Standard Number: IT.3.3.1S
Category: Information Privacy
Owner: Information Technology Services
Effective: May 15, 2019
Revision History: None
Review Date: May 14, 2022
PURPOSE, SCOPE AND RESPONSIBILITIES
- The Sensitive Data Policy establishes the criteria for data that the University determines to be Sensitive Data. The purpose of this Standard is to identify the physical and environmental safeguards that must be implemented to protect Sensitive Data.
- This Standard applies to all University employees, students, and volunteers, as well as any third-party individuals and entities who are doing work on behalf of the University that generate, have access to, collect, or use Sensitive Data.
- This Standard is intended to ensure the Security of Sensitive Data at the University. It is not intended to supersede any regulatory or contractual requirements for handling such data. Some specific data sets, such as credit/debit card data, healthcare data, and financial account data, may have stricter requirements in addition to the minimum standard requirements identified in this document.
- The Chief Information Security Officer is responsible for implementing and enforcing this Standard. Health Sciences Center Information Technology Services (“HSCITS”) is responsible for the Security of Protected Health Information at the University. Information Technology Services (“ITS”) is responsible for ensuring the Security of all other Sensitive Data types.
- The Data Steward is responsible for ensuring the Sensitive Data for which they are responsible is classified and secured appropriately.
- It is the responsibility of Data Users authorized to generate, maintain, and/or access Sensitive Data to abide by this Standard. Data Users should avoid collecting, accessing, or sharing Sensitive Data whenever possible.
ACCESS AND SHARING
- Access to Sensitive Data requires approval of the Data Steward and must be restricted to only those who require accessing such data to perform job duties.
- Access to Sensitive Data must immediately be removed when an individual’s employment duties no longer require access.
- Printing, copying, and scanning of Sensitive Data is strictly prohibited unless the printer is securely configured in a restricted-access location, an authorized person is available to receive the printout immediately, or the printer is password-protected.
- Data Stewards must approve remote access to Sensitive Data to ensure it is accessed securely. Those individuals approved to remotely access Sensitive Data must take precautions to ensure the data is not viewed or accessed by unauthorized individuals (e.g., family members).
- Access to Sensitive Data must be limited to as few devices as possible, and all devices that do access Sensitive Data must meet the University-Owned Device Standard, including installation of Identity Finder and anti-virus software.
- The use of personal devices to access Sensitive Data is prohibited unless approved by either ITS or HSCITS.
- Mobile devices should not be used to access Sensitive Data. At minimum, mobile devices approved to access Sensitive Data must be password protected and encrypted.
INFORMATION SYSTEMS AND DEVICES
- All applications that host Sensitive Data must undergo a security assessment conducted by ITS prior to being purchased. All critical and high-severity vulnerabilities identified must be remediated prior to being connected to the University network.
University Information Systems housing Sensitive Data must at minimum meet the following
requirements unless an exception is approved by the appropriate dean/director:
- Run a Supported Operating System;
- Be patched to the most current security level provided by the vendor;
- Employ anti-virus software (e.g., Sophos), which is configured for automatic daily definition updating, automatic protection of all incoming files, and scheduled weekly drive scans;
- Isolate Sensitive Data from all Internet-facing programs and services;
- Disable remote desktop protocols;
- Be secured behind a hardware firewall;
- All system passwords must meet the Password Standard; and,
- Employ two-factor authentication.
- Pursuant to the Acceptable Use of Data and Technology Resources Policy, access to systems and devices storing Sensitive Data should be based on Least Privilege.
- Back up files of Sensitive Data must be kept in an ITS-managed or HSCITS-managed location, with an approved third-party vendor, or a room that is physically secured with card swipe/key and requires access logging.
STORING AND SCANNING
- Storage of Sensitive Data on an unsecure University electronic file or workspace (e.g., SharePoint, OneDrive) is not permitted. Exhibit A of the Sensitive Data Policy indicates approved storage locations for Sensitive Data types.
- ITS will scan networked devices monthly to identify any Sensitive Data stored in an unapproved location. Scan results must be remediated at least quarterly.
- Storage of Sensitive Data on sites external to the University (e.g., DropBox, Google Drive) is not permitted unless ITS/HSCITS has approved the vendor for such storage.
TRANSMISSION AND TRANSPORTATION
- Transmission of Sensitive Data via email and email attachments is not permitted, except between approved University Health Care Components pursuant to the HIPAA Hybrid Entity Policy.
- Use of other messaging services (e.g., voicemail, text, Skype, FaceTime, Blackboard Collaborate) to transmit/share Sensitive Data is strictly prohibited.
- Faxing Sensitive Data is only permitted if the following criteria is met:
- The receiving fax machine is in a secure location;
- A cover sheet accompanies the transmission clearly indicating the recipient; and,
- The recipient has been alerted to transmission and is able to receive it.
- Faxes including Sensitive Data must never be stored on the fax machine or emailed.
- Other transmission channels for Sensitive Data (e.g., SecureFTP, FileLocker, S-HTTP) must be encrypted. The source and destination devices must be appropriately secured and approved by the University for storage of Sensitive Data.
- Transportation of Sensitive Data from one location to another must:
- Always be supervised;
- Be in a secure container (physical);
- Be encrypted and password protected (electronic);
- Physical copies of Sensitive Data no longer essential must be shredded with a secure, cross-cut shredder.
- University-owned devices that have accessed Sensitive Data and are no longer essential must be sanitized prior to being reassigned or sending to surplus.
- All computers, fax machines, and other electronic devices that have stored or received Sensitive Data are required to have the hard drive sanitized (or destroyed) and the memory erased before reassigning it or sending it to surplus.
- “Data Steward” means the University executive officers or their designees who have planning and policy-level responsibilities for data in their functional areas and have management responsibilities for recognized University Information Systems
- “Least Privilege” means granting the minimum system resources and authorizations that it needs to perform its function or restricting access privileges of authorized personnel to the minimum necessary to perform their job.
- “Security” means the strategies for managing University Sensitive Data to ensure the confidentiality (the rules that limit access), integrity (the assurance that data will remain uncorrupted), and availability (the assurance that data will continue to be available) of it, including the requirements to collect, store, transmit, and access Sensitive Data.
- “Supported Operating System” means the entity providing the OS, be it a vendor, open source, or individual, is actively and routinely providing and deploying patches and security updates for the OS.
- “University Business Need” means operations designated as essential to the academic, administrative, research, and outreach needs of the University.
- “University Information Systems” means applications that are on the campus network, require authentication, and are used to support the academic, administrative, research, and outreach activities conducted at the University (e.g., STAR, MAP, WVU+kc, eCampus).