Data Security Standards (DSS)

Last Reviewed: October 6, 2022
Last Revised: October 6, 2022

  1. INTRODUCTION

    Security and compliance are ongoing, mission-critical business processes of the University and an integral part of the obligations of every member of the University community. The data security measures contained in this standard are intended to provide data resilience against the current and rapidly changing threat environment and to lay a solid foundation for addressing external compliance regulations, both legal and contractual.

    This policy applies to anyone who accesses, uses, or controls University computer and data resources, including, but not limited to, faculty, administrators, staff, researchers, students, those working on behalf of the University, guests, contractors, consultants, visitors, and/or individuals authorized by affiliated institutions and organizations.

  2. POLICY OVERVIEW

    Employees are granted access to data as part of their work duties at the University, based on the principle of “minimum necessary.” The Data Security Standards define the minimum security requirements that must be applied to the data types defined in Policy IT 13.10.051 - Data Classification. Some data elements, such as credit card numbers and protected health information, are regulated data with additional security requirements defined in external standards. GDPR-related data also requires heightened awareness and oversight. In addition, access to and use of University data is covered by the IT 13.10.050 - Institutional Data Management Policy.

  3. POLICY PROCESS

    This policy outlines the security measures for protecting Public, Internal, Confidential, and Restricted data. See Policy IT 13.10.051 – Data Classification.

    1. Requirements for Handling Public Data
      1. Access control: Access to data classified as Public is generally available to the public. Use, access, or modification of Public data is not restricted, provided that its release to the public would not harm the University or individual community members. The public has implicit permission to use Public data.
      2. Protection: Public data will be protected against unauthorized modification or misuse (integrity). Applicable system security standards will be implemented for systems that store, process, or transmit Public data.
      3. Sharing: Public data may be shared freely and published openly without the permission of a data steward.
      4. Retention: Public data may be stored for as long as necessary; there are no policies governing the retention of Public data.
      5. Incident notification: If a potential security incident could place Public data at risk of unauthorized modification, the Information Security Office (ISO) must be notified.

    2. Requirements for Handling Internal Data
      1. Access control: Access to Internal data must be provided on a least-privilege basis.
      2. Protection: Internal data does not need to be encrypted unless specifically requested. Applicable system security standards will be implemented for systems that store, process, or transmit Internal data.
      3. Sharing: Internal data can be shared among University employees. It may be provided to non-University entities based on business need and approval.
      4. Retention: Internal data should be stored only as long as necessary to complete a documented business process. See University Policy RISK 1.10.025 – Records Management.
      5. Incident notification: If a potential security incident could place Internal data at risk of unauthorized access, the Information Security Office (ISO) must be notified.

    3. Requirements for Handling Confidential Data
      1. Labeling: No special requirements. Some documents should be labeled as “Confidential.”
      2. Access control: Access to Confidential data must be provided on a least-privilege basis. No individual or system should be allowed to access the data unless a business process requires it. When access is required, the data steward must grant permission to use the data.
      3. Protection: Confidential data must be encrypted and securely disposed of. Applicable system security standards will be implemented for systems that store, process, or transmit Confidential data.
      4. Sharing: Confidential data may be shared among University employees under a well-defined business process approved by the data steward. It may be released publicly only under a well-defined business process and with the permission of the data steward.
      5. Retention: Confidential data should be stored only as long as necessary to complete a documented business process. See University Policy RISK 1.10.025 – Records Management.
      6. Incident notification: If a potential security incident could place Confidential data at risk of unauthorized access, the University Office of Information Security must be notified.

    4. Requirements for Handling Restricted Data
      1. Labeling: Must be marked as “Restricted.”
        1. Collection: Can be collected only when all of the following conditions are met:
          1. The data is not available from another authoritative source; and
          2. The data is required by a business process; and
          3. Permission has been granted to collect the data from the appropriate data steward; or if the data is requested by the University Office of General Counsel in response to litigation.
      2. Access control: Individuals must be granted access to Restricted data on a least-privilege basis. No individual or system may access the data unless a documented business process requires it. When access is required, the data steward must grant permission to use the data.
      3. Access auditing: Access auditing for files containing Restricted data should be enabled.
      4. Sharing: Access to Restricted data can be granted only by a data steward. No individual may share Restricted data with another person to whom the data steward has not granted access.
      5. Idle access: Devices that can be used to access Restricted data must lock automatically after a period of inactivity, using screensaver passwords, automatic logout, or similar controls.
      6. Protection:
        1. Transmission – Restricted data must be encrypted in transit, and the encryption method must meet the following requirements.
          1. The encryption algorithm is listed in FIPS 140-2 Annex A, the list of approved security functions.
          2. Cryptographic key lengths meet best practices for length, given current computer processing capabilities.
          3. Both the source and destination of the transmission must be verified.
        2. Storage – Restricted data must be encrypted using robust, public cryptographic algorithms and reasonable key lengths given current computer processing capabilities. Keys must be stored securely, and access to them must be provided on a least-privilege basis (see ISO 11568 for recommendations on protecting keys). If one-way hashing is used instead of reversible encryption, salted hashing must be used.
          1. Encrypt files containing Restricted data using a key or password different from the one used for system login.
          2. Encrypt data stored in databases.
          3. In addition to file and database encryption, implement full-disk encryption on all workstations and portable devices containing high-risk data.
      7. Applicable system security standards will be implemented for systems that store, process, or transmit Restricted data.
      8. Retention: Restricted data should be stored only as long as necessary to complete a documented business process. See University Policy RISK 1.10.025 – Records Management.
      9. Destruction: When Restricted data is no longer needed, it should be destroyed in accordance with applicable policies, using methods that resist data recovery attempts, such as cryptographic data destruction utilities, on-site physical device destruction, or a NAID-certified data destruction service.
      10. Incident Notification: If a potential security incident could place Restricted data at risk of unauthorized access, the University IT Office of Information Security must be notified. See also University Policy IT 2.30.064 – Data Breach Protocol.


    5. For security, privacy, and regulatory reasons, those creating, managing, or storing research data must pay particular attention to its classification and the appropriate security measures. Research data classified as Confidential or Restricted must be stored on University-controlled devices and systems, not personal devices or personally acquired services. The appropriate University units must vet data sharing agreements. Researchers must ensure that data are secure and are used only by those approved to access them.
       
    6. Especially when working or traveling in the European Union, close attention must be paid to data affected by the General Data Protection Regulation (GDPR). Particular care should be taken with human-subjects research (i.e., research concerning identified or identifiable individuals). Anonymization of the data is preferred; pseudonymization presents a greater risk, although it is acceptable. The appropriate University data steward or the research project's principal investigator should advise on the sharing of the data.
       
  4. DEFINITIONS