Draft Information Security Classification Policy
RUTGERS POLICY
Section: xx.x.xx
Section Title: Legal Matters
Policy Name: Information Security
Formerly Book: not applicable
Approval Authority: Senior Vice President and Chief Financial Officer
Responsible Executive: Vice President for Information Technology
Responsible Office: OIT Information Protection and Security
Originally Issued: DATE TBD
Revisions:
Errors or changes? Contact: mgergel@rutgers.edu
1. Policy Statement
The university recognizes that information is a valuable asset that must be protected to ensure its confidentiality, integrity, and availability; to support the university's core functions; to comply with its legal and regulatory obligations; and to contribute to the effective overall management of the institution.
This document provides the policy framework through which these aims can be achieved.
2. Reason for Policy
To ensure that all individuals utilizing university resources understand their responsibility for protecting the university's data and for achieving these objectives.
To provide guidance on the classification of Rutgers information based on its fiscal, legal, and administrative value to the university.
To identify the corresponding Rutgers standard to be implemented by owners and/or custodians, based upon the sensitivity and classification of the information asset.
3. Who Should Read Policy
All members of the Rutgers University community
4. Related Documents
GLBA Policy (link to policy)
Identity Theft Compliance Policy (link to policy)
Records Management Policy (draft, link to policy)
Rutgers Minimum Security Standards for Networked Devices (draft, link to standard)
NJ Right to Know Law (Open Public Records Act) (link to law)
5. Contacts
Rutgers Information Protection and Security
732-445-8011
6. The Policy
xx.x.xx Information Security
I. Policy Statement
Rutgers has adopted a security model to address its highly distributed and complex environment. A wide variety of systems, databases, and applications connected to RUNet create, store, and transmit information. Information protection is the responsibility of the department that brings in or generates the information for the university. That department is also responsible for ensuring the protection of the data once it is distributed to any other department that maintains or uses the information. Further, the department is responsible for applying the appropriate "due care", based upon the sensitivity of the information.
This policy provides direction on classifying information assets and identifies the applicable Rutgers control standards that shall be applied to the information based on its fiscal, legal, and administrative value to the university. Therefore, university faculty and staff shall:
· Classify data based upon the sensitivity criteria outlined in this document
· Implement the applicable Rutgers security standard based upon this classification
II. Classification of Data
A. Data
The University's data is defined as any information within its purview, including student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the administration of the University. This document covers all information regardless of storage medium (e.g., paper, fiche, electronic tape, cartridge, disk, and CD-ROM) and regardless of form (e.g., text, graphic, video, and voice), as well as University data stored at third party providers.
B. Classification of Data
All University data is classified based upon sensitivity and risk. The classification of data and the corresponding levels take into account legal and regulatory obligations of the University, contractual agreements, and strategic or proprietary worth of the data.
C. Classification Levels
Classification levels provide guidance to custodians, owners, and users of Rutgers data on the access and authentication mechanisms appropriate for that data. Therefore, University data will be assigned one of the following classification levels.
Restricted Data
Restricted data is the most sensitive information and requires the highest level of protection. This information is usually described as 'non-public information' about people and is under the purview of a Data Custodian. Restricted data also includes data that Rutgers is required to protect under regulatory or legal requirements. Examples include student or employee identifiable information (e.g., Social Security Number, birth date, driver's license number, etc.), financial records, medical records, legal records, student records, police records, and credit card information. Unauthorized disclosure of restricted information could result in adverse legal, financial, or reputational impact upon the University.
Sensitive Data
Sensitive data is information that business units may decide to share with other units outside their administrative control for the purpose of collaboration. This information does not meet the definition of 'non-public' information. Examples include data created by the department, research data, and project data. Loss of this information could cause harm to the University's image or reputation, but would not necessarily violate existing laws or regulations.
Public Data
Most Rutgers information falls into this classification under the "New Jersey Right to Know" law; it is suitable for public dissemination and is accessible to anyone in the world. Examples include public web pages, course listings, press releases, marketing brochures, etc. While the requirements for protection of public data are less than those for Restricted and Sensitive data, sufficient controls must be maintained to protect against unauthorized modification of the data.
III. Responsibilities
The major responsibilities each party has in conjunction with the University Information Security policy are as follows:
A. Data Custodians
Data Custodians are individuals who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of Rutgers University. The role of the Data Custodian is to provide direct authority and control over the management and use of specific information. These individuals might be deans, department heads, managers, supervisors, or designated staff.
B. Supporting Role of Data Managers
Data Managers store, manage access to, and distribute data based upon the direction of the Data Custodian. Data Managers are responsible for protecting the information while it is under their control, based upon the classification level assigned by the Data Custodian.
C. Data Owner
The Data Owner is defined as a department head, manager or delegate within the University who has responsibility and authority for a particular set of information and grants access to the information for use by others. The Data Owner shall develop and administer information security programs that appropriately classify and protect information under their control.
D. Data User
Each member of the Rutgers community is responsible for the security and protection of electronic information resources over which he or she has control.
Data Users are responsible for:
· Following the information access procedures established by Data Owners;
· Accessing only the information for which they are authorized;
· Reporting suspected or actual violations of policies and standards to management;
· Exercising "due care" in the use of sensitive and restricted data;
· Properly disposing of data when it is no longer required.
E. Information Protection and Security
OIT Information Protection and Security publishes the information security standards and guidelines which establish an effective baseline of appropriate system, administrative, and physical controls to apply to Data based upon its classification.
IV. Implementation
The Rutgers Information Security Policy is set out in the following documents.
A. Rutgers Minimum Security Standards for Networked Devices
The Rutgers Minimum Security Standards for Networked Devices have been developed to provide direction on the appropriate system, administrative, and physical controls to apply to Data based on its sensitivity. University data will be protected by implementing Rutgers security standards, based upon the data classification identified in this document.
B. Rutgers Policies, Standards, and Guidelines for Information Security
Information Security standards are mandatory controls that must be employed in order to comply with policy. Security guidelines provide suggested alternatives, including implementation checklists, to enable compliance with the Standards.