Restricted Data Security Management Policy

Layout for printing
Policy Number:
UW-515
Old Policy Number:
n/a
Responsible Office:
Division of Information Technology (DoIT)

University Policy

Scope:

Applies to all Schools, Colleges, Divisions, Centers and other units of UW-Madison, including any associated contractors or other entities or persons.

Policy:

Policy

The Restricted Data Security Management policy will initially only apply to UW-Madison Social Security Numbers (SSN’s) during the period from January 1st 2015 through December 31st 2020. The initial period may be extended.

"Restricted Data", (defined at Data Classifications,) includes at least six different kinds of data, one of which is Social Security Number (SSN). “UW-Madison Restricted Data” is Restricted Data for which the institution has an ownership, stewardship or custodial interest. It does not include data which is unrelated to UW-Madison business.

  1. All Schools, Colleges, Divisions, Departments, Centers and other units of UW-Madison must at least annually find, reduce, protect, and report the storage locations of UW-Madison Restricted Data related to the unit’s business, including Restricted Data stored by contractors or other entities or persons associated with the unit.
    1. Find UW-Madison Restricted Data on all computing devices and services that are used for UW-Madison business, including Restricted Data on personally-owned devices and privately-contracted services when the device or service is used for UW-Madison business.
    2. Dispose of unneeded files, data records, or data sets that contain UW-Madison Restricted Data, being careful to retain UW-Madison records according to the approved records retention schedules.
    3. Move as many of the remaining instances of UW-Madison Restricted Data as practical into any of the offline or online storage locations that are approved by the Office of Cybersecurity for the long-term storage of Restricted Data, retaining in other locations only those instances that are necessary for immediate operations.
    4. Report all remaining instances of UW-Madison Restricted Data to the Office of Cybersecurity using the currently established reporting procedures.
  2. Accountability and responsibility for compliance with provision (1) of the policy is distributed as follows:
    1. Management for each School, College, Division, Department, Center or other unit of UW-Madison is accountable for the compliance of their unit, including all employees, contractors and associates.

    2. Employees, contractors and associates of each unit are responsible for making computing devices and services that they own, operate, or possess available for inspection if that device or service is used for UW-Madison business.

      Some UW-Madison Restricted Data is stored on personally-owned devices or privately-contracted services that are being used for UW-Madison business. UW-Madison is obligated to assure that UW-Madison Restricted Data is appropriately protected, regardless of the ownership or location of the device or service.

      The university respects the privacy of individuals and non-university entities. As an alternative to inspection, employees, contractors and associates may provide satisfactory assurances that either:

      1. there is not significant storage or use of UW-Madison Restricted Data on the device or service.
      2. if there is significant storage or use, either:
        1. the storage or use will be reduced in a timely manner so it is no longer significant, or

        2. the device or service is, or soon will be, protected as described by the mandatory portions of the applicable data security standard.

          The threshold for “significant use” is specified in the associated implementation procedures.

          Management for each unit determines what assurances are satisfactory, consistent with the guidelines provided in the associated implementation procedures, subject to review by higher management in consultation with the Office of Cybersecurity.

    3. Responsibility for providing technical or procedural support may be delegated to IT staff, but this does not relieve others from their accountability and responsibility as described in (2)(a-b).
  3. UW-Madison data stewards, data custodians, business process owners and others with similar responsibilities for managing data must, when practical, eliminate or reduce the presence of UW-Madison Restricted Data in forms, files, data records, data sets, databases, applications, processes, and other similar locations.
  4. The Restricted Data Security Management policy and the associated implementation procedures provide general criteria for managing UW-Madison Restricted Data. When more specific guidance is needed, the data stewards or their delegates, in consultation with the Office of Cybersecurity, make the final decision on the conditions under which UW-Madison Restricted Data may be present in particular circumstances.

Special cases

  1. The Restricted Data Security Management policy applies to all computing devices and services that are used for UW-Madison business, regardless of who owns, operates, or possesses them, including both UW-Madison-owned and non-UW-Madison-owned devices and services. The associated implementation procedures provide guidance on how to address personally-owned devices and privately-contracted services in a manner that respects the privacy of individuals and non-university entities.
  2. This policy applies to graduate and undergraduate student employees in the performance of their job duties. Students are otherwise exempt from this policy.
  3. Exceptions are described in the associated implementation procedures.

Background

The long-term purpose of the Restricted Data Security Management policy is to locate and secure UW-Madison Restricted Data.

In order to identify and manage the highest risk data as quickly as practical, the policy will initially only apply to UW-Madison SSN’s.

Unauthorized access to Restricted Data can have significant detrimental effects on individuals or the institution. Restricted Data can be used for fraud and identity theft. Cyber criminals regularly attack computers and networks in higher education institutions. There have been sizeable information security breaches at institutions that resulted in financial impacts of many hundreds of thousands dollars. Those amounts do not account for the loss of reputation and trust that can have a serious ongoing impact on both instruction and research.

The university is obligated to protect UW-Madison Restricted Data and to report possible incidents. Protection of Restricted Data is governed by a number of different laws and standards, including for example, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS), and the Wisconsin Data Breach Notification Law.

In order to protect Restricted Data the institution must have up-to-date information about where it is stored. There is a significant reduction in risk if the presence of Restricted Data is reduced to the extent practical. In addition to finding and reporting the presence of the data, the annual discovery and reporting process is a convenient time to consider how the presence of the data can be reduced.

The university’s obligation to protect UW-Madison Restricted Data does not depend upon the location or ownership of the computing device or service which is used to store, transmit or process it. For this reason, the policy and procedures address both UW-Madison-owned and non-UW-Madison-owned computing devices and services that are used for UW-Madison business.

The university respects the privacy of employees, contractors, and associates. The university is obligated to appropriately manage all UW-Madison data no matter how it is stored, transmitted, or processed. The policy and associated implementation procedures include provisions that protect privacy while at the same time enabling the institution to fulfill its obligations.

Authority

Issued by the UW-Madison Vice Provost for Information Technology.

Enforcement

Failure to comply may result in appropriate action to enforce compliance, and/or denial of access to UW-Madison Restricted Data or other UW-Madison information resources. In addition:

  1. UW-Madison employees who do not comply may be subject to disciplinary action up to and including termination of employment.
  2. Contractors or associates who do not comply may be subject to penalty under the governing agreement. Compliance with the policy may be a consideration affecting new or renewed agreements.
  3. Computing services or devices may be denied access to UW-Madison information resources to assure that UW-Madison Restricted Data is only present in known locations that are adequately protected.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.

Related UW-Madison Documents:

The "IT Policy Glossary" defines a number of terms used in this policy.

There are numerous other policies that govern the protection of UW-Madison Restricted Data. These may vary according to the specific type of Restricted Data, or how that data is collected or used.

The DoIT Knowledge Base (KB) has a document on Getting Started with Identity Finder (now known as Spiron), which includes training and links to other KB articles. There is also an Identity Finder FAQ (now known as Spiron) and a list of all related articles.

Policy Administration

Approval Authority:
Chief Information Officer & Vice Provost for Information Technology
Policy Manager:
Assistant Director, Cybersecurity Program and Business Services
Contact:
It Policy Writer and Analyst, Office of CyberSecurity -- Sara Tate-Pederson, itpolicy@cio.wisc.edu, (608) 263-5370
Effective Date:
01-01-2015
Revised Dates:

12/26/2019

Reviewed Dates:
12/26/2019
Retrieved:
03-02-2021 02:01:48