REG 08.00.03 – Data Management Regulation

Authority:  Issued by the Chancellor. Changes or exceptions to administrative regulations issued by the Chancellor may only be made by the Chancellor.

History: First Issued: January 19, 1990.  Last Revised: September 10, 2019.

Related Policies:
NCSU POL08.00.01 – Computer Use Policy 
NCSU REG08.00.02 – Computer Use Regulation
NCSU REG 01.25.12 – University Record Retention and Disposition Regulation
NCSU REG01.25.11 – Process for Requesting Access to Social Security Numbers
NCSU REG 04.00.08 – Security of Sensitive Plans Designs and Construction Documents Arrangements and Drawings
NCSU REG 07.40.01 – Disposal of University Property
NCSU REG 07.40.02 – Reporting Misuse of State Property
NCSU Rule 08.00.16 – NC State University Security Standards for Sensitive Data and Systems
NCSU RUL 08.00.17 – Cybersecurity Incident Response Procedures
NCSU RUL 08.00.18 – Endpoint Protection Standard
NC State Information Security Acknowledgement Form

Additional References:
N.C. Gen. State. § 14-453 (1999) – Computer-Related Crimes
North Carolina Identity Theft Protection Act (2005 SB-1048)
NC State Data Management Framework Website
OIT Data Removal Guidance
NCSU Policies Rules and Regulations Website
Office of General Counsel Website
FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”
NIST Special Publication 800-37, “Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy”
NIST CyberSecurity Framework Website
NIST Updates Risk Management Framework to Incorporate Privacy Considerations, May 9, 2018
ISO 27002:2013

Delegated Points of Contact:  CIO/Vice Chancellor for Information Technology (919-515-0141) or CISO/Director of Security & Compliance, Office of Information Technology (919-513-1194)


1.  INTRODUCTION

1.1  Purpose of this Regulation

The purpose of this Regulation is to define the Data Management Framework used by NC State University (NC State) and define authority and accountability for the secure use of University Data. The regulation applies to all aspects of data management (collection, access, storage, and disposition) of all University Data regardless of the format (e.g., software, hardware, peripherals, audio, printed or digital) or location (e.g., central, college, department, institute, personally owned) of the data.

The DMF defines the classification governance procedure for the management of University Data and allows for the appropriate degree of protection to be applied consistently across the university based on identified threats, risks, security, and regulatory requirements.

1.2  Scope

This regulation does not address confidentiality as it relates to the release of University information under Public Records laws or other legal requirements such as in response to subpoenas, court orders or special exceptions to privacy laws.

2.  DEFINITIONS

When used in this regulation, the following definitions shall apply:

2.1  “Availability” refers to ensuring timely and reliable access to and use of information and resources.

2.2  “Certification” means the authoritative act of verifying the accuracy and authenticity of an assertion or credential.

2.3  “Compensating controls” are alternative controls or mechanisms that are put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.

2.4  “Data access” means the ability, right, or permission to access data (including collection, access, storage, and disposition). This includes software, hardware, peripherals, audio, printed and digital materials.

2.5  “Data Access Guidelines” means the methodology and processes prescribed to manage access to University Data, approved by the Data Stewards and developed by Data Managers and supporting Data Custodians.

2.6  “Data category” is a high-level classification or type of University Data that requires specific security or privacy considerations.

2.7  “Data disposition” means the act of disposing or transferring the care or possession of University Data.

2.8  “Data element” means a basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.

2.9  “Data environment” means the collection of computer systems and associated infrastructure devices, facilities, and people that support the storage, processing, or transmission of data supporting the university’s mission and business.

2.10  “Data Management Framework (DMF)” means the classification governance methodology for the management of university data and allows for the appropriate degree of protection to be applied consistently across the university based on identified threats, risks, and security requirements.

2.11  “Data protection controls” are the safeguards or countermeasures that are prescribed for protecting the confidentiality, integrity, and availability of University Data.

2.12  “Data storage” means the collective methods and technologies that capture and retain information.

2.13  “Security Administrators” means the support personnel responsible for the documentation, testing, and monitoring of security controls to protect the university’s data environments.

2.14  “Sensitive data” means data that needs to be protected from unauthorized disclosure.

2.15  “University Data” means all the information content related to the business and mission of NC State that exists in any form (e.g., software, hardware, peripherals, audio, printed or digital) that is either owned by the University or used by the university under contract with an external provider where NC State has custodial responsibility.

3.  DATA MANAGEMENT FRAMEWORK AND DATA CLASSIFICATION

3.1  Data Management Framework

The DMF describes the authorities, roles, requirements, and principles that are necessary to ensure that proper safeguards are in place to protect University data and to support University business requirements. The DMF provides a framework to enable the university to balance the confidentiality, integrity, and availability requirements that impact all University Data and the associated data environments

3.2  Data Classification

3.2.1  University Data Stewards assign classification levels based on several risk types related to the impact that may result from loss or unauthorized disclosure of data. These risk types are strategic, reputational, financial, operational, compliance, and hazards. They are represented on an impact scale of high, medium, and low and established risk tolerance of NC State. Risk assessments are informed by the university’s information security program and supporting governance entities. Data Stewards use a university risk scorecard to support determination of classification levels for university data elements.

3.2.2  The degree of protection required for University data elements is based on four classification levels: Ultra Sensitive/Purple, Highly Sensitive/Red, Moderately Sensitive/Yellow, and Normal/Green.  Examples of these types of data are provided at the NC State Data Management Framework Website

a)  Ultra Sensitive Data (purple classification level)

Ultra Sensitive Data includes data where unauthorized disclosure or loss poses a high risk or impact to the university or its affiliates or where specific data categories require special privileged access management to support the university’s ability to prevent unauthorized data modification, use, or destruction.

b)  Highly Sensitive Data (red classification level)

Highly Sensitive Data includes data where unauthorized disclosure or loss poses a high risk or impact to the university or its affiliates. Authorized users of this data are responsible for managing data confidentiality, integrity, and availability to prevent unauthorized data modification, use, or destruction.

c)  Moderately Sensitive Data (yellow classification level)

Moderately Sensitive Data includes data where unauthorized disclosure or loss poses a moderate to low risk or impact to the university or its affiliates. Authorized users of this data are responsible for managing data confidentiality, integrity, and availability to prevent unauthorized data modification, use, or destruction.

d)  Normal Data (green classification level)

Normal Data includes data where unauthorized disclosure or loss poses a low risk or impact to the university or its affiliates. This information may be disclosed to individuals regardless of their university affiliation. Minimal security measures are needed to control the unauthorized modification, use, or destruction of this data.

e)  Unclassified Data

Unclassified Data means data that is created or collected within the university’s data environment and has not been classified by the Data Steward(s).  This data should be controlled at a minimum as yellow/moderately sensitive until final classification is assigned.

4.  AUTHORITY OVER DATA

4.1  University Authority and Rights

NC State has authority over the use of all University Data.

4.2  Chancellor’s Delegation of Responsibility for Data Management

The Chancellor is the primary authority for the governance of Data Management at the university. To support consistency across the university, Data Trustees are delegated responsibility for data management, protection, and oversight.

5.  DATA MANAGEMENT ROLES

Data Trustees, Data Stewards, Data Managers, and Data Custodians are collectively responsible for the management of all University Data. All their decisions must be made in the interest of the university’s mission and goals, rather than solely in the interests of the individual units they support.

5.1  Data Trustees

Data Trustees are designated oversight authority and responsibility for the portion of University Data that is related to the university functions managed and administered by the units and/or personnel who report to them, as delegated by the Chancellor.

5.1.1  Data Trustees at NC State include the following positions:

a)  Executive Vice Chancellor and Provost
b)  Vice Chancellor for Finance and Administration
c)  Vice Chancellor and Dean for the Division of Academic and Student Affairs
d)  Vice Chancellor for University Advancement
e)  Vice Chancellor for Research and Innovation
f)   Vice Chancellor and General Counsel
g)  Vice Chancellor for Information Technology
h)  Director of Athletics
i)   Vice Chancellor for External Affairs, Partnerships and Economic Development
j)   Vice Chancellor for Institutional Equity and Diversity
k)  Chief Communications Officer and Associate Vice Chancellor of University Communications

5.1.2  Each Data Trustee will assign one or more Data Stewards to be responsible for all University data elements managed within the Data Trustee’s authority and responsibility.

5.2  Data Stewards

Data Stewards are responsible and accountable for the confidentiality, integrity, and availability of University data elements within their business or mission area. They shall ensure proper levels of security and protection measures are implemented.

5.2.1  Specific responsibilities of Data Stewards include:

a) Verifying that each element which they have oversight is defined, described, and classified. Coordinating a review with the Office of Information Technology at least every three (3) years in order to address any changes to business processes, risk, threats, or regulatory, policy, and legislative requirements that impact the management of the data elements.
b) Approving access requests and access levels (read, write, and administrative privileges) with certifications. These approvals must be renewed at least annually.
c) Verifying that there are access request processes in place and that Data Access Guidelines have been developed for the data elements for which they are responsible
d) Verifying that levels of data integrity are maintained
e) Approving the use of software, applications, and tools that use their assigned data elements
f) Designating Data Managers as applicable to support the university’s Data Management Framework

5.2.2  All University Data must have an identified Data Steward.

5.2.3  Dispute Resolution

Disputes between Data Stewards on data control, data sensitivity or access issues should be resolved by the appropriate Data Trustees. All disputes not resolved at this level will be sent to the Chancellor for a final decision.

5.3  Data Managers

Data Managers are persons who are assigned specific data management responsibilities by the Data Stewards because of their knowledge and position at the operational level.  Data Managers typically will manage access rights to data they oversee.  Each Data Manager may delegate specific custodial responsibilities for different subsets of data under their authority.

5.3.1  Specific responsibilities of Data Managers include:

a) Developing and managing business processes that meet University Data protection requirements for the data elements’ classification levels as determined by the Data Stewards;
b) Developing and managing access requests and access level (read, write, and administrative privileges) based on approved Data Access Guidelines; conducting access verification reviews and reporting findings to Data Steward for their certification and approval;
c) Managing, testing, and improving data protection controls to maintain appropriate levels of confidentiality, integrity, and availability for University Data;
d) Confirming that the use of data by software, applications, and tools has been approved by applicable Data Steward(s) and has undergone appropriate business, compliance, security, and accessibility reviews; and
e) Designating Security Administrators as applicable to support the university’s Data Management Framework.

5.4  Data Custodians

Data Custodians are those University employees who are responsible for verifying that all operational requirements are met by the current data security controls configuration of a particular University Data environment, system, application, software, or tool. These employees may include IT support staff, systems administrators, database administrators, security administrators, or other responsible staff. In coordination with the Data Managers, they ensure that all data protection controls required as part of the Data Management Framework are planned, implemented, supported, and tested.

5.5  Users

5.5.1  Individual users play a critical role in ensuring the protection of university data. All users must agree to comply with all University policies, regulations, and rules as a condition for using University Data.  Users of University Data include but are not limited to the following categories:

a)  Employees
b)  Contractors
c)  Students
d)  Vendors
e)  Partners/Stakeholders

5.5.2  User Responsibilities

Users are responsible for the following actions:

a) Collecting, using, storing and disposing of all data as required by the data classification level, Data Management Framework (DMF) and the university retention and disposition schedule or contractual obligations;
b) Understanding the classification levels and protection requirements for the data they use;
c) Using University Data only for the purpose for which access was granted; and
d) Reporting suspected or actual misuse, abuse, unauthorized access, or loss of University Data.

5.5.3  Non-compliance

Users who violate the requirements of this regulation and its related rules and guidelines may be subject to disciplinary actions, including loss of access to University Data.  Violations could also result in both civil and criminal liability and/or penalties.

6.  SECURITY CERTIFICATION

Data Managers shall coordinate with Data Custodians and OIT Security & Compliance to review and document compliance with University Data protection requirements and industry and regulatory standards for all university data environments, systems, applications, software, and tools that use the Sensitive Data for which they are responsible. Results shall be reviewed and certified by the applicable Data Steward(s). This review must be conducted annually.

7.   TRAINING, AWARENESS, AND GUIDANCE

7.1  Mandatory Training

NC State requires mandatory annual Data Security Training for all university employees. Employees must successfully pass an assessment to demonstrate cybersecurity awareness and receive a Certificate of Completion. Supervisors shall verify that their employees have completed the training module on an annual basis.

7.2  Targeted Training

University Data Trustees, Stewards, Custodians, and users of sensitive data and sensitive data environments will also be required to complete more targeted training based on their roles and responsibilities. This training shall be provided to all, prior to accessing sensitive University Data.