4:042 Information Security and Data Classification Policy
Austin Peay State University
Information Security and Data Classification Policy
August 17, 2018
Vice President for Finance and Administration
Office of Information Technology
It is the policy of Austin Peay State University to provide a security framework that
will ensure the protection of university information from unauthorized access, loss,
or damage. The university is committed to protecting all restricted and private data
collected and maintained on university students, employees, donors, vendors and others.
This policy governs the use, control, and access to restricted data defined by statute,
regulation, contract, license, or definitions within this policy. This policy also
defines and governs the use of private and public university data. Included within
this policy is the university data classification description and definition.
Austin Peay State University is committed to maintaining the confidentiality, integrity,
and availability of all restricted, private, and public university data. The purpose
of this policy is to establish classifications for university data and a framework
to preserve the integrity of all university information regardless of the medium,
to include physical and electronic forms.
Contents (if applicable)
- Data vs. Information
- Enterprise Information System (EIS)
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Security Standards (PCI-DSS)
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Virtual Private Network (VPN)
- Who Is Affected By This Policy
- Failure to Comply with this Policy
- APSU Policy 1:016
- APSU Policy 4:029
- APSU Policy 4:031
- APSU Policy 4:040
- APSU Policy 4:041
- Access Control Guideline
Definitions
- Availability: Ensuring that data and services are available when needed.
- Confidentiality: The assurance of data privacy and protection from unauthorized disclosure.
- Data vs. Information: Data is raw, unorganized facts that are not meaningful until processed, organized, structured, or presented in a context that makes them useful. This context is called
- Encryption: Programs and measures to encode data such that it cannot be decoded and read without knowing an appropriate secret key.
- Enterprise Information System (EIS): Any centralized data storage or distribution system on the university network. Enterprise information systems are managed by the Information Technology department.
- Family Educational Rights and Privacy Act (FERPA): Federal legislation that protects the privacy of students' personally identifiable information (PII) and governs its access and disclosure. The act applies to all educational institutions that receive federal funds.
- Gramm-Leach-Bliley Act (GLBA): Federal law that defines and controls how financial institutions handle, secure, and destroy customers' private information.
- Health Insurance Portability and Accountability Act (HIPAA): Federal law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other
- Integrity: The protection of data from unauthorized modification, both malicious and accidental.
- Payment Card Industry Data Security Standards (PCI-DSS): Proprietary standard for organizations that handle branded credit cards, mandated by the major credit card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls for cardholder data to reduce credit card fraud.
- Personally Identifiable Information (PII): Any information about an individual maintained by the university, including any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- Protected Health Information (PHI): Any information created, received, maintained, processed, or transmitted by the university that relates to the past, present, or future physical or mental health of an individual, the provision of health care to an individual, or the past, present, or future payment for health care, and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
- Virtual Private Network (VPN): The extension of a private network across a public network, enabling users to send and receive data across the public network as if their computers or devices were directly connected to the private network. The VPN creates a secure, encrypted tunnel between the end user and the private network.
Who Is Affected By This Policy
This policy applies to all university faculty and staff, as well as students acting on behalf of Austin Peay State University including, but not limited to, student workers, student interns, and graduate assistants. This policy also applies to all other individuals and entities granted use of university data and information including, but not limited to, contractors, vendors, temporary employees, and volunteers.
Data Classification
Austin Peay State University has adopted the following three classifications of university
- Restricted Data: Any information protected by federal, state, or local laws and regulations or industry standards, including HIPAA, GLBA, FERPA, and PCI-DSS. Restricted Data includes but is not limited to PII and PHI, Social Security numbers, credit card numbers, bank account numbers, and driver's license numbers.
- Private Data: Any information that is proprietary or produced only for use by members of the Austin Peay State University community who have a legitimate purpose to access such data. Private Data includes but is not limited to internal operating procedures and operational manuals, internal memoranda, emails, reports and other documents, and technical documents such as system configurations and floor plans.
- Public Data: Any information that can be made available to the general public with no legal restrictions on its access or use. Public Data includes but is not limited to general access data on the university websites, campus maps, directory information (except for students who explicitly request to restrict their directory data), and university financial statements and reports generally available to the public.
General Security
- All university personnel and agents of the university with access to restricted and/or private data must ensure that this data is protected against physical theft or loss, electronic invasion, or unintentional exposure. All university personnel and agents of the university must also protect all university data against loss of integrity.
Electronic Security
- General Security
  - Electronic Restricted data must only be stored on university owned and protected Enterprise Information Systems (EISs), the university file server system, and cloud applications that have a contractual relationship with the university and have adequately addressed compliance with university data security, privacy, and IT management requirements. The Information Technology department is responsible for the management and security of all EISs.
  - Electronic Private data may be stored on university owned desktops and laptops that are protected with university required encryption and security applications, and where all operating system patches and updates are applied as scheduled by the Information Technology department. Private data may also be stored on university authorized cloud applications and cloud storage solutions. Private data may not be stored on personally owned computers or devices.
- Remote Access
  - Remote access to restricted and private data is available only to authorized personnel and agents of the university. Personnel must be authenticated to access restricted and private data, the data must be encrypted during transit, and the remote access must be via university supported VPN.
- Portable Devices and Media
  - Restricted data may not be stored on any portable device or media.
  - Private data may be stored on university supplied portable devices and media that have adequate protective measures implemented to safeguard confidentiality and integrity in the event of theft or loss. Users in possession of private data on portable devices and media are responsible for protecting the data.
- Equipment Disposal
  - University owned computers, portable devices, and portable media must have all university data permanently erased before transfer out of university control, and/or be destroyed, by the Information Technology department.
Responsibilities
All Austin Peay State University faculty, staff, students acting on behalf of the university, and others granted use of university data and information are expected
- Understand the data classification levels defined in this policy.
- As appropriate, classify the data and information for which one is responsible accordingly.
- Access university data and information only as needed to meet legitimate business
- Not divulge, copy, release, sell, loan, alter, or destroy any university data or information without a valid business purpose and/or authorization.
- Protect the Confidentiality, Integrity, and Availability of university data and information in a manner consistent with the classification level and type.
- Handle information in accordance with any other applicable university standard or
- Safeguard any physical key, ID card, computer account, or network account that allows one to access university data and information.
- Discard media containing Austin Peay State University data and information in a manner consistent with the classification level, type, and any other applicable university retention requirement. This includes data and information contained in any hard copy document, or in any electronic, magnetic, or optical storage medium.
- Contact the Office of the General Counsel prior to responding to any litigation or law enforcement subpoenas, court orders, open records requests, and other requests from private litigants and/or government agencies.
- Contact the appropriate university office prior to responding to requests for information from regulatory agencies, inspectors, examiners, and/or auditors.
- All university units and departments are responsible for developing procedures for handling, disposing of, and securing Restricted and Private Data in physical form.
Failure to Comply with this Policy
Failure to comply with current Data Security procedures may result in limiting or denying access to university data resources. If, upon investigation by the appropriate university officials, the lack of compliance appears to have been willful and deliberate, or if there is repeated lack of compliance, disciplinary action up to and including termination may be taken.
APSU Policy 4:017 – Issued: August 17, 2018
President: signature on file