University information is a valuable asset to the University of Minnesota and requires appropriate protection. Unauthorized use or disclosure of data protected by laws, regulations, or contractual obligations could cause severe harm to the University or members of the University community, and could subject the University to fines or government sanctions.
In order to manage these risks:
- Units and University community members must ensure that their electronic devices, including personally owned devices used for University business, and other resources which store, transmit, or process University information, or can impact the security of the data, meet the information security processes and standards contained in the appendices of this policy, and all pertinent laws, regulations, or contractual obligations. Examples of standards include controls related to data storage, access, security protection software, and awareness.
- Authorized individuals will be provided access to data they need to carry out work responsibilities.
- Data custodians must limit access to University data classified as private data to those individuals whose work responsibilities require it.
- Employees and departments must follow the appropriate approval processes to request access to non-public information and request removal of access when no longer needed.
- Individuals authorized by their job responsibilities to share University data with internal audiences must follow the procedures related to sharing University data, including instructions on aggregating data where appropriate.
Employees must report known non-compliance with any requirement of this policy to University Information Security ([email protected]).
Individual University community members who do not comply with this policy or the University's information security standards may be denied access to University IT resources and may be subject to disciplinary action up to and including termination.
Units may specify additional, more stringent requirements within their physical or administrative areas of responsibility.
Units unable to meet a requirement defined by the information security standards must obtain an exception through the exception request procedure.
The University Chief Information Officer or delegate may allow exceptions to this policy after consultation with the unit and the appropriate compliance officer.
Reason for Policy
This policy will help to:
- comply with legal, regulatory, and contractual requirements to protect data;
- safeguard University data and IT resources from accidental or intentional damage, and the data stored or accessed by these IT resources from alteration or theft;
- designate the appropriate level of security requirements for securing IT resources;
- increase the value of University information resources through widespread and appropriate use;
- prevent the inappropriate and unauthorized disclosure of information and thereby avoid adverse legal consequences.