This page is to be used in conjunction with REG 08.00.03 – Data Management Procedures and the following pages:
- Controls for Securing University Data – Best Practices
- Data Categories, Trustees, Stewards, and Custodians
- Determining Sensitivity Levels for Shared Data
- Storage Locations for University Data
- Frequently Asked Questions – Data Management Procedures
Summary of Changes
Summary of REG 08.00.03 – Data Management Procedures – 1. Purpose of this Regulation
Guidance for Faculty and Staff – REG 08.00.03 – Data Management Procedures – 1. Purpose of this Regulation
Summary of REG 08.00.03 – Data Management Procedures – 2. Authority Over Data
Summary of REG 08.00.03 – Data Management Procedures – 3. Data Management
Guidance for Faculty and Staff – REG 08.00.03 – Data Management Procedures – 3. Data Management
Summary of REG 08.00.03 – Data Management Procedures – 4. User Responsibilities
Summary of REG 08.00.03 – Data Management Procedures – 5. Security Administrators
Guidance for Faculty and Staff – REG 08.00.03 – Data Management Procedures – 5. Security Administrators
Summary of REG 08.00.03 – Data Management Procedures – 6. Data Classification Statement
Guidance for Faculty and Staff – REG 08.00.03 – Data Management Procedures – 6. Data Classification Statement
Summary of REG 08.00.03 – Data Management Procedures – 7. Training
Revisions to REG 08.00.03 – Data Management Procedures clarify (1) the definition of sensitive university data, (2) classification levels for sensitive university data, and (3) the university officials responsible for Data Management. In addition the proposed version introduces (1) the Data Sensitivity Framework, (2) the role of Application Sponsor, and (3) the process of Application Security Certification. Some additional clarifications and simplifications of language have also been provided.
REG 08.00.03 – Data Management Procedures assigns responsibility for custody and security of all university data, allowing the university to control data security consistently across various colleges and departments.
The regulation governs:
- All data that belongs to the university, regardless of storage location or format.
- Any computing system that accesses or uses university data.
Any information content in any format that has to do with university business, in the broadest terms, is university data. If you have the ability to create, read, retrieve, alter, or delete data, you have access to that data. The regulation describes data sensitivity levels assigned to university data in order to protect it appropriately.
When a Data Steward deems that university data requires additional controls and protections when it is processed, stored, or transmitted, that data is sensitive. Legal or contractual requirements may bind the university to protect this data from disclosure or unauthorized modification. In addition, the university may afford protection to some data for ethical reasons. REG 08.00.03 – Data Management Procedures does not address the release of university data as required by Public Records Law or subpoenas, court orders, or special exceptions to Privacy Laws.
The list below provides some examples of sensitive university data:
- Personally Identifying Information (PII)
- Protected health information (PHI)
- Student education records
- Customer record information, including but not limited to your library records that may identify you as having checked out a particular item, in accordance with RUL 02.61.02 – Confidentiality of Library Records and Data.
- Cardholder data (Payment Card Industry (PCI) defined data)
- Information in an employee’s personnel file not identified specifically as public information. See Your Personnel File under the bold heading Confidential Information.
- Confidential or proprietary information that a third party may share with you under the terms of a confidentiality agreement.
- Information that a research grant or other university contract protects
- University owned Intellectual Property
As you work with university data, keep in mind how sensitive it may be. The term “university business” might first bring to mind data that pertains to financial transactions or personnel files. However, it is important to think broadly about university data. For example, student information, research data, and educational course materials are university data because they pertain to the educational business of the university. Sensitive university data may also include, but not be limited to: public safety information, financial donor information, system access passwords, information security records, and information file encryption keys.
The fact that some of the list items above are sensitive data may be obvious. For example, you might think to yourself, “Of course I need to take special care to protect my customers’ credit card information because if it is compromised, there may be disastrous consequences for the cardholder.” Disclosure of credit card information may also have disastrous consequences for the university — up to $500,000 per breach incident and $50,000 per month for non-compliance with the Payment Card Industry Data Security Standard (PCI-DSS).
Consequences for disclosure of other sensitive university data, such as unapproved meeting minutes, may not be immediately obvious to you. However, if unapproved meeting minutes were prematurely disclosed, there might be negative effects on the university’s reputation and ability to do business as planned.
The university has authority over how its physical computer assets are used. NC State University is the legal custodian of all university data. Responsibility for data management flows from the Chancellor. The Chancellor’s designees are responsible for protecting university data based on data sensitivity classification.
Data Trustees oversee the data management related to university functions that units and personnel reporting to them manage, administer, or run. The list of Data Trustees includes: the Provost and Executive Vice Chancellor, the Vice Chancellor for Finance and Business, the Vice Chancellor and Dean for Academic and Student Affairs (DASA), the Vice Chancellor for University Advancement, the Vice Chancellor for Research, Innovation, and Economic Development, the Senior Vice Provost for Academic Outreach & Entrepreneurship, the Vice Chancellor and General Counsel, the Vice Chancellor for Information Technology, and the Director for Athletics.
Data Trustees will assign Data Stewards responsibility for data management under Data Stewards’ respective purviews. Data Stewards are primarily responsible for the accuracy, privacy and security of their assigned university data. In their respective areas, Data Stewards are responsible for the following:
- Evaluating, approving or disapproving requests for access to data.
- Determining the degree of users’ access to data (create, read, write, delete), and assuring compliance with access security standards.
- Defining or describing each data element under their respective oversights.
- Implementing security plans and procedures that take into account how confidential university data is, and how critical it is to university business.
- Initiating requests to modify university data definitions in their respective oversight.
- Classifying the degree of protection needed for all data elements in their respective oversights according to the Data Sensitivity Framework and in accordance with federal law, state law, contractual provisions, and university policies, regulations, rules, and standards.
- Ensuring protection of their assigned data according to data sensitivity level.
- Developing and maintaining Data Access Guidelines for all data elements in their respective oversights. Data Access Guidelines are the communication media between the Data Steward and Security Administrators, Data Custodians, Application Sponsors and end users on controls and special security considerations for the individual or grouped data elements in their respective oversights.
- Reassessing classification levels at least once every three years.
- Classifying and assuring protection of any replica data in their purviews consistently with the original data elements.
Sometimes Data Stewards may not agree on how university data should be used. In such cases, they will meet to jointly resolve data control, data sensitivity, or access issues.
Data Stewards assign specific data management responsibilities to individuals known as Data Custodians, who manage access rights to data and the implementation of controls to protect the security of the data . Data Custodians may delegate custodial responsibilities.
Application Sponsors approve the functionality of university applications and control protection of and access to application data. If a university application handles sensitive data, the relevant Application Sponsor and Data Custodian coordinate to define review and certification processes for the security of their applications’ data elements. Application Sponsors must identify and appropriately protect any sensitive data the application displays and/or stores, and certify protection annually. OIT Security and Compliance will coordinate the certification process with Application Sponsors. Application Sponsors are required to register applications handling sensitive data with OIT Security & Compliance.
Data Stewards are functionally responsible for university data under their respective purviews. Data Custodians are physically responsible for their assigned university data. Keep in mind that to a certain extent, the nature of data may dictate who the Data Custodian is. For example, you are your own Data Custodian for any university data stored in your home directory or locally on your desktop computer. The Director of OIT Security & Compliance is the Data Custodian for all OIT-supported applications that you might be using, but s/he may delegate custodial responsibility to someone else. The Principal Investigator on a research grant may be the Data Custodian for the research data involved with that grant. If you are unsure who the Data Custodian is, ask the relevant Data Steward (see Table of data categories, trustees, stewards, and custodians). Application Sponsors provide specifications for and fund the design and implementation of custom applications. For example, they may be departmental administrators, principal investigators, or research faculty in need of custom applications programming.
The individual is ultimately responsible for the security of any data that he or she has access to. Not only university employees, but also volunteers, contractors, vendors, partners, and students may use university data. These individuals must understand the sensitivity of university data that they interact with and use it properly. As a condition of their employment, university employees are required to use university data appropriately and to assure its security and privacy.
Data Custodians and their relevant Data Stewards appoint Security Administrators, who implement, monitor and coordinate standards, procedures, and guidelines necessary to administer access to university data. Security Administrators are responsible for:
- Ensuring compliance with Data Access Guidelines and assigned security controls.
- Implementing Data Access Guidelines that address authorized users.
- Processing requests from users for access to university data.
- Making sure that both Data Stewards and authorized users have appropriate access levels.
Data Stewards set Data Access Guidelines for their assigned university data. Data Access Guidelines are the main communication media among Data Stewards, Data Custodians, Security Administrators, and end users. See page 5 of Standard Operating Procedure – Advancement Data Use & Donor Privacy Guidelines (PDF) for a practical example of Data Access Guidelines. For help developing Data Access Guidelines, refer to Elements of a Data Management Plan.
The Security Administrators referred to above may administer access to university data by means of the Security Access Request (SAR) system. OIT Security & Compliance organizes a semi-annual certification of the appropriateness of end users’ access levels by the relevant Data Stewards.
The Data Classification Statement explains how the university protects the kind of data that is available only to those with a legitimate business need to access it.
University data belongs to the university regardless of where it is stored. Sensitive university data is considered sensitive regardless of where it is stored. The data classification statement applies to sensitive university data no matter where it is stored and no matter what format it is in. If you have a collection of data, such as a database, memory stick, or filing cabinet that contains any sensitive data elements, treat the entire collection at the highest level of sensitivity of any data element in the collection.
The Data Classification Statement primarily addresses Data Stewards and Application Sponsors who control access to sensitive data. In addition, the Data Classification Statement addresses Information Technology (IT) staff, both in the central Office of Information Technology (OIT) and at the college and/or department level who may control access to sensitive data. Data Stewards and Application Sponsors will generate Data Access Guidelines and other documentation for their end-users based on their interpretation of REG 08.00.03 – Data Management Procedures.
The university affords various degrees of protection for sensitive data based on a) the nature of the data, and b) the laws, policies, regulations, and rules that protect it in context. If you implement an application that accesses sensitive data, follow Data Access Guidelines to take appropriate measures to protect sensitive data.
The university uses colors to denote data sensitivity levels. Purple, red and yellow data are sensitive. Green and unclassified data are not sensitive.
Ultra-high Security (also known as purple-level data)
Data stewards may classify data elements within their data categories as Ultra-High Security (purple) in conjunction with the Data Sensitivity Framework. Purple data is extra-sensitive because:
- Multiple federal or state laws, contractual agreements, or government regulations protect it.
- If anyone discloses it or modifies without permission the university will pay extreme financial penalties.
- Based on past history, there is a greater likelihood that unauthorized disclosure or unauthorized modification would prompt litigation against the university.
Examples of purple data may include, but not be limited to: a) personally identifying information such as Social Security numbers, PINs, passwords, digital signatures, fingerprints, retinal scans or other biometric data, or b) credit card data, such as the credit card account number or the card security code, both of which are used to authorize a financial transaction on a credit card and subject to the PCI-DSS.
High Security (also known as red-level data)
You know that data belongs at the High Security classification level if unauthorized disclosure or unauthorized modification poses two or more of the following risks:
- Significant financial loss to the university, and
- Serious negative impact to the university’s reputation, and/or
- Serious impairment to the university’s ability to conduct business, and/or
- Violation of federal or state laws, contractual agreements or government regulations.
Data stewards may classify data elements as High (red) in conjunction with the Data Sensitivity Framework.
Moderate Security (also known as yellow-level data)
You know that data belongs in the Moderate Security classification if unauthorized disclosure or unauthorized modification causes at least one of the following:
- Some financial loss to the university,
- Some impairment of the university’s ability to conduct business, and/or
- A violation of federal law, state law, contractual agreement, or government regulations.
The federal law called the Family Educational Rights and Privacy Act (FERPA) protects most student education records from disclosure or modification. Unless students have requested that their directory information be protected with privacy blocks, student directory information is green level data. FERPA requires those who work with student records to treat them as sensitive data. However, student records are pervasive in the university environment. Exposing them does not pose the same level of risk for the university as exposure of Purple or Red data. Unauthorized disclosure or unauthorized modification of some data other than student education records may not result in financial loss, violation of law, contract, or regulation, but may affect the university’s reputation negatively. Data stewards may classify data elements as Moderate (yellow) in conjunction with the Data Sensitivity Framework.
Normal Security (also known as green-level data)
You know that data belongs in the Normal Security category if its disclosure would not affect the university adversely. However, only the appropriate university personnel may modify or approve automated modification of a master copy. Green level data is not considered sensitive, but does require controls to show who is ultimately responsible for the data itself and for changes to it. Data stewards may classify data elements as Normal (green) in conjunction with the Data Sensitivity Framework.
Unclassified data (also known as white level data)
If university data is generally available to the public, or if its release would not harm the university in any way, treat it as unclassified. Unclassified data requires no additional security controls. See Determining Sensitivity Levels for Shared Data for examples of types of data and how they are protected.
Specific examples of the consequences for disclosure or modification of Ultra-high Security (purple) university data may help you understand how important it is for the university to protect Ultra-high Security (purple) data. For example, if credit card information is disclosed, the department responsible for disclosure could be fined up to $500,000.
Data Stewards may apply to a) add data elements to the Data Sensitivity Framework, or b) to modify the sensitivity levels of data elements already in the Data Sensitivity Framework. Data Stewards should coordinate with a) each other, b) stakeholders, and c) OIT Security and Compliance, who will add the elements to the Data Sensitivity Framework.
In order to foster information security awareness among faculty and staff, OIT will offer regular training for all university staff to explain Data Management Procedures and the Data Classification Standard.