Purpose

The purpose of this policy is to provide a structured and consistent process to obtain necessary data access for conducting Clayton State University (CSU) operations (including administration, research, and instruction). This document will assist in defining the relevant mechanisms for delegating authority to accommodate the unit level processes while adhering to segregation of duties and other best practices, as well as defining data classification and related safeguards.

Please note that the term data classification should not be confused with the practice of handling or working with “Classified Data” (e.g. Government Classified Data). CSU classifies all data into one of four Data Categories described in the Data Categories section of this document. Insofar as this policy deals with access to CSU computing and network resources, all relevant provisions in the Acceptable Use Policy, the Cyber Security Program Plan, and the Clayton State Privacy Policy are applicable and included by reference in this document. In all cases, applicable federal and State statutes and regulations that guarantee either protection or accessibility of University records will take precedence over this policy.

Authority

It is the responsibility of Clayton State University, through the Chief Data Stewards, to implement procedures to effectively manage and provide necessary access to CSU Data, while at the same time ensuring the confidentiality, integrity, availability, accountability, and audibility (CIAAA) of the information. Appropriate implementation of the policy will ensure University compliance with the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), as well as the Family Educational Rights & Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Scope

All employees, students, affiliates, contractors, consultants, vendors, or other consumers or users of Clayton State University data, and all data (electronic, paper or otherwise) used to conduct operations of the University are covered by this policy. This policy does not address public access to data as specified in the Georgia Open Records Act. Furthermore, this policy does not apply to notes and records that are the personal property of individuals in the CSU community.

Policy Terms: 

Term Definition
Cloud Computing/Cloud Services A network of remote servers or services, hosted by third parties, used to store, manage, and process data. Examples of cloud computing services include Outlook 365, OneDrive, Banner Managed Services, etc.
Data: All information generated or owned by Clayton State University. Also, information not generated by CSU, but which CSU has the duty to manage. This information can exist in any form including, but not limited to, print and electronic.
Chief Data Stewards: Define the guiding principles governing access to Institutional Data.
Data Steward: Are directly responsible for the care and management of data at Clayton State University. Data Stewards are ultimately responsible for classifying data elements, granting access to data, educating users on responsibilities associated with data access, and work with IT on data security.
Authorized Requester: Are designated departmental faculty or staff members responsible for reviewing employee data access requests to ensure it is required based on their job duties.
Data Coordinators Are appointed by the Data Stewards to coordinate data access requests, maintain records of all authorized users and will take steps to modify access when personnel changes occur that affect data access.
Data Administrators Will provide procedures for requesting data access and will execute any approved access request as authorized by a Data Steward or their appointed Data Coordinator.
Endpoint: Desktop computers, laptop computers, workstations, group access workstations, USB drives, small servers, cloud hosted virtual machines, and personal Network Attached Storage (NAS)
Mobile Device: Mobile devices at CSU include, but are not limited to:

  • Cellular telephones
  • Smart phones (e.g. iPhones, Android Phones, BlackBerrys)
  • Tablet computers (e.g. iPad, Kindle, Kindle Fire, Android Tablets)
  • Wearable Devices (e.g. Google Glass, watch devices)
  • Personal Digital Assistants
  • Any other mobile device containing CSU data (e.g handheld scanning devices)

Laptops and USB drives are considered Endpoints for the purpose of this policy (see definition above).
Server Any computer system that hosts a campus unit or University wide service, or acts as an authoritative source of data for the University or campus unit.


Policy Statement: 

The Chief Data Stewards have defined the following guiding principles governing access to CSU Data by any individual conducting Clayton State University operations:

  • Inquiry-type access to official University Data will be as open as possible to individuals who require access in the performance of CSU operations without violating legal, federal, or State restrictions. Compelling justification is required to limit inquiry access to any data element.
  • Data Users granted “create” and/or “update” privileges are responsible for their actions while using these privileges. That is, all campus units are responsible for the University Data they create, update, and/or delete.
  • Any individual granted access to CSU Data is responsible for the ethical usage of that data. It will be used only in accordance with the authority delegated to the individual to conduct Clayton State University operations.

Chief Data Stewards hereby delegate authority to Data Stewards for implementing the policy at the unit level.

Access Coordination

Data Stewards will designate individuals to coordinate University Data access for each functional data grouping. The Data Coordinator will maintain records of authorized Data Users and serve as the contact point for the Data Administrator(s). The Data Coordinator will inform the appropriate Data Administrator on a timely basis of any changes that affect data access. Employees may request access to data through a designated Authorized Requester. Procedures for requesting data access will be provided by the Data Administrator(s).
Documentation of data elements and their appropriate use is the responsibility of the Data Stewards, Data Coordinators and Data Administrator(s).

Data Categories

Clayton State University Data shall be classified into four major categories that are defined as described in this section. The Data Stewards, in consultation with the Data Coordinators and Data Administrators, are responsible for defining which data elements and data views fall into each data category.

  • Category I – Public Use: This information is targeted for general public use. Examples include Internet website contents for general viewing and press releases.
  • Category II – Internal Use: Information not generally available to parties outside the CSU community, such as directory listings, minutes from non-confidential meetings, and internal (Intranet) websites. Public disclosure of this information would cause minimal trouble to the University. This category is the default data classification category.
  • Category III – Sensitive: This information is considered private and must be guarded from disclosure; unauthorized exposure of this information could contribute to ID theft, financial fraud and/or violate State and/or Federal laws.
  • Category IV – Highly Sensitive: Data which must to be protected with the highest levels of security, as prescribed in contractual and/or legal specifications.

ITS Access to Data

Information Technology Services (ITS) positions with direct responsibility in maintaining and supporting University Information Systems that contain data used to conduct operations of CSU are not required to individually obtain approval for data access. Direct responsibilities of the position in relation to the access of data in these systems should be covered in each individual’s Workload Assignment, as defined by their department head.

ITS employees will be responsible for being familiar with the policy as it relates to his or her position and job duties. ITS Directorates will be responsible for conducting policy awareness training for new department hires and that policy awareness reminders occur on an annual basis.

Request for Review:
Data Users may request that the Data Stewards and Chief Data Stewards review the restrictions placed on a data element, Data View, and/or the classification of data. All such requests will be submitted through an Authorized Requester to a Data Coordinator. The appropriate Chief Data Steward has final governance authority regarding matters of data restrictions and requests for access rights to university data.

Procedures: 

The following paragraphs and referenced documents are intended to assist Authorized Requester, Data Stewards, Data Coordinators, and Data Administrators with the department-level implementation of the Data Access Policy.

Requesting Data Access:
Detailed procedures and guidelines for requesting data access under this policy are contained in the Clayton State University Data Access Procedures. These documents shall be updated on an “as needed” basis, reflecting any changes to the process and/or roles involved.

Protecting Sensitive Data:
The internal computers, mobile devices, networks, application software and data repositories of Clayton State University are critical resources of the University and must be protected against inappropriate access and/or disruption of service. Active measures are necessary to ensure data integrity and reduce the risk of system compromise, especially when sensitive information may be at risk. The rising frequency of security incidents involving network-attached devices significantly increases the probability that sensitive data, if not properly identified and protected, may be exposed to unauthorized viewing or modification. Established procedures for protection and release of sensitive information must be followed regardless of the platform used to store that data.

The Data Protection Safeguards document is a comprehensive set of Technical (IT), Administrative (procedural), and Physical safeguards which need to be put in place in order to ensure adequate protection for each category of data, as described in the Data Categories section above. Any deviation from mandatory requirements must be documented and covered by adequate compensating control(s). The department of Internal Auditing or Information Security Officer is available to assist in reviewing compensating controls.

Data Stewards, in consultation with the Data Coordinators and Data Administrators, are responsible for:

  • Categorizing and/or re-classifying data elements and views.
  • Granting selective access to Institute Data.
  • Educating authorized users on responsibilities associated with data access.
  • Informing technology specialists about data classifications to determine physical and/or logical controls required.

On the other hand, it is the express responsibility of authorized users and their respective business units to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and related procedures.

Sensitive Data as it pertains to Department-Level Servers:
Serving devices (servers) storing sensitive information shall be operated by professional system administrators, in compliance with all ITS security and administration policies, and shall remain under management oversight. Each such unit-level server storing sensitive or highly sensitive data shall be registered as outlined below and shall have a Technical (IT) as well as an Administration point of contact.

Deans, Vice Presidents and Associate Vice Presidents, in their stewardship roles, are responsible for monitoring compliance with the Data Access Policy and associated guidelines by:

  • Directing the reviews of, and responding to technical reports for, servers within units for which approval has been given to store sensitive information;
  • Ensuring that all unit-level servers storing sensitive or highly sensitive data are registered with ITS Information Security: Refer to Data Protection Safeguards
  • Coordinating with ITS Information Security to ensure that the server(s) providing this information to the campus network and Internet are secured through reasonable procedures; and
  • Conducting periodic access control assessments of any sensitive information devices or services within their business units, in coordination with ITS Information Security.

Sensitive Data as it pertains to Endpoints and Mobile Devices:
When storing CSU data on Clayton State University owned or personally owned endpoints (e.g. desktops, laptops, or workstations), mobile devices, and devices that are not used or configured to operate as servers, the device must be configured as described in the Data Protection Safeguards document. Any deviation from mandatory requirements within the Data Protection Safeguards must be documented and covered by adequate compensating control(s). The department of Internal Auditing and Information Security is available to assist in reviewing compensating controls.

Sensitive Data as it pertains to Cloud Computing Services:
When using cloud computing services or storage with Clayton State University data, Data Users must follow procedures described in the Data Protection Safeguards. Regulatory requirements, such as International Traffic in Arms Regulations (ITAR) and U.S. Export Controls, must be considered when utilizing cloud computing services. Category IV data (credit card data) is not covered by this policy statement, refer to the University Credit Card Processing Policy.

Sensitive Data as it pertains to Email Services:
Data Users must use official Clayton State University email services when emailing CSU data. Using third party email services (e.g. Gmail, Hotmail, Yahoo Mail) to send or store University data is prohibited.

Communication

Upon approval, this policy shall be published on the CSU Policy Library. The following offices and individuals shall be notified via email and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document:

  • Chief Data Stewards, Data Stewards, Data Coordinators, Data Administrators
  • Department Heads
  • Unit-level business officers

In addition, the Clayton State University Information Technology Services’ department shall provide training and awareness. Avenues for training and awareness will include:

  • New employee orientation
  • New faculty orientation
  • Campus unit faculty/staff training and awareness sessions

Enforcement: 

Data Users are expected to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by applicable laws, policies, procedures and guidelines with respect to access, use, or disclosure of information. The unauthorized storage, disclosure or distribution of CSU Data in any medium, except for legitimate University business or authorized academic use is expressly forbidden, as is the access or use of any CSU Data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy one’s personal curiosity or that of others.

Each person affiliated with Clayton State University will be responsible for being familiar with the policy as it relates to him or her. Violations of the policy may result in loss of data access privileges, administrative sanctions (including termination or expulsion) as outlined in applicable CSU disciplinary procedures, as well as personal civil and/or criminal liability.