Data Security and Access Management Policy
- Effective Date: December 1, 2021
- Last Reviewed Date: December 1, 2021
- Review Cycle: Annual
- Policy Owner: Information Technology Services (ITS)
- Approved By: Vice President for Information Technology and CIO
- Policy Contact: Information Security & Compliance Analyst
Institution data is information that is related to New York Tech's activities and is created, maintained, or processed by New York Tech. Institution data is a vital asset that must be available to employees who have a legitimate business need. However, the use of institution data for anything other than approved institution purposes is prohibited by institution policy and, in many instances, by law. Therefore, the data and system resources referred to in this policy must be properly safeguarded regardless of the location of those resources or the medium of storage.
Access to institution data will be granted on the principle of least privilege and consistent with the classification of the institution data, the role(s) and responsibilities of the user, and the level of employee training. Institution data will be classified according to its sensitivity to unauthorized exposure, as per the standards defined in the Data Classification Matrix. This policy is supported by the Data Classification Matrix and by a data security/privacy training program that educates users to process institution data effectively and securely.
More specifically, the intent of this policy is to:
- Provide a structured framework for classifying and securing data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal
- Define a consistent process to obtain necessary data access for conducting New York Tech operations (including administration, research, and instruction)
- Specify relevant mechanisms for delegating authority to accommodate this process at the unit level while adhering to appropriate controls, segregation of duties and other best practices
- Support compliance initiatives regarding FERPA, HIPAA, the Gramm Leach Bliley Act (GLBA), New York Privacy Laws, other privacy and security requirements and best practices that address data access controls
This policy applies to all employees whose job responsibilities include inputting, safeguarding, retrieving, or using institution data, and to those who supervise such individuals on all campuses and within all schools/departments. This policy applies to institution data classified as confidential or restricted that is maintained by New York Tech or a party acting on the institution's behalf. The policy applies regardless of the medium on which data resides (including electronic devices, USB drives, printouts, CD, etc.) or the form it may take (text, graphics, video, voice, biometrics, etc.).
This policy does not apply to:
- Data or records that are the personal property of a New York Tech community member or data created and/or kept by an individual employee for their own use
- Institution data that has been de-identified such that it may be classified as public, as determined by the data steward
- Situations in which New York Tech is legally compelled to provide access to data
- Research data, scholarly work of faculty and students, and intellectual property
- Data classified as public. Access to these data types is determined at the discretion of the office that creates, maintains, or processes it.
- Access
- Flow of information between a store of data and a user, system, or process. A user, system, or process is considered to have access to data if it has one or more of the following privileges: the ability to read or view the data, update existing data, create new data, delete data, or make a copy of the data. Access can be provided either on a continual basis or on a one-time, ad hoc basis.
- Data Steward
- Institution officials who have planning and policy-level responsibilities for data in their functional areas are considered data stewards. Data stewards have operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data in their respective subject and system areas. Data stewards are responsible for developing and applying standards for the management of institution data, for reviewing access privileges on an annual basis, and for ensuring that data users are appropriately informed of security obligations associated with their data access. For historical reasons—because data and the responsibility for data have traditionally been organized along functional or subject-area boundaries—the data stewards are established according to this same subject-area organizing principle. The data steward is usually the dean, vice president, or unit head of the New York Tech unit that creates or originates the institution data.
- Data User
- An individual who has been authorized to access/process institution data for the performance of their assigned job duties, or in fulfillment of their assigned role at the institution.
- Institution Data
- Those data, regardless of format, maintained by New York Tech or a party acting on behalf of New York Tech. Institution data (electronic and paper) consists of information stored in any institution database, file system, storage medium, or paper that contains information on past, current, or future students, employees, or donors/friends. All institution data, whether maintained in a central database, copied into other data/file systems, or printed onto paper, remain the property of the institution and are governed by this policy statement.
- Principle of Least Privilege
- The principle of least privilege stems from the idea that any user, program, or process should have only the bare minimum privileges/access necessary to perform the required function or task.
Institution data shall be used only for the legitimate business of New York Tech and only as required in the performance of specified job functions. Under no circumstances shall anyone use confidential or restricted institution data in any publication, seminar, or professional presentation, or otherwise release data, in any form, outside the institution without prior written approval from the appropriate data steward and/or the appropriate executive officer(s). Publication or release of institution data that includes data about a student's academic work requires permission from the student. Institution data must never be left on any system or in an area to which access is not controlled (i.e. a computer hard drive, USB drive, unlocked file drawers, etc.).
As a general principle of access, institution data (regardless of who collects or maintains it) shall be shared among those employees, students, and faculty whose work can be done more effectively by knowledge of such information. Though the institution must protect the security, confidentiality and privacy of data, the procedures to allow access should not unduly interfere with the efficient conduct of institution business.
Standards of Data Classification
Institution data shall be classified in accordance with the Data Classification Matrix to identify the level of confidentiality needs, legal requirements, and minimum standard protections for the data before access is granted. The three classifications of institution data are as follows:
- Public Data – Information for which there is no expectation of privacy or confidentiality.
- Restricted Data – Information that the institution has decided not to publish or make public, including data protected by contractual obligations.
- Confidential Data – Information that is legally regulated, as well as data that would provide access to confidential or restricted data.
Confidential data and restricted data will require varying security measures appropriate to the degree to which the loss or corruption of the data would impair the business or research functions of the institution; result in financial loss; or violate law, policy or institution contracts. Security measures for data are set by Information Technology Services working in conjunction with General Counsel and the respective data stewards. The Data Classification Matrix outlines the criteria used to determine which data classification is appropriate for a particular piece of data or information system.
Specific Roles and Responsibilities
Vice President for IT and CIO
The Vice President for IT and CIO has responsibility for security oversight of the institution's IT resources. Implementation of security policies is assigned to Information Technology Services and may be delegated throughout the institution at the Vice President for IT and CIO's discretion. The Vice President for IT and CIO can make exceptions to data security procedures in support of the institution's mission.
Data Stewards
Data stewards are responsible for the accuracy and completeness of data in their respective areas and systems. Data stewards, often in collaboration with Information Technology Services, are also responsible for the maintenance and control of the administrative information system's validation and rules tables, processes which define how business is conducted at the institution, and the integrity of all coding and data entry processes.
A data steward, usually a senior administrator of a major institution office or department, may make institution data available to others within his or her purview for use and support of the institution business functions. Data stewards, in partnership with Information Technology Services, shall define access control principles and restrictions on use and handling of the data for which they are assigned responsibility, consistent with New York Tech's Data Classification Matrix. Data stewards shall also provide education and training to individuals with respect to access and manipulation of institution data.
Before granting access to data, the data steward shall be satisfied that protection requirements have been implemented and that a business "need to know" is clearly demonstrated. By approving end-user access to institution data, the data steward consents to the use of this data within the normal business functions of administrative and academic offices. Access to institution data shall not be granted to persons unless there is an established business "need to know." The principle of least privilege will be applied to all data access/use cases. Data stewards are required to audit all security authorizations at least annually for their area and make additions or deletions as necessary.
Data Users
The data user, synonymous with user, is the individual, automated application, or process that is authorized by the data steward to create, enter, edit, and access institution data, in accordance with institution policies and procedures. Data users must use responsibly the institution data to which they have access, including using the data only for its intended purpose and respecting the privacy of members of the New York Tech community. Data users must maintain the data in accordance with applicable laws and institution policy. Authorized access to Confidential Data or Restricted Data does not imply authorization for copying, further dissemination of the data, or any use other than the use for which the employee was authorized. The data steward retains the right to approve and grant access to confidential or restricted institution data.
Colleges, Departments, and Other Units
Colleges, schools, departments, and other units are responsible for securing any information they create, manage, or store, and for any information they acquire or access from other institution systems (e.g., student educational records, personnel records, and business information). This responsibility includes participating in periodic risk assessments, developing and implementing appropriate security practices, and complying with all aspects of this policy.
Individuals Using Personally Owned Computers and Other Network Devices
Students, faculty, and staff who use personally owned systems to access New York Tech IT resources and institution data are responsible for the security of their devices. Further, they are responsible for following and implementing necessary security protocols on their personal devices and required to follow all applicable laws, regulations, policies, and procedures directed at the individual user. ITS in consultation with General Counsel and the appropriate data steward(s) may prohibit the use of personal devices to access data under their purview. Confidential data may not be stored on personally owned systems.
Third Party Vendors
Third party vendors providing hosted services and vendors providing support, whether on campus or from a remote location, are subject to New York Tech security policies and will be required to acknowledge their security obligations in contractual agreements. The vendors are subject to the same auditing and risk assessment requirements as colleges, departments, and other units.
General Data Handling Requirements
1. All credit card processing (e.g., online, phone, mail, over-the-counter, card-swiping) must be reviewed and approved by the institution controller. No member of the New York Tech community is permitted to electronically store or maintain credit card or debit card numbers, expiration dates, and/or security codes in any way relating to New York Tech or New York Tech-sponsored activities. ITS must approve the use of any system or application that electronically processes, stores, or transmits credit card data. Paper documents containing credit card data should be secured in a locked office and stored in a cabinet. In an open office environment paper documents should be stored in locked cabinets. Paper documents should not be left in an unsecured office after work hours.
2. The following confidential data types can only be electronically stored on an ITS managed server and can only be accessed from an ITS managed computer.
- Social Security number
- Driver's license number
- State/Federal ID card number
- Passport number
- Financial account numbers (checking, savings, brokerage, CD, etc.)
If an exception is necessary in order to carry out the business of the institution, the user must get written approval from both their vice president as well as the VP for IT/CIO.
3. All other confidential data and restricted data types must be electronically stored on, or accessed from, one of the following devices, in order of preference:
A. ITS managed server or file share
B. ITS managed desktop computer, encrypted laptop, encrypted mobile storage device
Any encrypted device must be encrypted using a process documented and approved by ITS, and the administrator of such a system must report to the Vice President for IT/CIO on system security related matters.
4. When handling physical documents containing any confidential data and/or restricted data types, the documents must be in your possession at all times; otherwise they should be stored in a secure location (e.g. room, file cabinet, etc.) to which only specifically-approved individuals have access through lock and key. When the information is no longer needed, the physical documents must be shredded using an institution-approved device prior to being discarded; or destroyed by an institution-approved facility.
Confidential data cannot be transmitted through any electronic messaging (e.g., email, instant messaging, text messaging, chat, etc.), even to other authorized data users. Confidential data in a physical format cannot be transmitted through untracked delivery methods. Campus mail and regular postal services are not tracked delivery methods.
Confidential data and restricted data should not be taken or stored off-campus unless the data user is specifically authorized to do so by a vice president and notification of the authorization is sent to the Vice President for IT/CIO.
5. New York Tech reserves the right to electronically scan all New York Tech-owned resources and resources connected to the New York Tech network for confidential data. If confidential data is found in unauthorized locations, the Vice President for IT/CIO will follow-up with the responsible vice president to remedy the situation.
Electronic access to confidential data should be granted by authenticating to a central authentication resource maintained by ITS. If it is not possible to use a central ITS authentication method, the application conducting the authentication must operate under the same policies as the central ITS resource (password and user lockout rules must apply and user accounts must be tied to a unique user—no shared accounts).
Data Access for Faculty, Staff and Student Employees
Authorization for access to confidential data or restricted data shall be specified and approved by the respective data steward and must be made in conjunction with authorization or signed acknowledgement from the requestor, or other official authority.
Data Access for Contractors/Vendors
When negotiating contracts with third party vendors, the responsible party must consider whether such vendors require access to institution data, institution databases or to other filing systems containing confidential data or restricted data. Vendors should be contractually obligated to meet certain insurance requirements and implement data protection and security measures that match or exceed institution practices. If a vendor or consultant is to have access to confidential data or restricted data, the contract must be reviewed by New York Tech's General Counsel and ITS prior to execution.
Responsibility for Policy Oversight
Except as otherwise specified in this policy or as otherwise duly authorized by New York Tech, the Vice President for IT/CIO has responsibility for the interpretation, implementation, and oversight of this policy. The Vice President for IT/CIO will issue such administrative guidelines and procedures to facilitate policy as may be reasonable and consistent with it.
Report suspected violations of this policy to the Vice President for Information Technology/CIO, the appropriate data steward or the responsible organization/party. Reports of violations are considered restricted data until otherwise classified.
Related Internal Policies
- Mobile Device Policy
- New York Tech Information Security and Incident Response Procedures
- Record Retention and Destruction Policy (requires login)
- Federal Legislation:
  - HIPAA (Health Insurance Portability and Accountability Act)
  - FRCP (Federal Rules of Civil Procedure, a.k.a. eDiscovery)
  - USA Patriot Act
  - FERPA (Family Educational Rights and Privacy Act)
  - GLBA (Gramm-Leach-Bliley Act)
  - FISMA (Federal Information Security Modernization Act)
- State Regulations:
  - SHIELD Act (New York's Stop Hacks and Improve Electronic Data Security Act) and other state security regulations
- PCI DSS (Payment Card Industry Data Security Standard)
- GDPR (European Union's General Data Protection Regulation)
- PIPEDA (Canadian Personal Information Protection and Electronic Documents Act)
- PIPA (British Columbia's Personal Information Protection Act)
Violations of the policy may result in loss of data access privileges, administrative sanctions (including termination or expulsion), as well as personal civil and/or criminal liability.