Policy Title: Data Stewardship, Security and Protection
Impact: Employees, Students, Affiliates
Responsibility: Chief Information Officer
Effective Date: 3/28/2018
Revised Date:
Reviewed Date:
Relates to Procedure(s): 3.08.03
Legal Citation(s):
I. Policy
It is the policy of North Idaho College (NIC) to protect its institutional data and allow the use, access, and disclosure of such information in accordance with NIC interests and applicable laws and regulations. NIC owns all institutional data and throughout its lifecycle, the data shall be classified and protected in a reasonable and appropriate manner based on its level of sensitivity, value, and criticality to NIC. All NIC faculty, staff, students, and affiliates who provide services or work with NIC institutional data are responsible for protecting it from unauthorized access, modification, destruction, or disclosure.
Authorization for access and the maintenance of security of all institutional data, particularly highly sensitive data, is delegated to specific individuals within their defined roles (data steward, data custodian, data user, or system administrator) and in relation to the data being used. Data security measures are commensurate with the value, sensitivity, and risk involved with particular data.
II. Compliance
- NIC prohibits the disclosure of restricted and sensitive data in any medium except as approved by the appropriate data steward or data custodian. The use of any data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited.
- NIC prohibits the storage of restricted data on any storage device or media not approved for use by the NIC IT department. If an individual is required to store data on such media, that individual must obtain written approval from both the data steward and CIO.
- All individuals accessing NIC institutional data are required to comply with federal and state laws and NIC policies and procedures regarding data security. Any NIC employee, student, or affiliate with access to NIC data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this policy and will be subject to appropriate disciplinary action.
III. Data Classification
To implement security at the appropriate level, to establish guidelines for legal/regulatory compliance, and to reduce or eliminate conflicting standards and controls, data is classified by the appropriate data steward or data custodian into one of the following categories:
- Restricted: Any NIC institutional data that, if disclosed to unauthorized persons, would be a violation of federal or state laws, NIC policy, or NIC contractual obligations. Any file or data that contains personally identifiable information may also qualify as restricted data. The highest level of security is applied to this data classification.
- Sensitive: Any NIC institutional data that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, use, modification, transmission, or storage. A reasonable level of security is applied to this data classification.
- Public: Any NIC institutional data to which the public is granted access, in accordance with NIC policy or standards. A level of control is applied to this data classification to ensure appropriate use.
IV. Data Stewardship Roles
- Data steward refers to executive level NIC officials responsible for managing a major area of NIC institutional data, and who oversee the lifecycle of one or more sets of institutional data.
- Data custodian refers to NIC officials and their staff who have operational-level responsibility for the capture, maintenance, and dissemination of data for specific areas.
- Data user refers to individuals that have been granted access to institutional data in order to conduct NIC business.
- System administrator refers to individuals with administrative access to an information system at NIC.
V. Definitions
- “Affiliate” refers to any authorized individual, business, or organization that acts on behalf of NIC, or is authorized to conduct work for NIC.
- “Institutional data” refers to any type of information that is processed, created, collected, transferred, recorded, or stored by NIC to conduct NIC business.
- “Information Technology (IT) resources” refers to any resources related to the access and use of digitized information, including but not limited to hardware, software, devices, appliances, and network bandwidth.
- “Security controls” are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
Procedure Title: Data Stewardship, Security and Protection
Impact: Employees, Students, Affiliates
Responsibility: Chief Information Officer
Effective Date: 3/28/2018
Revised Date:
Reviewed Date:
Relates to Policy(s): 3.08.03
Legal Citation(s):
This procedure defines data stewardship and the security requirements for protecting institutional data based on its data classification at North Idaho College (NIC).
I. Data Stewardship
- Individuals who create, collect, handle, manage, or use institutional data are responsible for complying with the responsibilities of their identified role. Responsibilities are defined by guidelines that accompany this procedure, and are created and maintained by the Information Technology department (IT) in conjunction with the IT Planning and Policy Council (ITPPC).
- All data stewards and data custodians must have a thorough understanding of security risks impacting institutional data. Security risks will be documented and reviewed by a data steward or data custodian so that they can determine whether greater resources need to be devoted to mitigating these risks.
- The IT department will not provide access to institutional data without approval from a data steward or data custodian. The IT department will identify security risks as well as provide and remove user access.
- The IT department shall provide guidelines for restricted data types based on state/federal regulatory requirements and contractual obligations.
II. Classifying and Reclassifying Data
- Classifying Data. Data stewards and data custodians assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements will be used. If the appropriate classification is not obvious, the data steward or data custodian will default to classifying data based on the Federal Information Processing Standards (“FIPS”) publication 199 published by the National Institute of Standards and Technology (NIST). If an appropriate classification is still unclear after using FIPS, the data steward or data custodian will contact the Chief Information Officer (CIO).
- Reclassifying Data. Periodically, the classification of institutional data will be reviewed by a data steward or data custodian to ensure the classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of data or its value to NIC.
III. Security and Controls
The NIC IT department will work with personnel to ensure that the correct security controls are in place for data based on its classification. The NIC IT department and the ITPPC will establish security guidelines in accordance with industry best practices, standards, and federal and state laws.
IV. Enforcement
- Regarding employees and other affiliates, the consequences of policy violation will be commensurate with the severity and frequency of the offense and may include termination of employment or contract.
- Regarding students, the consequences of policy violations will be commensurate with the severity and frequency of the offense and may include suspension or expulsion.
- Violations of this policy will be addressed in accordance with appropriate NIC policies and procedures, as issued and enforced by the appropriate authorities.
- Violations of any local, state, or federal law will be reported to law enforcement.
- Consequences of policy violation may include, but are not limited to, the following:
- Notification: alerting a user to what appears to be an inadvertent violation of this policy in order to educate the user to avoid subsequent violations.
- Warning: alerting a user to the violation with the understanding that any additional violation will result in a greater penalty.
- Loss of computer and/or network privileges: limitation or removal of computer and/or network privileges, either permanently or for a specified period of time.
- Penalties: if applicable, the violator may be subject to criminal or civil penalties.
V. Appeal
For employees, an appeal of unresolved disputes of enforcement actions will be handled via the Grievance Policy and Procedure. For students, all provisions of the Student Code of Conduct shall apply.
VI. Maintenance
This procedure will be reviewed by NIC’s Chief Information Officer (CIO), IT Department, and the ITPPC every three years or as deemed appropriate based on changes in technology or regulatory requirements.
VII. Exceptions
Exceptions to this procedure must be approved by the NIC IT Department and formally documented under the guidance of the CIO, and President’s Cabinet.