Overview
1. Purpose
This minimum standard serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to the standard will improve confidentiality and integrity of university data.
The objective of this standard is to facilitate the identification, management, communications and training requirements to promote prudent stewardship of university data. This minimum standard exists in addition to all other university policies and federal and state regulations governing the protection of the university's data.
Compliance with these requirements does not imply that data will be completely secure. Instead, these requirements should be integrated into a comprehensive information security plan.
2. Scope
This standard applies to the handling of university data that are classified as Confidential, Controlled, or Published (see Data Classification Standard).
3. Audience
All faculty, staff, student employees, contractors, and vendors working with University of Texas at Austin data or information resources.
4. Minimum Standard
The university requires all data stewards and data custodians to manage, access, and utilize university data in a manner consistent with the university's need for confidentiality, integrity, and availability.
Each College, School, or Unit (CSU) handling university data shall develop, maintain, and execute a data stewardship plan comprised of clear and consistent procedures describing how the respective area manages the handling, access, and protection of university data. Each data stewardship plan for university data shall include the following components:
# | Action | Confidential | Controlled | Published |
---|---|---|---|---|
4.2.1 | Labeling documents | Certain documents must be labeled as "Confidential" regardless of internal or external use. Documents approved for distribution should be labeled accordingly. | Certain documents may be labeled as "Confidential" regardless of internal or external use. Documents approved for distribution should be labeled accordingly. | |
4.2.2 | Duplicating documents | Receiver of document containing Confidential information must not further distribute without permission of respective CSU or data steward. Please see records management practices for more details about creating and managing copies of records. | | |
4.2.3 | Mailing documents via campus mail | The envelope is labeled as "Confidential" | | |
4.2.4 | Mailing documents via external mail carriers | No classification marking on external envelope required; Confirmation of receipt is required as legally mandated. | | |
4.2.5 | Disposing of documents | Adhere to retention schedules. Employ the services of the preferred vendor for records management and destruction. | Adhere to retention schedules. Physical destruction beyond ability to recover (e.g. office cross-cut shredder). | Refer to retention schedules. |
4.2.6 | Storing of documents | Stored in a secured location when not in use. | Stored out of sight when not in use. | |
4.2.7 | Granting permission to view information | Read access is restricted using various access control methods and is based on roles, classes, entitlements, or affiliations defined by respective Data Steward, or their designate. | Read access is restricted using various access control methods and is based on roles, classes, entitlements, or affiliations defined by respective Data Steward, or their designate. | |
4.2.8 | Reviewing data classifications for data under CSU and Data Stewards' management | Review annually | Review annually | Review annually |
# | Action | Confidential | Controlled | Published |
---|---|---|---|---|
4.3.1 | Storing data on fixed media with access controls | No encryption required. It is highly recommended that some credit card and/or bank account information be encrypted if it must be stored. (Refer to the Data Encryption Guidelines for information about encryption.) Sensitive credit card authentication data should not be stored at all. | | |
4.3.2 | Storing data on fixed media without access controls and accessible via the network | Not permitted. | Not advised. If Controlled data must be stored via this media, it should be encrypted (see Data Encryption Guidelines) or isolated in such a manner that ensures confidentiality, integrity, and/or availability. | |
4.3.3 | Storing data on fixed media without access controls, but not accessible via the network | Devices must be stored in a physically secured location at all times. | Devices must be stored in a physically secured location when not in use. | |
4.3.4 | Storing data on removable media or portable devices | It is required that Confidential data be encrypted when stored on such media or devices (see Information Resources Use and Security Policy (IRUSP) 11.3.4). Such media or devices must be stored in secured location when not in use. | It is recommended that Controlled data be encrypted when stored on such media or devices. Such media or devices must be stored in secured location when not in use. | |
4.3.5 | Granting permission to view data (including duplication) | Read access is restricted using various access control methods and is based on roles, classes, entitlements, or affiliations defined by respective Data Steward, or their designate. | Read access is restricted using various access control methods and is based on roles, classes, entitlements, or affiliations defined by respective Data Steward, or their designate. | |
4.3.6 | Granting permission to create or modify data | Create / Modify access is restricted using various access control methods and is based on roles, classes, entitlements, or affiliations defined by respective Data Steward, or their designate. | Create / Modify access is restricted using various access control methods and is based on roles, classes, entitlements, or affiliations defined by respective Data Steward, or their designate. | |
4.3.7 | Granting permission to delete data | Deletions are restricted using various access control methods and are based on roles, classes, entitlements, or affiliations defined by respective Data Steward or their designate. Also adhere to records management requirements for deleting data. | Deletions are restricted using various access control methods and are based on roles, classes, entitlements, or affiliations defined by respective Data Steward or their designate. | |
4.3.8 | Preventing data disclosure to unauthorized requestors (e.g., social engineering) | Consider what is being requested and who is requesting it. If the requestor's credentials or authenticity cannot be 100% assured, do not disclose any information. Escalate the situation to a supervisor, or to the Information Security Office. | Consider what is being requested and who is requesting it. If the requestor's credentials or authenticity cannot be 100% assured, do not disclose any information. Escalate the situation to a supervisor, or to the Information Security Office. | |
4.3.9 | Preventing unauthorized viewing or eavesdropping of data (e.g., shoulder surfing) | Implement privacy screens on monitors that are in high-traffic areas. Be aware of any unauthorized individuals or loiterers. | Implement privacy screens on monitors that are in high-traffic areas. Be aware of any unauthorized individuals or loiterers. | |
4.3.10 | Printing hard copy report of data | Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing. | Unattended printing permitted only if physical access controls are used to prevent unauthorized viewing. | |
4.3.11 | Labeling data at the internal application or screen level | If information has been specifically restricted (e.g. about a user), it should be clearly displayed to the viewer upon request of such restricted information. | | |
4.3.12 | Disposing of surplus physical electronic media device (e.g. disks, hard drives, CDs, etc) | Media must be securely destroyed using university-approved methods. | Media should be wiped or degaussed beyond the ability to recover data. It is advised that media be destroyed using the Confidential destruction processes. | |
4.3.13 | Disposing of data (e.g., legacy data, unneeded data, etc) | Adhere to retention schedules. Manually or automatically attempt to verify Confidential data has been removed (e.g., SENF). | Adhere to retention schedules. Manually or automatically attempt to verify Controlled data has been removed. | |
4.3.14 | Auditing access activity | Log all necessary access attempts defined by policy or business requirements; System Custodians shall review all access violation attempts and notify Data Steward and/or Information Security Office of any suspicious or abnormal activity. | Log all violation attempts; System Custodian reviews as appropriate. | |
4.3.15 | Retaining information access report logs | Retain logs for at least 14 days. Existing record retention schedules are authoritative. | Retain logs for at least 14 days. Existing record retention schedules are authoritative. | |
4.3.16 | Reviewing data classifications for data under CSU and Data Stewards' management | Review annually | Review annually | Review annually |
# | Action | Confidential | Controlled | Published |
---|---|---|---|---|
4.4.1 | Transmitting information via fax | Machine must have limited access such that only those authorized can view. Otherwise, recipient must first agree that an authorized person will be present when the material is received. | Machine must have limited access such that only those authorized can view. Otherwise, recipient must first agree that an authorized person will be present when the material is received. | |
4.4.2 | Transmitting information via voice mail | Confidential data must not be provided in a voice mail message. Instead, request a call back. | | |
4.4.3 | Transmitting information via wired, wireless, or cellular network | Encryption required (e.g. SSL, SSH, IPSEC, etc). If no secure transmission option is available, data must be encrypted prior to transmission. | Encryption suggested | |
4.4.4 | Transmitting information via other network protocols (e.g. e-mail, file transfers, telnet sessions, web applications, network printing) | Encryption required (e.g. SSL, SSH, IPSEC, etc). If no secure transmission option is available, data must be encrypted prior to transmission. | Encryption suggested. Access controls required. | |
4.4.5 | Reviewing data classifications for data under CSU and Data Stewards' management | Review annually | Review annually | Review annually |
5. Responsibility
5.1. Colleges, Schools, Units (CSUs)
5.1.1. CSUs, relying on the university's Data Classification Standard and the Minimum Security Standards for Data Stewardship, shall develop, maintain, and execute a data stewardship plan comprised of clear and consistent procedures describing how the respective functional areas and their reporting units manage the handling, access, and protection of university data.
5.1.2. CSUs must be able to clearly demonstrate effective employee awareness efforts as they relate to respective business practices involving university data.
5.2. Data Stewards
5.2.1. Data Stewards shall ensure that steps are taken to protect the data in accordance with respective policies, guidelines, and procedures, and that these are being properly implemented.
5.2.2. Data Stewards may delegate the implementation of the university policies, guidelines, and procedures (for example, system administration) to professionally trained campus or departmental IT owners and/or custodians.
5.3. Data Custodians
5.3.1. All university employees handling university data are considered Data Custodians for any data in their possession regardless of where the data may be stored.
5.3.2. Data Custodians should review and understand the university's Data Classification Standard and the responsibilities associated with viewing and handling university data they have been authorized to access. Any related questions should be directed to their respective supervisor and/or to the Information Security Office (security@utexas.edu).
5.3.3. Data Custodians should refer to the Minimum Security Standards for Data Stewardship, or their respective area or unit's specific data handling procedures, if there are any questions about how a piece of data should be handled.
5.3.4. Data Custodians are responsible for any unauthorized disclosure or exposure of data while the data is in their possession.
5.3.5. All university employees handling university data should avoid accessing, manipulating, or changing university data without the authorization of their supervisor or if it is not required to fulfill assigned university duties. Such misuse includes, but is not limited to, the following examples:
5.3.5.1. Changing data about yourself or others for other than usual business purposes.
5.3.5.2. Using information, even if authorized to access it, to support actions by which individuals might profit (e.g., salary changes, grade changes, appointment changes.)
5.3.5.3. Disclosing information about individuals without prior supervisor authorization.
5.3.5.4. Monitoring the pattern of salary raises of others; determining the source and/or destination of telephone calls or Internet usage; patterns of personal location; exploring race and ethnicity indicators; querying student grades.
5.3.5.5. Circumventing the assigned levels of data access given to other users by providing access or data sets that are broader than those available via normal approved levels of access.
5.3.5.6. Facilitating another's illegal access to or compromise of the university's information resources by sharing account passwords or other information.
5.3.5.7. Violating university policies or federal, state, or local laws in accessing, manipulating, or disclosing university data.
6. Non-Compliance and Exceptions
For all CSUs and Data Stewards—if any of the minimum standards contained within this document cannot be met on systems manipulating Controlled or Confidential data that you support, you must submit a Security Exception Report that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.
For all university employees — non-compliance with this standard may result in revocation of system or network access, notification of supervisors, and/or reporting to the Offices of Internal Audit and Institutional Compliance.
All University of Texas at Austin employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Austin employees are required to comply with federal and state laws and regulations.
7. Related UT Austin Policies, Procedures, Best Practices, and Applicable Laws
The policies and practices listed here inform the system hardening procedures described in this document and with which you should be familiar. (This is not an all-inclusive list of policies and procedures that affect information technology resources.)
8. Sources
Portions adapted from "Security Requirements for Handling Information" (http://www.itap.purdue.edu/security/procedures/dataHandling.cfm), with permission from Purdue University, West Lafayette, Indiana 47907.
Portions adapted from "Cornell University Policy: Data Stewardship and Custodianship" (http://www.dfa.cornell.edu/treasurer/policyoffice/policies/volumes/governance/data.cfm), with permission from Cornell University, Ithaca, New York 14853.
9. Revision History
| Version | Date | New | Original |
|---|---|---|---|
| | 5/29/2018 | Updated visual style; credit to Stanford's Minimum Security Standards. Added sections 4.7, 4.8, 4.9, and 4.10. | |
| | 8/24/2015 | Aligned with updated Data Classification Standard | |
| | 6/24/2013 | Reviewed and fixed broken links. Dropped recursive link back to this document in references. | |
| | 6/19/2013 | Converted back to HTML | No changes |
| Minimum Security Standards for Data Stewardship | 2/28/2011 | Converted from PDF to HTML | No changes |
| | 05/03/2010 | Updated information in Data Stewardship Standard Sec 3.4; Under Cat-I column, removed "(see Data Encryption Guidelines)" and replaced with "(see Information Resources Use and Security Policy (IRUSP))."; Under Cat-II column, replaced "Category-I" with "Category-II data" | "(see Data Encryption Guidelines)"; "Category-I" |
| | 10/1/2009 | Updated visual appearance to new template. Corrected any out of date links to ensure they are pointing to the most current policy documents. | |
| | 9/14/2007 | Changed references from BPM 53 to UTS-165; In Section IV. References, removed "Draft" designation from the Data Stewardship and Application Development Standards; Corrected typo in standard 3.4. Changed "removal" to "removable" | "BPM 53"; "(Draft)"; "Storing data on removal media or portable device" |
| | 9/8/2007 | Corrected typo in standard 4.1. Changed "than" to "that." | "Machine must have limited access such that only those authorized can view. Otherwise, recipient must first agree than an authorized person will be present when the material is received." |
| | 5/30/2007 | Section IV, changed "printed digital data" to "printed data" to remove confusion. | "Specific procedures addressing the handling of printed digital data, including but not limited to:" |
10. Approvals
Name | Role | Members | Date |
---|---|---|---|
Chief Information Security Officer | Approval | Cam Beasley | 8/24/2015 |