The Committee of Data Stewards is responsible for recommending policies and establishing procedures and guidelines for university-wide management of institutional data. From time to time the Committee will issue notices in order to promote the appropriate dissemination, storage, use, and security of institutional data to those persons involved in managing and authorizing access to those data on a daily basis. The data managers are urged to share these notices with the end-users of university data within their functional areas.
Important Points:
- Storage of restricted institutional data [1] on user workstations, laptops, personal digital assistants (PDAs), or any other type of electronic equipment is not permitted; data must be stored on registered department or central file servers. Departments are expected to identify, for their users, appropriate server locations for storage of data extracted from central sources or derived through department operations. In addition, UITS will investigate technical methods for restricting the destination of extracts from central sources to registered servers.
- University file servers that are used to store restricted institutional data must comply with specific management standards, as outlined in IT policy 12, issued by the University Information Policy Office.
- Web and other servers that must be accessible from off-campus must be physically separated from servers hosting restricted institutional data.
- Direct access to University file servers hosting restricted institutional data must be blocked from non-IU network addresses [3]. Individuals requiring direct access to files stored on these servers from off-campus must first connect through the University’s modem pool or (preferably) the UITS Virtual Private Network (VPN) service [4].
- Where technically feasible, the IU central authentication service (CAS) [5] must be used for all services that facilitate update or inquiry access to restricted institutional data on University servers, so that (minimally) strong password selection rules, password expiry, and intruder lockout can be employed.
- Where technically feasible, user equipment should be set up for automatic lock-out after 15 minutes of non-use, if institutional applications containing restricted data are used.
- Where technically feasible, password tokens [6] (in addition to a secure password) must be required for any update access to restricted institutional data on University servers.
- Departments (including UITS) must eliminate insecure protocols for connecting to all University systems, and for transferring data to and from those systems [7], especially those servers that support critical operations and/or host restricted institutional data.
- Individuals requiring access to central sources of restricted institutional information must be authorized by the appropriate data steward or manager [8] and subsequently must use the UITS Decision Support Service [9] via the IU Information Environment (IUIE) for that access.
- Direct (non-IUIE) access to the UITS Decision Support Service (DSS), using individual desktop query tools, will be restricted to a limited number of staff with advanced knowledge and experience with the DSS data constructs. These individuals must first establish a connection to the VPN servers to ensure that their password and the other data transmitted are encrypted.
Per a previous related memo from this Committee:
- Data classified as restricted may be accessed only by those whose positions explicitly require such access.
- Except for elements labeled by IU as "directory" information [10], student information is classified as restricted in accordance with Federal law.
- The only employee data considered not restricted are name, department, rank, title, service date, and base pay rate. Examples of restricted access employee information are SSN, benefits enrollment and use, date of birth, ethnic group, sex, payroll data, and home address.
- When restricted access university data are stored on appropriate servers they should not include SSN unless they are keys to linking with other files.
- SSN must not be collected from individuals nor extracted from central systems and stored on departmental servers unless doing so is absolutely required to maintain the business functions of the office involved.
- To preserve human protection standards for survey research and FERPA requirements for non-directory student records, all program evaluation and assessment data should be stored in such a way that responses are not associated with individual names or SSN. Linkage files containing the association of protected data to individuals should be placed in different directories and with different naming conventions to obscure the connection and should be permanently deleted when no longer needed.
- Unattended workstations with access to directories containing restricted data should be logged off, locked, or otherwise made inaccessible to individuals without access rights.
References and Resources:
- Campus Registrars Offices or University Counsel will handle questions on the impact of the federal Family Educational Rights and Privacy Act (FERPA) on IU student record use. Updates to the official IU policy, “Release of Student Information Policy,” to broaden the definition of “school official” and to make e-mail address public, among others, are being implemented. As soon as these are published, a notice will be sent out among the university community. In the interim, the concepts are contained in the document, “Indiana University’s Annual Notification of Students Rights under FERPA,” available on-line at http://www.indiana.edu/~iues/ferpa.htm.
- The Information Policy and Security Offices have issued guidance for technology and information management and server security. These documents are accessible at the office’s web site: http://www.informationpolicy.iu.edu/
- The Committee of Data Stewards is currently working with the Information Technology Policy Office to identify criteria to help in assessing the levels of risk associated with the wide variety of server installations throughout the university.
- The university’s data administration policies and complete listing of the members of the Committee of Data Stewards are available at: http://datamanagement.iu.edu. Members are ready to answer questions you may have regarding these policies and issues. Co-chairs of the committee are Paul J. Sullivan, Deputy Vice President for Administration (855-4155), and Stephen L. Keucher, Assistant Vice President and University Budget Director (855-9438).
Footnotes:
- See the Policy on Security of IT Resources.
- For consulting on network filtering, contact noc@indiana.edu or noc@iupui.edu.
- See What is a virtual private network (VPN), and why would I want to use the IU VPN, in the Knowledge Base at http://kb.iu.edu/data/ajrq.html.
- See At Indiana University, what is Central Authentication Service (CAS)? in the Knowledge Base at http://kb.iu.edu/data/akui.html.
- See What is a SafeWord card, and which systems require one? in the Knowledge Base at http://kb.iu.edu/data/abvw.html.
- See What are SSH and SSH2? in the Knowledge Base at http://kb.iu.edu/data/aelc.html.
- See Decision Support Services at http://www.iu.edu/~edss.
