REG 08.00.03 – Data Management Procedures

Authority:  Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.

History: First Issued: January 19, 1990.  Last Revised: May 5, 2016.

Related Policies:
NCSU POL08.00.01 – Computer Use Policy 
NCSU REG08.00.02 – Computer Use Regulation 
NCSU REG01.25.11 – Process for Requesting Access to Social Security Numbers
NCSU REG 04.00.08 – Security of Sensitive Plans Designs and Construction Documents Arrangements and Drawings
NCSU REG 07.40.01 – Disposal of University Property

Additional References:
N.C. Gen. State. § 14-453 (1999) – Computer-Related Crimes 
North Carolina Identity Theft Protection Act (2005 SB-1048) 
Information Security Acknowledgement Form
Data Categories, Trustees, Stewards, and Custodians
Determining Sensitivity Levels for Shared Data
Controls for Securing University Data – Best Practices
Data Management Procedures Summary and Guidance
Frequently Asked Questions – Data Management Procedures
Storage Locations for University Data
NCSU Policies Rules and Regulations Website 
Office of General Counsel Website
OIT Data Removal Guidance

Contact Info:  Vice Chancellor for Information Technology; Director of Security & Compliance, Office of Information Technology (919-513-1194)

 

1. Introduction

1.1. Purpose of this Regulation

The purpose of this Regulation is to assign responsibility for custody and security of University Data. This Regulation applies to all University Data, and to all administrative and user-developed computing systems that may access or utilize University Data.

This Regulation governs the management and accessibility of University Data regardless of the environment where the data reside. This includes the central servers, college or departmental mini-computers, data servers, individual personal computers, mobile devices and data residing in any other medium (paper printouts, microfiche, tapes, digital storage devices, laptop computer disk drives, removable storage, etc.).

The Data Classification Standard section of this document defines the classification levels assigned to different types of University Data according to confidentiality. Identification and classification of University Data allow the appropriate degree of protection to be applied.  Another goal of this document is to apply university security controls consistently for data of similar sensitivity across various university colleges and departments.

1.2. Definition of Terms

1.2.1. University Data:

“University Data” is defined as all information content related to the business of NC State University that exists in electronic or digital form, and also such information that exists in other forms (e.g. ink on paper).  “Data” includes but is not limited to text, graphics, video, audio, still images, databases, and spreadsheets.

1.2.2. Access:

“Access” to data is the ability to view, retrieve, alter, or create data.

1.2.3 Sensitive Data:

“Sensitive Data” is defined as University Data classified by the relevant Data Steward as requiring additional controls and safeguards during processing, storage or transmission.

The University Data Sensitivity Framework defines the classification levels for common elements of Sensitive Data in use at the university. Sensitive Data may be protected by legal act, statute or contractual provisions against unwarranted disclosure. Sensitive Data also includes any information that is protected by university policy from unauthorized access. Data Stewards may further declare other University Data as “Sensitive Data” for legal or ethical reasons, for data for which unwarranted disclosure would represent a high degree of business risk to the university, for issues pertaining to personal privacy, or for proprietary considerations.

Sensitive Data may include but is not limited to:

1.3. Limitations:

This document does not address confidentiality as it relates to release of university information under Public Records law or other legal requirements such as subpoenas, court orders or special exceptions to privacy laws.

2. Authority Over Data

2.1. NC State University Authority and Rights

The university has authority over use of the university’s physical computer assets.  NC State University is the legal custodian of all University Data.

2.2. Chancellor’s Delegation of Responsibility

The Chancellor delegates responsibility for data management at the university as specified in Section 3 below. The Chancellor and Chancellor’s designees are responsible for protecting University Data at the level appropriate for its sensitivity.

3. Data Management

Data Trustees, Data Stewards and Data Custodians are collectively responsible for the management of all university data. Their decisions with regard to university data management must be made in the interest of the university’s mission and goals, rather than in the sole interests of their individual units. The current full list of Data Trustees, Data Stewards, and Data Custodians is shown in the “Data Categories, Trustees, Stewards, and Custodians” document (listed in Additional References section above).

3.1. Data Trustee

3.1.1. Definition

Data Trustees have oversight responsibility for data management related to university functions managed/administered/run by the units and personnel reporting to them.

3.1.2. List of Data Trustees

3.1.2a. Executive Vice Chancellor and Provost

3.1.2b. Vice Chancellor for Finance and Administration

3.1.2c. Vice Chancellor and Dean for Academic and Student Affairs (DASA)

3.1.2d. Vice Chancellor for University Advancement

3.1.2e. Vice Chancellor for Research, Innovation and Economic Development

3.1.2f. Vice Chancellor and General Counsel

3.1.2g. Vice Chancellor for Information Technology

3.1.2h. Director of Athletics

3.1.3. Resolution of Data Disputes

It may be necessary to resolve data control, data sensitivity or access issues when the responsible Data Stewards cannot agree as to how the data should be used.  If this occurs, the appropriate Data Trustees shall meet to resolve any disputes. All disputes not resolved at this level will be sent to the Chancellor for final disposition.

3.2. Data Steward

3.2.1. Selection of Data Stewards

Each Data Trustee will assign Data Stewards to be responsible for data management within his or her area of responsibility.

3.2.2. Duties of Data Stewards

Data Stewards have the primary responsibility for the accuracy, privacy, and security of the University Data under his/her responsibility. All University Data must have an identified Data Steward.  Specific responsibilities of Data Stewards include:

3.2.2a. Requests for access to data

Data Stewards shall be responsible for evaluation, approval or disapproval of requests for access to data within his/her assigned oversight.

3.2.2b. Degree of access

Data Stewards are responsible for determining the degree of access (interactive query only, interactive update, downloading of specific data to user, etc.) to be granted to specific users, and for assuring compliance with access security standards.

3.2.2c. Defining data elements

Data Stewards shall be responsible for defining or describing each data element, to the extent required by public records law, for which they have oversight.  This definition shall be done in coordination with the Office of Information Technology.

3.2.2d. Value of data

Data Stewards should give consideration to the value of data in terms of its confidentiality and criticality to the conduct of university business.  Security plans and procedures shall be implemented with emphasis dictated by the determined data value.

3.2.2e. Request for modification to the data

Data Stewards are the initiation point for any request for modification to the data for which they have responsibility.

3.2.2f. Security of data

Data Stewards are responsible for ensuring security of University Data under their stewardship.  At a minimum, Data Stewards should ensure that:

  • Each general Data Element is classified as described in the “Determining Sensitivity Levels for Shared Data” document (listed in Additional References section above) according to the University Data Classification Standard listed in Section 6 below.
  • Data is protected and assigned sensitivity levels according to federal laws, state laws, contractual provisions, and university policies, regulations, rules and standards.
  • Classification levels are reassessed at least once every three years based on changing sensitivities, usage, regulations, or legislation.
  • Classification levels and associated protection of replica data remain consistent with those of the original data (e.g., database extracts with Sensitive Data should carry the same protection as the original database).

3.3. Data Custodian

Data Custodians are persons who are assigned specific data management responsibilities by the Data Stewards.  Data Custodians typically will manage access rights to data they oversee.  Each Data Custodian may delegate specific custodial responsibilities for different subsets of data under his/her custody.

3.4 Application Sponsors

Application Sponsors are those university employees who are responsible for approving the functionality of a particular university application, and for controlling the protection of the data within that application. Application Sponsors will be appointed by the primary Data Trustee associated with the data that their application accesses.

3.4.1 Application Security Certification

Application sponsors of all university applications that handle Sensitive Data will certify their applications on an annual basis to indicate that Sensitive Data displayed and/or stored by the application is identified and suitably protected. This certification process will be administered by the OIT Security and Compliance Unit.

  1. User Responsibilities

4.1. User of University Data

Users of University Data include but are not limited to the following categories:

  • University employees
  • Volunteers
  • Contractors
  • Vendors
  • Partners
  • Students

Individual university users play a critical role in ensuring the security of University Data.  Ultimately, only the user can prevent unauthorized access and ensure responsible use of the data. Proper use of data, including assurance of security and privacy, is a job requirement for all university employees, is a condition of volunteer service, should be included in all university agreements providing access to University Data, and is a condition of enrollment for students.

4.2. Responsibilities

4.2.1. Users are responsible for the following actions:

4.2.1a. Store data under secure conditions appropriate for the data classification level

4.2.1b. Make every reasonable effort to ensure the appropriate level of data privacy is maintained

4.2.1c. Use the data only for the purpose for which access was granted

4.2.1d. Not to share IDs or passwords with other persons

4.2.1e. When disposing of any media or device, users must comply with REG 07.40.01 – Disposal of University Property and consult the Office of Information Technology’s Data Removal Guidance.

4.2.2. Copies of University Data

If University Data is downloaded (e.g., to a college or department) or otherwise made available as a copy, the individual creating or accepting the copy of the data automatically becomes the Data Custodian for the University Data elements in the copy. In this situation, the custodial responsibility for complying with this Data Management regulation and with applicable laws regarding the University Data in the copy resides with the department or unit authorized to receive the University Data in the copy. Individuals accessing the downloaded data may not use it beyond the terms and purpose for which it was originally approved for download by the relevant Data Steward without additional approval.

4.3. Non-compliance

Users who fail to comply with the requirements of this regulation will be subject to university discipline, and in applicable cases to civil lawsuit liability and to criminal prosecution.

5. Security Administrators

 

5.1. Role of Security Administrators

Each Data Custodian, in consultation with each relevant Data Steward, appoints Security Administrators. Security Administrators have responsibility for implementing, monitoring and coordinating standards, procedures, and guidelines necessary to administer access to University Data.

5.2. Responsibilities of the Security Administrator

5.2.1. Complying with Data Access Guidelines

Data Stewards will develop Data Access Guidelines to be used by the Security Administrators in approving access for users of computer systems to University Data. These guidelines are the primary communication media between the Data Steward and Security Administrator regarding data protection, and will also be used by others involved (e.g. Application Sponsors, developers, Data Custodians and users).

5.2.2. Implementation of Data Access Guidelines to be followed by users of online computer systems

Each Security Administrator is responsible for procedures to implement the Guidelines as provided by the appropriate Data Steward to be followed by authorized users.

5.2.3. Processing requests for access to University Data

The Security Administrator will process a user’s request and complete the technical work required to provide access to the user.  The Security Administrator is responsible for ensuring that the appropriate Data Steward has authorized access before granting the user access to the data.  The Security Administrator and Data Steward work together to ensure the appropriate security measures are followed.

5.2.4. Procedures to confirm the roles of Data Stewards and users

Each Security Administrator will assure that Data Stewards and users with access to university computer systems are verified on a regular basis as appropriate authorized users.

6. Data Classification Statement

This Data Classification Statement section describes principles that are used to safeguard transmission of, access to, and storage of Sensitive Data in use at the university. This Sensitive Data must be restricted to those with a legitimate business need for access.

The scope of this Data Classification Statement includes all equipment that contains Sensitive Data, including the central Office of Information Technology (OIT) servers, college or departmental servers, servers remote to the university campus (e.g., in the Internet ‘cloud’),  individual personal computers, mobile devices (including laptops, tablets and smart phones), and data residing on any other electronic media. Data Trustees, Data Stewards, Data Custodians, Application Sponsors and Security Administrators should provide data security consistent with this Data Classification Statement.

The Data Stewards and Application Sponsors controlling access to the Sensitive Data at the university are the primary audience for this Data Classification Statement. This includes both Data Stewards for administrative data and applications as well as the deans of the colleges and heads of departments for ownership of data in college and departmental applications.

Information Technology (IT) staff at the university, both in OIT and in the colleges and departments, are the secondary audience for this Data Classification Statement. IT staff act as Data Custodians for Sensitive Data in data center and network environments. Implementers of applications accessing Sensitive Data will use controls to implement the principles in this regulation under the direction of the Data Stewards and Application Sponsors. More details of these types of controls by Data Classification category are given in the document “Controls for Securing University Data – Best Practices” (listed in Additional References section above).

The degree of protection required for different types of data is based on the nature of the data and the relevant compliance requirements.  Purple, Red and Yellow level data are considered Sensitive Data. Green and Unclassified level data are not Sensitive Data. The following classification levels, from most sensitive to least sensitive, will be used for classifying all University Data.

6.1 Ultra-High Security (also known as Purple level data)

6.1.1 Purple level data is the limited amount of University Data that meets all of the following criteria:

  • The data is subject to multiple federal or state laws, contractual agreements, or government regulations;
  • Disclosure of the data is subject to extreme financial penalties and
  • The data has a history of litigation or other very high risk to the university.

The primary examples of Purple level data are:

  • Data used as credentials for identifying individuals, including Social Security Numbers, PINs, passwords, digital signatures, biometric data, and fingerprints.
  • Payment Card data that is subject to the Payment Card Industry (PCI) Data Security Standard (PCI DSS), primarily the card account number (PAN) and other data on the face or the reverse of a credit/debit card in conjunction with the PAN, used for authorizing a financial card transaction. Data on the reverse of the card or held in the card’s magnetic strip are not to be stored at NC State.

6.1.2 Any data collection medium or storage device (e.g., a database, memory stick or a filing cabinet) that contains any Ultra-High data element should also be classified at the Ultra-High Level.

6.1.3 Additional data items may be classified as Ultra-High Security and added to the Data Sensitivity Framework as specified by the appropriate Data Steward(s).

6.2. High Security (also known as Red level data)

6.2.1 Data for which unauthorized disclosure or unauthorized modification causes two or more of the following four consequences:

  • Significant financial loss to the university, and/or
  • Serious negative impact on the university’s reputation, and/or
  • Serious impairment of the university’s ability to conduct business, and/or
  • Violation of federal or state laws, contractual agreements, or government regulations.

More information is available at the website of the Office of General Counsel(listed in Additional References section above).

Examples of Red level data include:

  • “Personally Identifying Information,” as defined by the North Carolina Identity Theft Protection Act of 2005. This includes employer tax ID numbers, driver’s license numbers, passport numbers, state identification card numbers, banking account numbers, and any other numbers or information that can be used to access a person’s financial resources.
  • “Protected Health Information” as defined by the Health Insurance Portability and Accountability Act (HIPAA).
  • “Customer record information,” as defined by the Gramm Leach Bliley Act (GLBA).
  • Confidential “personnel information,” as defined by the State Human Resources Act.
  • Information that is deemed to be confidential in accordance with the North Carolina Public Records Act.

6.2.2 Any data collection medium or storage device (e.g., a database, memory stick or a filing cabinet) that contains any High Security data element should also be classified at the High Security Level.

6.2.3 Additional data items may be classified as High Security and added to the Data Sensitivity Framework as specified by the appropriate Data Steward(s).

6.3. Moderate Security (also known as Yellow level data)

6.3.1 Data for which unauthorized disclosure or unauthorized modification causes one or more of the following three consequences:

  • Some financial loss to the university, and/or
  • Impairment of the university’s ability to conduct business, and/or
  • A violation of federal or state laws, or contractual agreements, or government regulations.

Most student “education records,” as defined by the Family Educational Rights and Privacy Act (FERPA) constitute Yellow level data, in that although these data require strict protection under federal regulations, the data is pervasive throughout the university environment, and the risk of financial or other penalties to the university is quite low. Student directory information, not subject to an individual student privacy block, is considered Green level data.

6.3.2 Data for which unauthorized disclosure or unauthorized modification would not result in direct financial loss or any legal, contractual, or regulatory violations but may otherwise cause serious adverse effects to the university, as classified by the appropriate Data Steward(s), is considered Yellow level data.

6.3.3 Any data collection medium or storage device (e.g., a database, memory stick or a filing cabinet) that contains any “Moderate Security” data element will also be classified at the Moderate Security level.

6.3.4 Additional data items may be classified as Yellow level and added to the Data Sensitivity Framework as specified by the appropriate Data Steward(s).

6.4. Normal Security (also known as Green level data)

Data for which disclosure would not cause any adverse impact on the university; however, only appropriate university personnel are allowed to modify or approve the automated modification of the master copy or original data. Green level data is not considered “Sensitive Data,” but requires limited additional controls for ensuring the integrity of the data and, where appropriate, an audit trail of changes. Green level data does not require security controls other than access control to establish the individual responsible for adding, deleting or modifying Green level data. An example of Green level data would be public university Web page data. The Data Steward(s) for any particular data items may classify the data as Green level and add them to the Data Sensitivity Framework as they consider appropriate.

6.5. Unclassified data

University Data that is publicly available, or the release of which would not cause any significant harm to the university, is specified as unclassified. Unclassified data does not require additional security controls.

6.6. Sensitivity of individual data elements

6.6.1 The official list of data elements at various classification levels is shown in the “Determining Sensitivity Levels for Shared Data” document (listed in Additional References section above). This document cross-references specific University Data elements and categories to their protection under federal and state laws as well as other types of regulation, and associates the specific data elements with the security classifications above.

Examples of Sensitive Data may include but are not limited to research data, public safety information, financial donor information, system access passwords, information security records, and information file encryption keys.

6.6.2 To have additional data elements officially classified as Purple, Red, Yellow or Green level data, please contact the appropriate Data Steward(s), or the Director of the OIT Security and Compliance Unit. The OIT Security and Compliance Unit will coordinate the approval of the classification of the Data Element by the affected group of Data Stewards.

  1. Training

The Office of Information Technology staff will provide training in the use of these Data Management Procedures and security awareness training based on the Data Classification Standard to all university staff on a regular basis.

To determine appropriate storage locations for data in each of the sensitivity levels defined in Section 6, refer to the “Storage Locations for University Data” document (listed in Additional References section above).

To determine the controls that should be applied to data in each of the sensitivity levels defined in Section 6, refer to the “Controls for Securing University Data – Best Practices” document (listed in Additional References section above).