|Policy Number: 1.2.B||Policy Owner:|
|Effective Date: 1/1/2011||Information Security & Business Continuity Governance|
|Policy applicable for: Faculty/Staff||Associated Standards/Regulations:|
|Responsible Office(s): BU Information Security||HIPAA, FERPA, GLB, PCI, Mass General Law|
Purpose & Overview
Information maintained by the University is a vital asset that must be available to all employees who have a legitimate business need for it. However, the use of University data for anything other than approved University business is prohibited by University policy and, in many instances, by state and federal law.
This document is a companion to the Data Classification Guide and defines the roles and responsibilities associated with the distribution and security of University data. As described below, individuals may not access, use or store some kinds of sensitive data without authorization from the appropriate Data Trustee. Individuals who are authorized by a Data Trustee to access, use or store sensitive information must follow any restrictions imposed by the Data Trustee.
Roles & Responsibilities
Data Trustees
The executive or head of each department included in the list of Data and Data Trustees below will designate at least two, but not more than four, Data Trustees. Data Trustees are those persons at the University with responsibility for the accuracy, integrity, and privacy of University data. They grant or deny access to University data, monitor the integrity of the data repositories, and perform regular audits to ensure all approved accesses are still valid and appropriate.
Data Trustees must make decisions regarding the handling of data in accordance with the University’s Information Security Policy and the Data Protection Standards, and in compliance with all federal, state, and local laws and regulations. Data Trustees are responsible for reviewing requests for access to sensitive data under their care regardless of whether the data is stored in the original data source, the authoritative repository or with any downstream users of the data.
Data Trustee responsibilities include:
- Responding to requests for access to University data within three business days with one of the following decisions: “Accepted”, “On Hold” (requesting more information), or “Denied”. Before permitting access, the Data Trustee must confirm that the requestor has a legitimate business reason for access to the data.
- Approving the minimum access or authorization necessary for the requestor’s needs.
- Supporting and enabling the implementation of required security measures as outlined in the University Data Protection Requirements. The Trustee may consult with IS&T and BU Information Security to determine appropriate controls.
- Ensuring that reviews are conducted regularly (not less than one time per year) to ensure all approved access is still valid and appropriate.
When an individual becomes a Data Trustee, the executive or department head should ensure that he or she receives a written description of his or her duties as Trustee and receives the appropriate training. (The Trustee duties list, manual and training are maintained and provided by BU Information Security.) The Data Trustee must acknowledge the responsibilities by signing and returning a copy to the executive or department head and to BU Information Security.
In the event a Data Trustee is unavailable to fulfill the responsibilities above, the executive or department head must designate an alternate until the Data Trustee is again available.
Departmental Security Administrators
Each unit or department’s executive or department head will designate at least two, but not more than four, Departmental Security Administrators (DSAs). DSAs will act as liaisons to the BU Information Security Team. DSAs oversee data security responsibilities at the department level.
Departmental Security Administrator responsibilities include:
- Identifying the department’s need to store or access Confidential and Restricted Use data
- Assisting with the data classification process and coordinating with the BU Information Security Team
- Before submitting a request for access, confirming with the requestor’s manager that the requestor has a legitimate business reason for access to the data.
- Communicating authorization requests for access to enterprise information system data, facilities, functions, roles and/or tasks to the appropriate data custodian.
- Requesting that access be removed when no longer required.
- Conducting regular reviews (not less than one time per year) of access lists and requesting removal of access when no longer needed.
- Assigning and collecting two-factor authentication tokens
- Communicating with BU Information Security in the event of any unauthorized disclosure, modification, or loss of Confidential or Restricted Use data
- Assisting with security awareness for the unit or department
A new DSA’s manager should ensure the new DSA receives a written description of his or her duties as DSA and receives the appropriate training. (The DSA duties list, manual and training are maintained and provided by BU Information Security.) The DSA must acknowledge the responsibilities by signing and returning a copy to his or her manager and to BU Information Security.
BU Information Security
Members of the BU Information Security Team support enterprise data management by providing certain functions and processes centrally.
Information Security responsibilities include:
- Coordinating with Office of General Counsel to communicate changes in applicable law that impact the responsibilities of the Data Trustees, Data Security Administrators and Data Custodians.
- Maintaining and publishing data management and protection standards, with appropriate input and approval from the Information Security and Business Continuity Governance Committee.
- Providing training to Data Trustees on tools and processes to conduct reviews of the access to data for which Trustees are responsible.
- Maintaining the list of DSA responsibilities and processes; maintaining the DSA manual.
- Providing training for DSAs. Training should be refreshed on an annual basis.
- Receiving and processing access requests from DSAs for designated systems.
- Defining and providing secure methods for clients to access Confidential and Restricted Use data. Where an appropriate method does not exist, providing consulting on the development of new solutions or compensating controls.
- Administering two-factor token assignments for specific individuals as coordinated with the DSA.
Data Custodians
Data Custodians are those persons primarily responsible for maintaining security and integrity of University systems on which University data resides. The Data Custodian’s “clients” are people or systems that access or use the data or systems which the Data Custodian maintains.
Data Custodian responsibilities include:
- Assisting clients or project teams with the submission of requests for access to University data.
- Providing data or access to data only as approved by the Data Trustee.
- If a Data Trustee has previously approved access to the data using one format or method, the Data Custodian need not get a new approval for a different format or method. For example, if access via spreadsheet or database is approved and the client would like it in a text file instead, this change does not require re-approval by the Trustee. Similarly, as long as the data is being transported using a mechanism approved by BU Information Security, changing from one mechanism to another (for example, switching from SFTP to FTP-S as the secure transport mechanism) does not require re-approval.
- Removing access when requested by the DSA.
- Conducting regular reviews (not less than one time per year) of access lists and removing access when no longer needed.
A new Data Custodian’s manager should ensure that the new Custodian receives a written description of his or her duties as Custodian and receives the appropriate training. The Custodian must acknowledge the responsibilities by signing and returning a copy to his or her manager.
Access Request Appeals
If the Data Trustee denies a request for access to University data, the requestor may appeal the decision to the executive or department head of the unit or department that owns the data (or a designee).
If you need assistance identifying a specific Prime Domain Owner, please visit the Domain Contact List.
Alternatively, you may contact your DSA or BU Information Security (email@example.com).
Generally, contact these offices with questions about these data types:
|Administrative Offices||Records Retention|
|Development & Alumni Relations||Alumni Gifts & Records, Telefunds, Donor & Recipient Information, Alumni Bio||Sachin Agarwal|
|Accounts Payable||Invoices, Vendor Maintenance||Matthew Abrams|
|Budget||Budget, Adjustments||Meghan Tracey|
|WBUR||Campaign Tracking, Donor Participation, Gifts and Pledges||John Hoder|
|Business Affairs||Vending Services||Shawn Stone|
|Cashier||Credit Cards||Carol Moy|
|Grants & Contracts||Grant Attributes, Principal Investigator maintenance||Andy Horner, Gretchen Hartigan|
|General Accounting||General Ledger, Unrestricted & Restricted accounting||Gillian Emmons, Donna Lane|
|Receivables||Student Accounts, Settlements, Collections||Kathleen Hynes|
|Disbursements||Payroll, Stipends, HR Time Entry||Matthew Abrams|
|VP Finance||Financial Account Number||Martin Howard|
|Dean of Students||Off Campus Housing, Judicial Affairs, Orientation, Alternative Spring Break||Shiney James|
|Graduate Admissions||Graduate Student Applications and Admissions Information||Jacalyn Reisz|
|Int’l Students & Scholars Office||International Student Admissions, SEVIS, International Scholars||Jeanne Kelley|
|Medical Campus||Med Financial Affairs, Accounting, Business Affairs||Michelle Hamm|
|Medical Parking & Transportation||Med Parking Permits, Tpass||Louis D’Addario|
|Office of Housing||Room Assignments/Check In/Withdrawal/Selection, Terrier Convenience Plan, Residence Access Control||Babak Sadri|
|Office of Admissions /||Student Applications, Admissions Information||Roberta Valday|
|Office of Risk Management||Drivers License Numbers||Paul Clancy|
|Office of Financial Assistance /Enrollment Services||Financial Aid Funds, Awards, Loans, Promissory Notes||Roberta Valday|
|Space Management||Building & Space Administration, Room survey, Building occupant and cost data||Gregg Snyder|
|Registrar/Enrollment Services||Student Records: Class Lists, Student Name, UID, SSN, Address, Telephone number, Race*||Roberta Valday|
|Human Resources||Employee Records: Employee Name, UID, SSN*, Address, Telephone number, Benefits, Race*, Payroll/Salary*||Maria Canellos|
|Payroll||Employee Records: SSN*, Payroll/Salary*||Kathleen Sirois|
|Parking Services||Parking Lots, Permits, Tpass||William Hajjar|
|Sourcing & Procurement||Requisitions, Purchase Orders, Buyer info||Richard Stack|
|Physical, Recreation & Dance||FitRec Memberships and Refunds, Registration, Instructor Class, Event Maintenance||Cynthia Loud|
|Provost Office||Faculty Records||Alison English|
|Student Activities Office||Student Activity Events and Sales||Gina Galland|
|School of Education||Literacy Test||Jacqueline Boyle|
|Student Employment Office||Student Employee information, Hire/Rehire, Timesheets, Job Board, Quickie Jobs, Work Study||Mary Ann French|
|Student Health Services||Student Health Records||Christopher Valadao|
|Telecommunications||Telephone Directory Information||Sean Kinneen|
* These data fields are jointly owned and approval must be granted by all trustees.
The Boston University Data Protection Standards:
- 1.2.A – Data Classification Guide
- 1.2.B – Data Management Guide
- 1.2.C – Access Management and Authentication Requirements
- 1.2.D – Data Protection Requirements & 1.2.D.1 – Media Destruction One-Sheets
- 1.2.E – Minimum Security Standards
- 1.2.F – Education, Compliance and Remediation
References & Related Documents:
For legal references, links to BU references and key contacts, see the References section of 1.2.A – Data Classification Guide.
|3/27/2011||Original Draft||BU Information Security||–Original–|
|3/31/2011||Approved||BU Information Security Governance Committee||–Original–|