Departmental Information Security Action Plan
Confidential information is defined as that information which is not releasable to the public under state or federal law, and which could reasonably be used to perpetrate identity theft, constitute a serious and unwarranted invasion of personal privacy, compromise the physical security of university employees or property, or compromise the University’s computer systems.
All academic and administrative offices within the University have the primary responsibility and authority to ensure their respective departments comply with University requirements for privacy and security of specific types of confidential information (e.g., student educational records, personnel records, health records, and financial transaction data). These units are responsible for general security issues (e.g., legal issues, security compliance, physical security and communications) as well as for completing risks assessments and assisting in the development of University IT security policies, standards and best practices in the areas of their responsibility.
ITS requests that each department engage in the necessary efforts to secure its data from improper disclosure. Specifically, each department is charged to complete the following Action Plan:
- Complete an audit of confidential information electronically stored in their respective areas. For each file or database which meets the confidential criteria, complete and submit the Confidential Information-Data Audit Report request. A help desk ticket will be generated and forwarded to ITS for the purpose of identifying it for secure storage. When feasible, remove or redact confidential information.
- Review the ITS audit report for additional identification of confidential data residing on departmental machines. When feasible, remove or redact confidential information.
- Move all existing confidential documents to the assigned centralized confidential document storage space specified by ITS which requires network authentication for access. Store all newly created electronic files containing confidential information on this confidential document storage space. For more information on centralized confidential document storage review this presentation (PDF).
- Once a file containing confidential information has been successfully moved to the secure storage space, delete it from local storage and then empty the recycle bin.
- For any confidential file or data that is transmitted offsite, complete and submit the Confidential Information-Data Transmission Report. This report allows for the establishment of a dedicated station where files can be transmitted securely using the latest security protocols.
- Develop procedures and guidelines for your area to implement an ongoing process for continued information security which includes periodic security reviews referencing this action plan.