to data for which they are responsible, and accordingly classify and oversee appropriate protection of institutional data as described in the Institutional Data Access Policy.
Physical and electronic access to institutional data must be controlled. The level of control will depend on the classification of the data and the level of risk associated with loss or compromise of the information. Data handling requirements are outlined in the Institutional Data Access Policy.
Physical Access Control
- All devices with Level II & III institutional data and all mobile devices must be kept in a physically secure (locked) location when staff are not present.
- The level of physical access control for any area that contains institutional data is determined by the level of risk and exposure. Data centers and other locations where Level II & III data is housed must be protected at all times by physical access controls such as keys, biometrics or proximity cards.
- Physical access to data centers or any area with Level III data must be monitored and logged through an electronic logging or tracking mechanism. Visitors and other maintenance personnel must be escorted by authorized operations staff when in a data center.
- Media (e.g., paper records, digital devices and peripherals) that contains Level III data must be secured during transportation and disposal.
Electronic Access Control
- For Level II & III data, criteria must be established by the Business Owner for account eligibility, creation, maintenance, and expiration.
- Access to Level III data must be individually authorized by the Business Owner and an annual confidentiality agreement must be acknowledged or signed by all authorized users.
- Data Custodians must periodically review user privileges and modify, remove, or inactivate accounts when access is no longer required.
- Procedures must be documented for the timely revocation of access privileges and return of institutionally owned materials (e.g., keys, ID cards) for terminated employees and contractors.
- Inactivity time-outs must be implemented, where technically feasible, for workstations that access Level III data. The period of inactivity shall be no longer than 20 minutes in publicly accessible areas.
An authorized user of Level I & II data may repurpose the information for another reason or a new application when it is authorized by the Business Owner. Secondary use or repurposing of Level III data is prohibited.
External Data Sharing
Level II & III data will be shared outside the University of Iowa only as allowed by the Iowa Open Records Law, FERPA restrictions, or arrangements with non-UI project or study participants. Level III data, specifically Protected Health Information (PHI), will only be shared under HIPAA Business Associate Agreements.
Access to Data for Automated Operations (Generic, Scheduled, or Task Initiated Access)
Generic access to information stored in databases is allowed only for non-interactive tasks. A non-interactive task is one that is scheduled to run automatically or one that is triggered by a series of events. It is automatically initiated, and the output is automatically handled by software. This includes automatic downloads and other linkages for data transfer.
- Requests for generic access to information stored in databases for automated operations are made to the Business Owner, and if approved, will be executed by the Data Custodian.
- Generic account passwords must be protected from unauthorized disclosure. Hard-coded passwords that reside on a client machine or in an application must be reasonably protected (i.e., encrypted), commensurate with risk and the available platform or application security features.
- Information access via generic accounts must be limited to the specific task required.
Systems administered by contractors
An on-site Data Custodian must be identified to oversee administrative duties performed by contractors to ensure their compliance with security policies and standards. Contractor activities will be controlled and monitored as follows:
- Contractor user accounts must not allow more system or network privileges than necessary to meet contract requirements.
- Secure authentication of contractors is required.
- Logging and auditing of system accesses and activity is required.
- Contractors will be required to sign a confidentiality agreement before handling any Level II or III institutional data.
- Data Custodians must be able to audit logins to Level II institutional data, and logins, accesses, and changes to Level III institutional data.
- Audit log records shall be kept a minimum of three months, or as defined by specific regulations pertaining to the data. The Business Owner and/or Data Custodian shall periodically review the audit records for evidence of violations or system misuse. An investigation must be conducted if unauthorized access, login, or changes are identified.
- All authorized users shall be notified that access, login, and change audits will be conducted for Level III institutional data. If evidence of improper data access is discovered, it may result in disciplinary action.
- The location of computer systems containing Level III institutional data, including but not limited to Social Security Numbers, Credit Card Numbers, and Protected Health Information, must be registered with the Information Security and Policy Office. (See how to register your system via the USR link in the Related Policies, References and Attachments section below.)
Institutional data transmitted outside the organization requires additional safeguards. The security provisions employed will depend upon the identified risk and threats, regulatory requirements, and the technical mechanisms available.
- The Business Owner is responsible for making decisions regarding appropriateness of external transmission and access to institutional data.
- Externally sharing PHI requires the completion of a HIPAA Business Associate Agreement unless the communication is authorized for the purpose of treatment, payment or health care operations.
- The Chief Information Security Officer will review and approve technical security mechanisms and services for remote access and external transmission of Level III institutional data.
- External network transmission and exchange of Level III institutional data over open networks such as the Internet or outside of the UI managed network must be encrypted and include strong authentication.
- Encryption must be employed for all external transmissions of Level III institutional information via electronic mail, except as authorized by the subject of the data.
- University owned mobile devices (examples include laptops, tablets and external storage devices) must utilize full disk encryption.
Information Integrity Controls
Information must remain consistent, complete and accurate. Integrity errors and unauthorized or inappropriate duplications, omissions and intentional alterations will be investigated and reported to the Business Owner of the affected data.
Separation of duties and functions
Tasks involved in critical business processes must be performed by separate individuals. Responsibilities of programmers, system administrators and database administrators must not overlap, unless authorized by the Business Owner of the data.
Systems and Application software
- System and application software must be tested before installation in a production environment.
- System and application software must be protected from unauthorized changes.
- All security updates must be applied in a timely manner, commensurate with the risk associated with the addressed vulnerability.
A system for change control management must be implemented for systems handling Level II & III institutional data, to monitor and control hardware and software configuration changes. Change control includes documentation of change requests, approvals, testing, and final implementation.
- All systems connected to the network will have virus protection where technologically feasible.
- The most recent version of anti-virus software must be implemented and maintained with daily virus signature/pattern updates.
Preventive Measures, Backup and Recovery
Processes are necessary to prevent loss of vital information, to provide backup and recovery, and provide continuous operation consistent with the business needs of the institution.
- Prevention: Annual testing of preventive methods as they apply to fire, utility services and other environmental hazards must occur.
- Backup: All information must have sufficient backup and be fully recoverable. Responsibilities for the regular backup and safe recovery of systems are described in the Backup and Recovery Policy.
- Emergency Mode of Operation: Alternate modes of operation, which may include manual methods, must be documented to ensure continuity of critical services in the event of a natural disaster, fire, act of vandalism, or act of terrorism.
- Disaster Recovery Planning: All data centers and computerized systems critical to the University of Iowa must have written and tested disaster recovery plans. Business Owners will prioritize the recovery of applications and associated databases to ensure critical services are recoverable in a timely fashion.
Mobile Device Security
Mobile devices present a unique challenge to securing sensitive data. Lost or stolen devices must be protected from unauthorized access and sensitive data disclosure.
- Mobile devices containing institutional data must be kept in a secure location when not in use, and the device must be access controlled with a password.
- Full disk encryption is required for university-owned mobile client devices (e.g., laptops, tablets) unless the device meets criteria for an exception. Personally owned mobile devices must employ full disk encryption if Level III (highly sensitive) institutional data is authorized to be stored locally.
- Employees must use University provided storage services (such as OneDrive) rather than externally attached storage devices (such as USB flash drives) whenever possible, to minimize the risk of lost or stolen devices and institutional data.
- Departments that routinely handle Level III data:
  - All external storage devices must be encrypted prior to writing institutional data.
  - The ability to write data to an external storage device will be restricted to authorized computers.
  - All client computers (desktop and mobile) will utilize full disk encryption.
- Departments that do not routinely handle Level III data:
  - External storage devices must be encrypted prior to writing Level III institutional data.
  - Client computers (desktop and mobile) are recommended to utilize full disk encryption.
Proper data disposal is essential to controlling sensitive data. Media or devices containing sensitive information that are transferred between departments or are removed from service must be properly erased, as described in the Computer Data and Media Disposal Policy.
- Devices containing Level II data must be wiped or erased.
- Devices containing Level III data must be DOD-level wiped or have the media destroyed before disposal.
- Printed reports with Level II data should be recycled, and reports with Level III data must be shredded.
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Iowa Operations Manual (http://opsmanual.uiowa.edu) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources).
- Backup and Recovery Policy
- Computer Data and Media Disposal Policy
- Institutional Data Access
- Roles and Responsibilities for Information Security
- University Login ID Standard
- How to register your system(s) in the Uiowa System Registry (USR)
- IT Security and Network Log Retention Guidelines