University of Minnesota  Administrative Policy

Information Security

Policy Statement

University information is a valuable asset to the University of Minnesota and requires appropriate protection. Unauthorized use or disclosure of data protected by laws, regulations, or contractual obligations could cause severe harm to the University or members of the University community, and could subject the University to fines or government sanctions.

In order to manage these risks:

  • Units and University community members must ensure that their electronic devices, including personally owned devices used for University business, and other resources which store, transmit, or process University information, or can impact the security of the data, meet the information security processes and standards contained in the appendices of this policy, and all pertinent laws, regulations, or contractual obligations. Examples of standards include controls related to data storage, access, security protection software, and awareness.
  • Authorized individuals will be provided access to data they need to carry out work responsibilities.
    • Data custodians must limit access to University data classified as private data to those individuals whose work responsibilities require it.
    • Employees and departments must follow the appropriate approval processes to request access to non-public information and request removal of access when no longer needed.
    • Individuals authorized by their job responsibilities to share University data with internal audiences must follow the procedures related to sharing University data, including instructions on aggregating data where appropriate.

Enforcement

Employees must report known non-compliance with any requirement of this policy to University Information Security ([email protected]).

Individual University community members who do not comply with this policy or the University's information security standards may be denied access to University IT resources and may be subject to disciplinary action up to and including termination.

Exceptions

Units may specify additional more stringent requirements within their physical or administrative areas of responsibility.

Units unable to meet a requirement defined by the information security standards must obtain an exception through the exception request procedure.

The University Chief Information Officer or delegate may allow exceptions to this policy after consultation with the unit and the appropriate compliance officer.

Reason for Policy

This policy will help to:

  • comply with legal, regulatory, and contractual requirements to protect data;
  • safeguard University data and IT resources from accidental or intentional damage and the data stored or accessed by these IT resources from alteration or theft of data;
  • designate the appropriate level of security requirements for securing IT resources;
  • increase the value of University information resources through widespread and appropriate use;
  • prevent the inappropriate and unauthorized disclosure of information and thereby avoid adverse legal consequences.

Procedures

Forms/Instructions

Appendices

Frequently Asked Questions

  1. If my smartphone or other electronic device only supports the use of numbers, not alphabetical and special characters, is that acceptable authentication?

    For electronic devices that do not support the use of complex passwords for authentication, use biometric (e.g., finger print), or a complex swipe pattern, or a non-obvious number sequence. For example, do not use your employee ID or part of your phone number. See Authentication, Access, and Account Management Standard related information for complex password features.

  2. Why do I need to use a password after the screensaver is activated and why is the time so short?

    The password helps protect you from malicious use of your device or others viewing your display when your device is not attended. The screensaver prevents anyone who steals or finds your device (e.g., laptop) from using the device, acting as you, stealing data, etc. See Authentication, Access, and Account Management Standard for other settings that help protect data and your device.

  3. How does the Information Security policy relate to personal devices?

    Personal devices (e.g., smartphones, tablets, laptops) used for University business need to comply with the Information Security Policy and the information security standards contained in the policy.

  4. How does the Information Security policy relate to vendor solutions?

    Vendor solutions also need to comply with the Information Security Policy and the information security standards contained in the policy.

Contacts

SubjectContactPhoneEmail
Primary ContactBrian Dahlin612-625-1505[email protected]
HIPAA Compliance Medical Records, PHI Medical Records, PHILauren Popp [email protected]
FERPA Compliance Student RecordsStacey Tidball612-626-0075[email protected]
PCI Compliance Credit Card DataAccounts Receivable Services612-625-2392[email protected]
Financial SystemsDirector, EFS Customer Support, Controller’s Office (Data Custodian)612-624-1617[email protected]
Human Resources/PayrollDirector, Office of Human Resources (Data Custodian)612-624-8647 or 800-756-2363[email protected]
Student SystemsUniversity Registrar612-625-2803[email protected]
Disclosure of DataCoordinator, Records and Information Management Office; or Office of the General Counsel612-625-3497 
612-624-4100
[email protected]
Institutional Analysis of University Data, University Data CustodianDirector of Institutional Analysis612-626-9518[email protected]
Responsible Individuals
Responsible Officer Policy Owner Primary Contact
  • Vice President and Chief Information Officer, Office of Information Technology
  • Chief Information Security Officer, Office of Information Technology
  • Brian Dahlin
    Chief Information Security Officer, Office of Information Technology

Definitions

Access

The ability to view information and, when applicable, change, delete, duplicate, or transfer it.

Administrative Data

Data that the University generates or collects for operational purposes. It does not include data collected during faculty research.

Application Custodian

The University designated individual responsible for serving as a steward of the application or system, or for provisioning access.

Authorized Individual

An employee, consultant, volunteer or other individual who needs access to University information to perform an activity on behalf of the University.

Authentication

A verification that substantiates a person's identity.

Compensating Control

An alternate but effective means of meeting a security requirement.

Compliance Officer

The University designated individual responsible for a broad type of data (e.g., HIPAA, PCI DSS, FERPA), or data set (e.g., research data) across the University, consistent with University policy and all applicable state and federal laws, and contractual agreements.

Control

A control is any administrative, management, technical, or legal method that is used to prevent, detect or correct risks. Controls are also known as safeguards or countermeasures. Controls include practices, policies, procedures, programs, and technologies.

Control Level

A level assigned to a control at each security level.

  • Required- Must apply the control.
  • Recommended- Should apply the control. It is not required due to limitations in available technology or because the control could potentially place an undue burden on a unit to implement. Units should evaluate the implications of not implementing the control and determine whether or not a compensating control has or can be implemented.
  • Optional- Evaluate and apply the control as appropriate.

Data

Information collected, stored, transferred, or reported for any purpose, whether electronically or on hard copy.

Data Custodian

The University designated individual responsible for serving as a steward of University data in a particular area (e.g., principal investigator (PI)).

Data Owner

The individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data (e.g., research). Where there is a designated University compliance officer, the compliance officer is the data owner.

Enterprise System or Application

System or application that is designated by the Vice President for Information Technology or designee as Enterprise. Enterprise Systems or Applications are typically used across one or more campuses.

Health Care Component

Unit(s) of the University that provide health care or are part of the health plan or are designated by the University as health care components covered under HIPAA. These covered health care components include units that provide health care ("Provider Components") and the Health Plan of the University.

Information Technology Resource (IT resource)

Facilities, technologies, and information resources used for University information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all inclusive but rather reflects examples of equipment, supplies and services. This also includes services that are University owned, leased, operated or provided by the University or otherwise connected to University resources, such as cloud and Software-as-a-Service (SaaS) or Infrastructure-as-a-Service (IaaS), or any other connected/hosted service.

Internal Audiences

For the purpose of sharing administrative data, internal audiences are current employees with a business need to know, requiring access to the data to perform their job duties.

Multi-user System

Any system used by multiple people. Examples include: workstation (e.g., Windows, Mac computer) used by multiple individuals, server (e.g., application, database, web, print, authentication, virtual), medical device, storage area network (SAN), network attached storage (NAS), software application, database. When appropriate, a system used by multiple individuals sequentially may use the single-user designation.

Private Data

For the purposes of this policy, private-highly restricted and private-restricted are defined in Administrative Policy: Data Security Classification.

Providers

Individuals or units who provide data in any form to those audiences requesting either aggregated data or detail unit record data.

Public Data

Public data is defined by Minnesota Statutes as “data collected, created, received, maintained or disseminated by a government entity” unless classified as private by statute or federal law. For purposes of the Sharing Data with University Educational and Administrative Audiences procedure and the Sharing Data with University Faculty and Researchers procedure, public data are those administrative data elements that are non-FERPA suppressed. All other data are considered private. For a list of public and private data elements see the list of examples provided through Administrative Policy Public Access to University Information.

Security Level

A level (high, medium, or low) assigned to data or IT resource following the process in Administrative Policy: Data Security Classification.

Security Violation

Any action that does not comply with system security concepts, policies, processes, or procedures.

Server

A computer which provides services for other computers connected to it via a network. Common examples are file servers, web servers, mail servers, and database servers.

Single-user System

Any system primarily used by a single person at a time. Examples include: workstation (e.g., Windows, Mac computer), laptop, tablet/pad, mobile device (e.g., smart phone), software application, and database. When appropriate, a system used by multiple individuals sequentially may use the multi-user designation.

Standard

Defines information security controls by which an individual or IT resource within the scope must adhere to.

Supervisor

The person to whom an individual directly reports. For those seeking access to information not published publicly, or access to centrally supported systems, it is the person designated by the Dean, Director or Department Head to function in that role for information/data access purposes.

Unauthorized Disclosure

The act of providing information to any person or entity not specifically authorized to receive such information, whether inside or outside of the University community.

Unit

Any organizational entity within the University. Includes, but is not limited to colleges, departments, centers, institutes, offices and programs.

Unit Record Data

Data that is considered non-aggregated data at the lowest level of detail (e.g., individual student or employee level data).

University Community Member

A University community member is a student, faculty or staff member, University guest, volunteer, contractor, or employee of an affiliated entity.

University Data Custodian

The University designated individual responsible for serving as steward of University data when data crosses organizational and system boundaries.

University Data Network

The University data network includes University telecommunications facilities such as the UM data network with all wired or wireless links including departmental networks, ResNet, UM Wireless, academic and administrative network facilities, network facilities serving affiliates or tenants, and system campus networks.

University Data

Information collected, manipulated, stored, reported or presented in any format, on any medium, by any unit of the University, unless contractually identified as owned by another entity.

University-Owned Computers

All computers purchased using University related funds, irrespective of whether the source of those funds is the legislature, research grants, sponsored, foundation or departmental budgets.

User Level Account

An account on a system that is authorized to run programs and applications, and use the system, but does not have the ability to directly install programs and applications, or change the system configuration. Examples of accounts that are not user level accounts include the root account on Unix-like systems, and user level account with administrative privileges or Administrator account on Windows systems.

Responsibilities

University Community Member

  • Review and comply with this policy, the information security standards, and related procedures, as well as pertinent laws or contractual obligations.
  • Inform administrative and technical staff of private-highly restricted or private-restricted data that is stored on computers and other electronic devices.
  • Work with their IT Director, IT Service Owner, or Department Head through the exception request process if needed.
  • Report non-compliance with this policy to University Information Security.

Authorized Individual or Employee

  • Review access needs with Supervisor.
  • Submit access request to Supervisor.
  • Maintain the integrity and confidentiality of information.
  • Report security violations to Supervisor and/or University Information Security.

Supervisor

  • Review access needs with staff.
  • Review and submit access requests.
  • Request access changes for those they have authorized.
  • Change in job responsibilities.
  • Transfer within the University.
  • Termination from the University.
  • Report security violations to Data Custodians, Application Custodians and/or the group that manages access to the system or application, and University Information Security.

General Counsel

  • Provide legal advice, including information classification to Data Custodians and other University personnel, to ensure compliance with state and federal laws.

Records and Information Management Office

  • Serve as the responsible authority and data practices compliance official under the Minnesota Government Data Practices Act and fulfills requests for public information that cannot be met through existing reports and other materials.
  • Assist General Counsel in advising University staff and other decision-makers regarding access to and disclosure ofUniversity Information.

University Data Custodian

  • Provide policy direction and oversight regarding access to University data.
  • Ensure appropriate and consistent procedures related to accessing data.
  • Decide how University data will be treated (e.g., any restrictions for viewing, printing, copies).
  • Assemble appropriate constituent groups to examine specific data issues crossing organizational and system boundaries, while balancing the needs and desires of the constituent groups, within legal and data security policy constraints.
  • When needed, resolve problems that arise at the Data Custodian and Application Custodian levels.

Data Custodian

  • Participate with the University Data Custodian, other Data Custodians, University Information Security, Compliance Officers and legal representatives, in the development of University data access policy and procedures.
  • Advise the Application Custodians, Supervisors and Data Owners on data access as it relates to their areas of responsibility.
  • Establish appropriate processes and procedures for access to data stored within the systems for which they are responsible, in cooperation with others responsible within the organization.

Application Custodian

  • Advise Supervisors, Data Owners and others on access and procedures as it relates to their applications.
  • Establish appropriate processes and procedures for access to data stored within the systems for which they are responsible, in cooperation with others responsible within the organization.
  • May authorize data access, or grant system access based on the authorization of others, in accordance with University policy and access processes. When performing this function, system administration responsibilities must be performed by another individual or area.
  • Monitor access based on University policy.

Compliance Officer

  • Monitor data security compliance.
  • Investigate allegations and incidents of non-compliance.
  • Recommend appropriate corrective and disciplinary actions.
  • Develop and maintain policies related to the compliance requirements.
  • Participate with the University Data Custodian, other Data Custodians, University Information Security and legal representatives, in the development of University data access policy and procedures.
  • Report non-compliance with this policy to University Information Security.

Technical Staff

  • Secure IT resources in accordance with this policy, information security standards and related procedures, as well as pertinent laws or contractual obligations.
  • Establish, develop, implement and manage the organization's access processes, systems and procedures in coordination with the Data Custodians, Application Custodians and other security and system administrators.
  • Participate in campus and University-wide technical and security groups or forums.
  • Respond to technical questions from users related to securing IT resources.
  • Complete gap analysis for the IT resources the unit manages.
  • Participate in exception to policy or information security standards request process, if needed.
  • Report non-compliance with this policy to University Information Security.

Campus, College, and Department Administrators

  • Assign the responsibility of managing the risk and identifying specific security requirements associated within the collegiate or departmental unit.
  • Create, disseminate, and enforce local security requirements to comply with University-wide policies for IT resources under their control.
  • Provide oversight and assure the security of legally or contractually private data created, stored, or accessed by employees.
  • Assign the responsibility of maintaining documentation of information security controls in operational procedures and ensuring that they are used and known by all affected individuals.
  • Manage the security gap analysis for data and IT resources for security control requirements.
  • Request exceptions to policy or information security standards, if needed.
  • Report non-compliance with this policy to University Information Security.

Providers

  • Provide data to those audiences requesting either aggregate data or detail unit record data following the administrative procedures for sharing data with University educational and administrative audiences, University faculty, or University Researchers.

University VP of Information Technology and Chief Information Officer (CIO)

  • Delegated authority and responsibility for Information Technology security.
  • Designate individuals who have the responsibility and authority for information technology resources.
  • Designate individuals who have the responsibility for information technology policies.
  • Review and approve information security standards.
  • Approve the list of systemsand applications designated as an enterprise system or application.

University Chief Information Security Officer or Designate

  • Delegated authority and responsibility for Information Technology security from the CIO.
  • Establish and maintain an Information Security Advisory Committee to provide guidance on information security policy, standards, and procedures, requested exceptions to policies and information security standards, information security risk, information security incidents, and other information security related matters.
  • Establish information security policies and standards to protect University data, other private data, and University IT resources. Review and approve final information security standards following the CIO approved process.
  • Establish a process to review exception requests to information security policies and standards.
  • Provide security policy advice to Supervisors and other offices.

Office of Information Technology (OIT) - University Information Security

  • Manage the information security policies and standards exception process.
  • Provide guidance on information technology security issues.
  • Monitor and notify regarding potential system intrusions
  • Review reported and discovered security incidents.
  • Provide oversight for the vulnerability scan process.
  • Operational responsibility and authority to remove non-compliant electronic devices from the network and, as appropriate, retrieve equipment and data as part of an investigation.
  • Coordinate with the unit administrative and technical/security staff to assure that actions are taken as necessary to protect University resources.
  • Coordinate with law enforcement, compliance offices, and the Office of the General Counsel.

Security Advisory Committee

  • Advise on information security issues.
  • Advise on information security policies and standards for high-level risks to the University.

Related Information

Related Policies

Related Laws and Regulations

Related Instructions

Other

History

Amended:

June 2019 - Comprehensive Review.

  • Merges the Internal Access to and Sharing University Information policy with the Information Security policy
  • Updates the Managing Access to University Information to include procedure for provisioning and access review
  • Updates the security controls in the information security standards (in appendices) to provide more clarification and identify which are required at each security level
  • Combines security standards and controls for multi-user and single-user systems into a new information security standard and add new standards for software development, virus/malware protection management and encryption
  • Updates the policy statement, reason for the policy, contacts, definitions, responsibilities, related information, procedures and appendices (standards)

Amended:

April 2015 - Comprehensive Review, Major Revision. Title of the policy changed from Securing Private Data, Computers and Other Electronic Devices to Information Security. The content updated to reflect information security controls and Data Security Classification. Basic and Enhanced Security for Computers and Other Electronic Devices procedure removed.

Effective:

August 2010