8.2.2.20 Category E Data Protection Standard

Purpose

Category E data includes confidential University information requiring security and privacy protection, subject to State of Oklahoma Policy, Standards, Procedures, and Guidelines (PSPG), Privacy Act of 1974, E-Government Act of 2002, and the Fair and Accurate Credit Transaction Act of 2003.

Data Collection and Use

  1. Limited to authorized uses as outlined in the University Privacy Policy.
  2. A Notice of Collection that describes the purpose for which personal data is collected must be specified at, or prior to, the time of collection (also known as the Right to be informed).  Data collected must only be used in accordance with the Notice of Collection.
  3. Departments/Colleges that collect and/or use Category E data must participate in the Information Security Program by reporting Category E servers to OU IT through an OU IT Security Assessment.
  4. University web pages that are used to collect Category E data must include a link to the OU Privacy Policy.
  5. SSNs shall not be used to identify members of the OU community if there is a reasonable alternative.
  6. Social Security Numbers shall not be used as a username or password.
  7. Social Security Numbers shall not be collected on unauthenticated individuals.

Granting Access or Sharing

  1. Reasonable methods shall be used to ensure internal data is accessed by or shared with authorized individuals or individuals with a legitimate need to know.
  2. Per the Identity and Access Management Policy, all access shall be approved by an appropriate Data Owner or Steward and tracked in a manner sufficient to be auditable.
  3. Access to Category E data must require multi-factor authentication, in accordance with the Identity and Access Management Policy.
  4. Staff, faculty, or student accounts must authenticate to Category E data using an approved authentication method, in accordance with the Identity and Access Management Policy.
  5. Data Owners and Stewards must review access to Category E data in accordance with the Identity and Access Management Policy.
  6. All interfaces used for sharing Category E data must be registered in the IT Asset Inventory, in accordance with the IT Asset Management Policy.

Disclosure or Posting

  1. Category E data that includes identifiable data elements (e.g., Employee ID, first name, last name, date of birth, address, SSN, gender) shall not be disclosed without consent.
  2. Category E data that includes identifiable data elements (e.g., Employee ID, first name, last name, date of birth, address, SSN, gender) may not be posted publicly.
  3. Directory information can be disclosed without consent.  However, individual employees can opt out of directory information disclosure.

Electronic Display

  1. Category E data shall be displayed only to authorized and authenticated users of a system.
  2. Identifying numbers or account numbers shall be, at least partially, masked or redacted.

Open Records Request

  1. Category E data is typically not subject to open records disclosure.  However, some open records requests can be fulfilled by redacting the sensitive portions of records.
  2. Data can be readily provided upon request with approval from the OU Open Records Office.

Exchanging with Third Parties, Service Providers, or Cloud Services

  1. A contractual agreement outlining security responsibilities shall be in place and approved by the Office of Legal Counsel before exchanging data with the third party or service provider.
  2. An IT Security Assessment must be completed before the purchase or integration of new hardware, software, or third-party technology services that collect, store, transmit, or process Category E Data.
  3. All contractors, consultants, third parties, or other non-employees must only be given Privileged Access to data or systems when the Data Steward or Asset Administrator determines there is a legitimate business need.  These privileges must be enabled only for the time period required to accomplish approved tasks and then promptly disabled upon completion of the approved tasks.  Unattended access by contractors, consultants, third parties, or other non-employees requires an OU IT Exception Request to be submitted.
  4. All access by contractors, consultants, third parties, or other non-employees must be monitored and reviewed by the Office of Information Technology and Asset Administrators.

Storing or Processing: Server Environment

  1. Servers or data classified as Category E must be stored in one of OU's designated enterprise data centers and be placed in the business or general network zones.
  2. Category E data shall be encrypted in storage, where available.  Where encryption is not available, it must be captured in the IT Risk Assessment and the risk accepted by the appropriate party.
  3. Servers that connect to the OU network shall comply with IT Security Policies and Standards.

Storing or Processing: Endpoint Environment (e.g., laptop, phone, desktop, tablet, etc.)

  1. Category E data must not be stored on an Endpoint unless encrypted in accordance with the Encryption Standard.
  2. Asset Administrators must create procedures to transfer Category A data from endpoints to an approved enterprise data center location on a nightly basis.
  3. Endpoints that connect to the OU network shall comply with IT Security Policies and Standards.

Storing on Removable Media (e.g., USB drives, flash drives, CDs, DVDs, etc.)

  1. Category E data shall only be stored on removable media if encrypted in accordance with the Encryption Standard.

Electronic Transmission

  1. Secure, authenticated connections or secure protocols shall be used for transmission of Category E data.

Email and other Messaging

  1. Messages shall only be sent to authorized individuals with a legitimate need to know.
  2. Messages shall be transmitted in an encrypted format by placing [SECURE] or [ENCRYPT] in the subject line.

Copying and Printing

  1. Data should only be printed when there is a legitimate need.
  2. Paper copies of data must be limited to individuals with a need to know.
  3. Paper copies should not be left unattended where others may see them.
  4. Unauthorized access to printed materials must be prevented by locking doors, cabinets, etc.

Retention and Disposal

  1. Data shall be retained in accordance with the State of Oklahoma General Records Disposition Schedule for State Universities and Colleges.
  2. Copies of records may be destroyed when they are no longer required for administrative purposes.
  3. Data shall be deleted and rendered unrecoverable using a DoD 3-pass secure deletion technique.
  4. Printed materials or paper copies shall be destroyed by the shredding method.

Revision, Review, and Approval History

  • October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
  • January 2024: OU IT Governance, Risk, and Compliance: Comment period closed
  • March 2024: OU IT Governance, Risk, and Compliance: Added Granting Access and Sharing statements.  Added Exchanging with Third Parties statements.  These statements align with the Identity and Access Management Policy.
  • March 2024: OU IT Governance, Risk, and Compliance:  Added Storing or Processing: Server Environment statements from the OUHSC Information System Storage and Data Sharing Policy.  Added Storing or Processing: Endpoint Environment statements from the OUHSC Information System Storage and Data Sharing Policy.
Details

Article ID: 3101
Created: Wed 10/25/23 1:18 PM
Modified: Tue 4/2/24 9:14 AM
