Information Handling Standards
[Approved by the Data Oversight Committee on 6/15/07.]
Rationale and Background
The University Information Security Policy requires controls to manage risks to the confidentiality, integrity and availability of University information. These handling standards define the controls required for University information in any form. These required controls represent a minimum standard for protection of University information. Additional controls required under applicable laws, regulations, or standards governing specific forms of data (e.g., health information, credit cardholder data) may also apply.
Each individual who creates, uses, processes, stores, transfers, administers, and/or destroys University information is responsible and accountable for complying with these standards.
In addition to compliance with these standards, all computers owned by the University and/or connected to a University network must comply with the Security Configuration Standards [login required] and Server Management Standards, as applicable.
Creation
University employees create records as part of the normal course of conducting the business of the University. These records document the decisions and activities of our complex educational and business enterprise. It is essential that they be created and maintained appropriately throughout their entire life cycle.
Highly sensitive information contained in University records constitutes an area of critical concern because of the severe risk to the University should records be mishandled or information inappropriately accessed or disclosed. As a consequence, records containing highly sensitive information should exist only in areas where there is a legitimate and justifiable business need, as authorized by the Data Steward, and maintained under strict controls as outlined in this document.
Campus departments should work to identify and track all University records through their life cycle by way of records retention schedules (prepared in collaboration with the University Archives). A first priority in this effort should be the identification of highly sensitive information. Records schedules will document the existence of these materials, the rationale behind keeping them, and help ensure their availability during the period in which they are vital as either active administrative or historical records. Record retention schedules also will work to ensure the timely disposal of non-permanent, inactive records, thereby mitigating the risk of exposure of information when it no longer serves an active administrative or historical function.
Access
Highly Sensitive
Highly sensitive information requires strict control, very limited access and disclosure, and may be subject to legal restrictions.
Only University employees who have written authorization from the relevant Data Steward, and have a signed confidentiality agreement on file, may have access to highly sensitive information. Any other disclosure of highly sensitive information requires the written approval of the appropriate Officer of the University, in consultation with the Office of General Counsel as necessary.
Sensitive
Only University employees who have a legitimate business need may have access to sensitive information. Any other disclosure of sensitive information requires the written approval of the appropriate Data Steward.
Internal
Only University employees should have access to internal information. Employees may share internal information with others based upon University business needs.
Public
Public information is intended for widespread disclosure. It does not require confidentiality controls.
Use, Transmission and Storage
The following controls are required when using, transmitting or storing highly sensitive and/or sensitive information.
- Do not discuss or display it in an environment where it may be viewed or overheard by unauthorized individuals.
- Do not leave keys or access badges for rooms or file cabinets containing such information in areas accessible to unauthorized personnel.
- Do not send this information via instant message or unsecured file transfer unless it is encrypted.
- Store electronic media (including backups) containing such information in a secure location. If this media contains highly sensitive information, encrypt it, inventory it and review the inventory quarterly.
- When printing, photocopying or faxing it, ensure that only authorized personnel will be able to see the output.
The following controls are required when using, transmitting or storing highly sensitive information and are recommended for sensitive information:
- Do not send this information via email unless it is encrypted.
- Store paper documents in a locked drawer and in a locked room to prevent unauthorized access.
- Label highly sensitive information as such, from the time it is created until the time it is destroyed. Include the name of the originating office in the label. Such labels must appear on all manifestations of the information, whether hardcopy or electronic.
- Number pages of documents using a running-total format to indicate both the page number and the total number of pages (e.g., page 3 of 5).
- Encrypt electronic information when not in active use, using an encryption algorithm approved by the Office of Information Technologies.
- Follow an established and documented software development lifecycle when building applications.
The following controls are required when using, transmitting or storing sensitive information and are recommended for internal information:
- Do not send this information to non-nd.edu addresses via email unless it is encrypted.
- Store paper documents in a locked room to prevent unauthorized access.
Transport
The following controls are required when transporting highly sensitive and/or sensitive information:
- When sending such information by mail (including U.S. Postal Service, DHL, UPS, FedEx, etc.), the sender must obtain tracking and signature confirmation services.
- Enclose this information in a tamper-evident sealed envelope and encrypt it when in electronic form.
The following controls are required when transporting highly sensitive information:
- When carrying highly sensitive information, or devices containing such information, ensure that it is physically secure at all times.
- Do not send unencrypted highly sensitive information by campus mail.
- Do not remove highly sensitive information from an approved secure location without prior approval of the Data Steward.
Destruction
- University records should be destroyed only in accordance with the Archives and Records Management Policy.
- Destroy electronic instances of University information using an OIT-approved method as described at http://secure.nd.edu/disposal/index.shtml. Reformatting a hard drive is not sufficient to securely remove all data.
- Crosscut shred or pulp all highly sensitive or sensitive information in paper form. This includes all transitory work products (e.g., unused copies, drafts, notes).
Definitions
Data Handling
Using, storing, processing, transferring, administering, aggregating, sharing, and/or maintaining University information.
Data Steward
An individual who is responsible for ensuring the confidentiality, integrity, and availability of University information. A Data Steward defines access to and restrictions on use of the information for which he or she is responsible.
Encrypt(ion)
The process of encoding data so that it can only be read using the appropriate key.
Information Security
The protection of the confidentiality, integrity, and availability of University information.
Security Classifications
Categories of University information based upon intended use and expected impact if disclosed.
- Public
Information intended for public use that, when used as intended, would have no adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.
- Internal
Information not intended for parties outside the University that, if disclosed, would have minimal or no adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.
- Sensitive
Information intended for limited use within the University that, if disclosed, could be expected to have a serious adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.
- Highly Sensitive
Information intended for very limited use within the University that, if disclosed, could be expected to have a severe adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.
Software Development Life Cycle
A set of formal methods used to develop applications to help ensure that they meet expectations for quality, cost, and function.
University Information
All information that the University of Notre Dame or its agents use in the course of conducting University business, except those materials specifically excluded from University ownership as set forth in the University's Intellectual Property Policy.
University Records
Recorded information, in any form, created or received in the course of conducting University business and kept as evidence of such activity, excluding transitory work products.
Related Documents
Notre Dame Documents
- Archives and Records Management Policy
- Encryption Key Escrow Standard
- Incident Response Policy and Procedures
- Information Management Policy
- Information Security Policy
- Password Standard
- Responsible Use of Information Technology Resources
- Security Classification Guidelines
- Security Configuration Standards
- Server Management Standards
Other (External) Documents
- Code of practice for information security management; ISO 17799
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Indiana Disposal of Personal Information (Indiana Code 24-4-14)
- Payment Card Industry Data Security Standard (PCI DSS)
Contacts
Handling Standards
For clarification of these standards, contact the appropriate Data Steward.
Data Steward List (MS Word document)

