Restricted Data Security Management

Layout for printing
Policy Number:
UW-515
Responsible Office:
Division of Information Technology (DoIT)

University Policy

Rationale/​Purpose:

The long-term purpose of this policy is to locate and secure UW–Madison restricted data. In order to identify and manage the highest risk data as quickly as practical, the policy will initially only apply to UW–Madison Social Security numbers (SSNs).

Unauthorized access to restricted data can have significant detrimental effects on individuals or the institution. Restricted data can be used for fraud and identity theft. Cybercriminals regularly attack computers and networks in higher education institutions. There have been sizeable information security breaches at institutions that resulted in financial impacts of many hundreds of thousands of dollars. Those amounts do not account for the loss of reputation and trust that can have a serious ongoing impact on both instruction and research.

The university is obligated to protect UW–Madison restricted data and to report possible incidents. Protection of restricted data is governed by a number of different laws and standards, including, for example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and the Wisconsin Data Breach Notification Law.

To protect restricted data, the institution must have up-to-date information about where it is stored. There is a significant reduction in risk if the presence of restricted data is reduced to the extent practical. In addition to finding and reporting the presence of the data, the annual discovery and reporting process is a convenient time to consider how the presence of the data can be reduced.

The university’s obligation to protect UW–Madison restricted data does not depend upon the location or ownership of the computing device or service that is used to store, transmit or process it. For this reason, the policy and procedures address both UW–Madison-owned and non-UW–Madison-owned computing devices and services that are used for UW–Madison business.

The university respects the privacy of employees, contractors, and associates. The university is obligated to appropriately manage all UW–Madison data no matter how it is stored, transmitted, or processed. The policy and associated implementation procedures include provisions that protect privacy while at the same time enabling the institution to fulfill its obligations.

Scope:

This policy applies to all schools, colleges, divisions, centers, and other units of UW–Madison, including any associated contractors or other entities or persons.

This policy applies to all computing devices and services that are used for UW–Madison business, regardless of who owns, operates, or possesses them, including both UW–Madison-owned and non-UW–Madison-owned devices and services. The associated implementation procedures provide guidance on how to address personally-owned devices and privately-contracted services in a manner that respects the privacy of individuals and non-university entities.

This policy applies to graduate and undergraduate student employees in the performance of their job duties. Students are otherwise exempt from this policy.

Exceptions are described in the associated implementation procedures.

Policy:

Policy

This policy will initially only apply to UW–Madison Social Security numbers (SSNs) during the period from January 1, 2015, through December 31, 2020. The initial period may be extended.

"Restricted Data" (defined at Data Classifications) includes at least six different kinds of data, one of which is SSNs. “UW-Madison Restricted Data” is restricted data for which the institution has ownership, stewardship, or custodial interest. It does not include data that is unrelated to UW–Madison business.

  1. All schools, colleges, divisions, departments, centers, and other units of UW–Madison must at least annually find, reduce, protect, and report the storage locations of UW–Madison restricted data related to the unit’s business, including restricted data stored by contractors or other entities or persons associated with the unit.
    1. Find UW–Madison restricted data on all computing devices and services that are used for UW–Madison business, including restricted data on personally-owned devices and privately-contracted services when the device or service is used for UW–Madison business.
    2. Dispose of unneeded files, data records, or data sets that contain UW–Madison restricted data, being careful to retain UW–Madison records according to the approved records retention schedules.
    3. Move as many of the remaining instances of UW–Madison restricted data as practical into any of the offline or online storage locations that are approved by the Office of Cybersecurity for the long-term storage of restricted data, retaining in other locations only those instances that are necessary for immediate operations.
    4. Report all remaining instances of UW–Madison restricted data to the Office of Cybersecurity using the currently established reporting procedures.
  2. Accountability and responsibility for compliance with provision (1) of this policy are distributed as follows:
    1. Management for each school, college, division, department, center, or other unit of UW–Madison is accountable for the compliance of their unit, including all employees, contractors, and associates.

    2. Employees, contractors, and associates of each unit are responsible for making computing devices and services that they own, operate, or possess available for inspection if that device or service is used for UW–Madison business.

      Some UW–Madison restricted data is stored on personally-owned devices or privately-contracted services that are being used for UW–Madison business. UW–Madison is obligated to ensure that its restricted data is appropriately protected, regardless of the ownership or location of the device or service.

      The university respects the privacy of individuals and non-university entities. As an alternative to inspection, employees, contractors, and associates may provide satisfactory assurances that either:

      1. There is not significant storage or use of UW–Madison restricted data on the device or service; or
      2. If there is significant storage or use, either:
        1. The storage or use will be reduced in a timely manner so it is no longer significant; or

        2. The device or service is, or soon will be, protected as described by the mandatory portions of the applicable data security standard.

          The threshold for “significant use” is specified in the associated implementation procedures.

          Management for each unit determines what assurances are satisfactory, consistent with the guidelines provided in the associated implementation procedures, subject to review by higher management in consultation with the Office of Cybersecurity.

    3. Responsibility for providing technical or procedural support may be delegated to IT staff, but this does not relieve others from their accountability and responsibility as described in (2)(a-b).
  3. UW–Madison data stewards, data custodians, business process owners, and others with similar responsibilities for managing data must, when practical, eliminate or reduce the presence of UW–Madison restricted data in forms, files, data records, data sets, databases, applications, processes, and other similar locations.
  4. This policy and associated implementation procedures provide general criteria for managing UW–Madison restricted data. When more specific guidance is needed, the data stewards or their delegates, in consultation with the Office of Cybersecurity, make the final decision on the conditions under which UW–Madison restricted data may be present in particular circumstances.

Enforcement

Failure to comply may result in appropriate action to enforce compliance, and/or denial of access to UW-Madison Restricted Data or other UW-Madison information resources. In addition:

  1. UW-Madison employees who do not comply may be subject to disciplinary action up to and including termination of employment.
  2. Contractors or associates who do not comply may be subject to penalty under the governing agreement. Compliance with the policy may be a consideration affecting new or renewed agreements.
  3. Computing services or devices may be denied access to UW-Madison information resources to assure that UW-Madison Restricted Data is only present in known locations that are adequately protected.
Related UW–Madison Documents, Web Pages, or Other Resources:

Policy Administration

Approval Authority:
Chief Information Officer & Vice Provost for Information Technology
Policy Manager:
Assistant Director, Cybersecurity Program and Business Services
Contact:
IT Policy Writer and Analyst, Office of CyberSecurity; IT Policy Website Link -- Sara Tate-Pederson, itpolicy@cio.wisc.edu, (608) 263-5370
Effective Date:
01-01-2015
Revised Dates:

12-26-2019

Reviewed Dates:

12/26/2019

Retrieved:
05-22-2022 03:02:38