8.2.2.18 Category D1 Data Protection Standard

Purpose

Category D1 research data includes data which the University is obligated to protect in accordance with the Department of Defense Cybersecurity Maturity Model Certification and National Institute of Standards and Technology (NIST) Special Publication 800-171. Category D1 data is also subject to State of Oklahoma Policy, Standards, Procedures, and Guidelines (PSPG).

Data Collection and Use

  1. All Category D1 uses must be approved by the Office of Export Controls.
  2. Departments/Colleges must maintain an inventory of physical or virtual assets storing, transmitting, and processing Category D1 data in accordance with the IT Asset Management Policy and Standard.
  3. System interconnections must be approved by a Data Owner, Principal Investigator, or Asset Administrator and documented.
  4. All assets storing, processing, or transmitting Category D1 data must undergo an IT Risk Assessment completed by OU IT Governance, Risk, and Compliance before interacting with CUI. This assessment is to be reviewed and updated on or before the execution and anniversary date of agreements imposing Category D1 protection requirements. These assessments will result in a System Security Plan (SSP) that will be provided to the Director of Export Controls, Chief Information Security Officer, and Principal Investigator for signature, as an attestation of the level of compliance with information protection requirements.
  5. The OU IT Governance, Risk, and Compliance (GRC) team, in collaboration with the Principal Investigator, OU IT, Distributed IT, and Independent System Administrators, must develop, document, and maintain:
    1. A Systems Security Plan;
    2. A Plan of Action and Milestones to monitor and manage security controls not yet implemented, but scheduled to be implemented, and controls not scheduled to be implemented; and
    3. University risk decisions supporting any decisions to not implement required security controls.

Granting Access or Sharing

  1. Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and shall be approved by the Principal Investigator (Data Owner).
  2. Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved by the Office of Legal Counsel.
  3. Per the Identity and Access Management Policy, all access shall be approved by an appropriate Data Owner or Steward and tracked in a manner sufficient to be auditable.
  4. Access to Category D1 data must require multi-factor authentication, in accordance with the Identity and Access Management Policy.
  5. Staff, faculty, or student accounts must authenticate to Category D1 data using an approved authentication method, in accordance with the Identity and Access Management Policy.
  6. Data Owners and Stewards must review access to Category D1 data in accordance with the Identity and Access Management Policy.
  7. All interfaces used for sharing Category D1 data must be registered in the IT Asset Inventory, in accordance with the IT Asset Management Policy.

Disclosure or Posting

  1. Disclosure or public posting of Category D1 data is not permitted unless approved by the Sponsor and the Office of Export Controls.

Electronic Display

  1. Category D1 data shall be displayed only to authorized and authenticated users of a system.

Open Records Request

  1. Data can be provided upon request with approval from the OU Open Records Office. 

Exchanging with Third Parties, Service Providers, or Cloud Services

  1. A contractual agreement outlining security responsibilities shall be in place and approved by the Office of Legal Counsel before exchanging data with the third party or service provider.
  2. An IT Security Assessment must be completed before the purchase or integration of new hardware, software, or third-party technology services that collect, store, transmit, or process Category D1 Data. 
  3. All contractors, consultants, third parties, or other non-employees must only be given Privileged Access to data or systems when the Data Steward or Asset Administrator determines there is a legitimate business need. These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks. Unattended access by contractors, consultants, third parties, or other non-employees requires that an OU IT Exception Request be submitted.
  4. All access by contractors, consultants, third parties, or other non-employees must be monitored and reviewed by the Office of Information Technology and Asset Administrators.

Storing or Processing: Server Environment

  1. Servers or data classified as Category D1 must be stored in one of OU's designated enterprise data centers and be placed in the controlled unclassified information (CUI) network zones.
  2. Category D1 data shall be encrypted in storage, where available. Where encryption is not available, it must be captured in the IT Risk Assessment and the risk accepted, in writing, by departmental leadership.
  3. Servers that connect to the OU network shall comply with IT Security Policies and Standards.
  4. Servers that store, process, or transmit Category D1 data shall implement measures to comply with NIST Special Publication 800-171.

Storing or Processing: Endpoint Environment (e.g., laptop, phone, desktop, tablet, etc.)

  1. Category D1 data must not be stored on an Endpoint unless the Endpoint or data is encrypted in accordance with the Encryption Standard.
  2. Endpoints that connect to the OU network shall comply with IT Security Policies and Standards.
  3. Endpoints that store, process, or transmit Category D1 data shall implement measures to comply with NIST Special Publication 800-171.

Storing on Removable Media (e.g., USB drives, flash drives, CDs, DVDs, etc.)

  1. Category D1 data shall be stored on removable media only if encrypted in accordance with the Encryption Standard.

Electronic Transmission

  1. Only secure, authenticated connections or secure protocols shall be used for transmission of Category D1 data.

Email and other Messaging

  1. Messages shall be sent only to authorized individuals with a legitimate need to know.
  2. Messages shall be transmitted using only the OU Microsoft 365 GCC High Email service.

Copying and Printing

  1. Data should only be printed when there is a legitimate need.
  2. Printed materials must be marked appropriately.  See CUI Marking Guideline.
  3. Paper copies of data must be limited to individuals authorized to access the data.
  4. Paper copies should not be left unattended where others may see them.
  5. Unauthorized access to printed materials must be prevented by locking doors, cabinets, etc.

Retention and Disposal

  1. Data shall be retained in accordance with the State of Oklahoma General Records Disposition Schedule for State Universities and Colleges or contractual obligations.
  2. Copies of records may be destroyed when they are no longer required for administrative purposes.
  3. Data shall be deleted and rendered unrecoverable using a DoD 3-pass secure deletion technique.
  4. Printed materials or paper copies shall be destroyed by the shredding method.

Revision, Review, and Approval History

  • October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
  • January 2024: OU IT Governance, Risk, and Compliance: Comment period closed
  • January 2024: Office of the Provost, Health Sciences: Standard reviewed, comments submitted
  • January 2024: Office of Compliance: Standard reviewed, comments submitted
  • February 2024: OU IT Governance, Risk, and Compliance: Replaced "Data Risk Assessment" with "IT Risk Assessment".  Added risk acceptance must be in writing from departmental leadership.  Added clarification to Endpoint Environment encryption.  
  • March 2024: OU IT Governance, Risk, and Compliance: Added Granting Access and Sharing statements.  Added Exchanging with Third Parties statements.  These statements align with the Identity and Access Management Policy.

Details

Article ID: 3099
Created: Wed 10/25/23 1:12 PM
Modified: Thu 4/4/24 8:37 AM
