Information Sensitivity Policy
July 1, 2011 | By Damon Armour, IT Security Officer
Augusta State University has enacted a new policy as of spring 2011 to address information sensitivity. During the IT Audit of 2008 by the Board of Regents, one audit finding was related to the handling of sensitive and confidential information. ASU needed a local policy that identified the types of data and how that data would be handled. ASU formed a Sensitive Information Team to help develop the Information Sensitivity Policy and its supporting Data Classification Chart/Data Stewardship Chart.
The BOR IT Audit Report of 2008 recommended that ASU “Define, document, and periodically review policies, standards, and procedures for the receiving, handling, storing, and destroying of sensitive or confidential information.”
The campus’ response to this audit finding was:
ASU has formed a team (Sensitive Information Team) to create policies and procedures for the handling and life cycle of sensitive and confidential information on campus. This team consists of the IT Security Officer, the Assistant Director of Programming and System Services, and Business Services (Management Control Analyst and the Projects Director). This team will work with each of the data trustees and stewards to gain acceptance of the policy and procedures. This team also will work with the department heads to ensure their understanding of the policy and its implementation within their business functionality. As part of the campus-wide awareness of sensitive and confidential information, a formalized yearly program is being developed that all faculty and staff will be required to complete.
The Sensitive Information Team developed a draft of the Information Sensitivity Policy that was shared with the campus’ Information Security Advisory Committee (ISAC). Once a consensus was established within the ISAC, Chip Matson, Director of ITS/CIO, presented the policy to the President’s Cabinet. The President’s Cabinet recommended that the policy be vetted and voted on by the Faculty Policies Committee (FPC). Chip Matson and I presented the policy to FPC in January 2011. After a few edits, the policy was approved by FPC to be presented at the Faculty Meeting scheduled for March 8, 2011. The Information Sensitivity Policy was approved by the faculty with an addition to the Purpose section.
Below is an excerpt from the policy:
Augusta State University has an obligation to protect sensitive information collected from and about its students, faculty, staff, business partners, and others. This obligates the university to establish a policy for the responsible use of sensitive information while respecting individual privacy, protecting against identity theft and other unauthorized uses, and complying with federal and state regulations. Federal and state regulations include Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm‐Leach‐Bliley Act (GLBA), and the Georgia Open Records Act. This policy outlines the classifications of information and calls for limited access to sensitive and confidential information within the confines of the state and federal regulations.
The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of Augusta State University without proper authorization.
The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).
All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect Augusta State University’s sensitive/confidential information (e.g., Augusta State University’s sensitive/confidential information should not be left unattended in conference rooms).
Please Note: The impact of these guidelines on daily activity should be minimal.
The Augusta State University Data Classification Chart is available as a guide to how to classify the campus’ information. Questions about the proper classification of a specific piece of information should be addressed to your supervisor. Questions about these guidelines should be addressed to the ITS Security Office.
This policy applies to all personnel of the campus to include faculty, staff, student assistants, graduate assistants, contractors, temporary employees, and any other agent acting for the campus.
The Information Sensitivity Policy can be found in full at: http://www.aug.edu/its/policies/Information_Sensitivity_Policy.pdf
GLOSSARY OF REGULATIONS
FERPA – Family Educational Rights and Privacy Act. FERPA is a federal law that protects the privacy of student education records. Students have specific, protected rights regarding the release of such records and FERPA requires that institutions adhere strictly to the guidelines. Therefore, it is imperative that faculty and staff have a working knowledge of FERPA guidelines before releasing educational records.
GLBA – Gramm‐Leach‐Bliley Act. GLBA is a federal law that protects the personal financial information held by financial institutions. In 2003, the FTC determined that higher education institutions can be classified as financial institutions under federal law. Academic institutions are therefore subject to the Safeguards Rule of the Act. Institutions that are in compliance with FERPA are deemed to be in compliance with the Privacy Rule of GLBA.
HIPAA – Health Insurance Portability and Accountability Act. HIPAA is a federal law that requires health care providers and health plans to protect the privacy of patient records.
GA ORA – Georgia Open Records Act. Under the Georgia Open Records Act, all public records are available for inspection and copying unless they are specifically exempted from disclosure under the law. If a government agency or custodian of public records withholds a public document from production under an Open Records Request, it must cite the provision of Georgia law that exempts the record from being produced. A request to inspect or copy records may be made either orally or in writing. To document and clarify the scope and timing of the request, it is better practice to make the request in writing.