Data Stewardship

I. SCOPE

This policy applies to all academic and operational departments and offices at all George Mason University locations, owned and leased. The policies and procedures provided herein apply to all University faculty, staff, students, visitors and contractors. This policy governs the privacy, security, and confidentiality of university data, especially highly sensitive data, and the responsibilities of institutional units and individuals for such data.

II. POLICY STATEMENT

Mason maintains data essential to the performance of university business. These data are valuable assets. State and federal laws identify the types of data to which access and storage must be restricted. This policy incorporates federal and state standards and establishes responsibilities for all elements of university data in terms of confidentiality, integrity, and availability.

The greatest benefit the university can provide to the community is data that is shared and used with care. This benefit is diminished through misuse, misinterpretation, or unnecessary restrictions on access. Although a large portion of university data are shared with the public, some data are restricted by the privacy protections established in laws or policies. To comply with these mandates and to protect the university community as a whole, the university has the right and the obligation to protect, manage, secure, and control data under its purview.

III. DEFINITIONS

A. University Data

University data are any data required to conduct the operations of the university. University data are divided into two main categories: protected data and public use data. Protected data include two subcategories: highly sensitive and restricted.

      1. Protected Data – Highly Sensitive: Data that (1) by their personal nature can lead to identity theft or exposure of personal health information, or (2) a researcher, funding agency or other research partner has identified as highly sensitive or otherwise requiring a high level of security protection. Some examples are: data classified as secret by the Federal government, data that is often involved in identity theft (e.g., SSNs), data described in the Health Insurance Portability and Accountability Act (HIPAA) as needing to be secured, and data that could lead to financial theft (e.g., credit card information). See Appendix A for a list of the types of data classified as Protected Data – Highly Sensitive.
      2. Protected Data – Restricted: Data that, by their very nature or regulation, are private or confidential and must not be disclosed except to a previously defined set of authorized users. Some examples are: data defined as confidential by the Family Educational Rights and Privacy Act (FERPA), employee performance evaluations, confidential donor information, some research data, minutes from confidential meetings, accusations of misconduct, or any other information that has been identified by the University, its contractors or funding agencies, or Federal or State regulations, as private or confidential and not to be disclosed.
      3. Public Use Data: Data intended for general public use. An example is the university’s on-line directory.
      4. Encryption: Encryption is the conversion of data into a form that is unreadable by an unauthorized user or process. Encrypted data must be decrypted (converted back to original form) prior to use. The university’s centrally managed encryption method requires a key for encryption and decryption. Data Custodians must employ encryption as a means of protecting Highly Sensitive Data.

B. Key Personnel Responsible for the Protection of University Data (See Appendix B)

President: The president of George Mason University, as the head of a Commonwealth of Virginia state agency, has ultimate responsibility for the university’s security program and the protection of restricted and highly sensitive data and critical system assets. The president has delegated these responsibilities to members of the president’s Executive Council.

Chief Information Officer (CIO): The Executive Council member designated by the university president to have executive oversight of the university’s IT security program and for the evaluation and classification of data.

Chief Data Stewards:

  1. Executive Vice President for Finance and Administration: The Executive Council member designated by the university president to be responsible for all highly sensitive and restricted data associated with employees, contractors, and affiliates. In this role, the executive vice president determines who has access to such data, how it can be stored, and how it must be protected. The executive vice president may delegate responsibility for certain data sets to others via formal memoranda.
  2. Provost and Executive Vice President: The Executive Council member designated by the university president to be responsible for all restricted and highly sensitive data associated with students and faculty in performance of their teaching and research activities. In this role, the provost determines who has access to such data, how it can be stored, and how it must be protected. The provost may delegate responsibility for certain data sets to others via formal memoranda.

Information Security Officer (ISO): The individual designated by the Chief Information Officer (CIO) to be responsible for the development, implementation, oversight, and maintenance of the university’s IT security program.

System Owner: The System Owner is the person responsible for operation and maintenance of a university IT system.

Data Owners: Deans, vice presidents, associate vice presidents, directors, managers, or others authorized by the Chief Data Stewards to manage a subset of data.

System Administrator: A System Administrator is an analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian. Their responsibilities can include administration at the system infrastructure layer and/or system application layer. Any given system may have more than one System Administrator depending on the size and complexity of the system. The System Administrator assists with the day-to-day administration of the university’s IT systems and implements security controls and other requirements of the IT security program on IT systems for which the System Administrator has been assigned responsibility.

Data Custodians: An individual who has been authorized to be in physical or logical possession of data by the Data Owner.

Data Processors: An individual authorized by data owners to enter, modify, or delete data.

IT System Users: Any university employee, contractor, affiliate, or duly authorized member of the community who can access restricted and/or highly sensitive university data but does not modify or delete that data. For the purposes of the responsibilities section in this policy, IT System Users include all who have the capacity to access university data. All IT System Users, whether they be Data Owners, Data Custodians, or Data Processors, are responsible for the security and privacy of the data they access, as prescribed in this policy.

Customer: Any employee, student, or individual not associated with the university from whom highly sensitive data are collected or received.

IV. RESPONSIBILITIES

A. General

Access to university data is provided to university employees for the conduct of university business. Protected data, as defined by this policy, will be made available to employees who have a genuine need for it. This may include data collected from students, faculty, staff, contractors, members of the community, or those who have no affiliation with the university. Employees accessing such data must observe the requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data used in any type of reporting function. Individual units or departments that have stewardship responsibility for portions of protected university data must establish internal controls to ensure that university policies are enforced. All IT System Users, not just Data Owners, Data Custodians, or Data Processors, are responsible for the security and privacy of the data they access or store, as prescribed in this policy.

B. Compliance

      1. The university forbids the disclosure of protected data in any medium except as approved in advance by a Data Owner. The use of any protected university data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited. Each IT System User will be responsible for the consequence of any misuse of university data.
      2. The university forbids the storage of highly sensitive data on any data storage device or media other than a centrally managed server approved for the storage of highly sensitive data, services explicitly approved for the purpose and specific data classification through the Architecture Standards Review Board (ASRB), or a secure networked file storage area. If an individual is required to store highly sensitive data for a business need, that individual must obtain permission from the Chief Data Steward. The written request for authorization must state the unique business need, the type of data that will be stored, the type of data storage device that will be used, and the mitigating controls that will be employed to protect the highly sensitive data. IT Security Office (ITSO) approved methods must be used to secure and store Highly Sensitive Data.
        See Appendix C for authorization procedures and forms that require the user to state the business need and agree to accept the responsibility to protect the highly sensitive data. Any university employee, student, or non-university individual who stores highly sensitive university data without proper permissions and protection measures is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.
      3. Should a security breach occur, the Computer Security Incident Response Team (CSIRT) will investigate and discuss with the chief information officer whether or not the matter is referred to law enforcement authorities through the University Police Department. The assistant vice president for Human Resources will review all matters involving university employees. The dean of students will review all matters involving students. The Office of University Counsel will review matters involving individuals not affiliated with the university.
      4. All individuals accessing university data at Mason are required to comply with federal and state laws and university policies and procedures regarding data security of highly sensitive data. Any university employee, student, or non-university individual with access to university data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

C. The Duties of Key Personnel

Authorization for access to and the maintenance and security of all university data, particularly highly sensitive data, is delegated to specific individuals within their respective areas of responsibility.

Chief Data Stewards Responsibilities

  1. Establish policies and direction for the overall security and privacy of all University data, particularly highly sensitive data, within their respective areas of responsibility.
  2. Identify and appoint Data Owners for units within their areas of responsibility.
  3. Designate personnel to review privacy and compliance inquiries and respond or escalate them appropriately.

System Owner Responsibilities

  1. Require that all users of the system complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually thereafter.
  2. Manage system risk and develop any additional IT security procedures required to protect the system in a manner commensurate with risk.
  3. Maintain compliance with university IT security policies and standards in all IT system activities.
  4. Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.
  5. Designate a System Administrator for the system. See System Administrator Resources – Information Technology Services (gmu.edu) for a list of System Administrator resources.

Data Owners Responsibilities

  1. Ensure that access and protection requirements consistent with university policies and the data classification are in place and responsive to business needs.
  2. Ensure the accuracy and quality of all data within their area.
  3. Communicate data protection requirements to the System Owner.
  4. Annually review with appropriate Data Custodians the current set of highly sensitive data access authorizations and, as appropriate, update authority granted each user.
  5. Ensure that authorized users of highly sensitive data are trained on their responsibilities associated with their approved access to that data.
  6. Report any possible breach in computer security or illicit use of highly sensitive data to the Support Center who will then notify the IT Security Office for CSIRT action.
  7. Review appeals of decisions to deny access to university data within their area of responsibility.

Systems Administrators Responsibilities
(See http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm for more details on requirements and responsibilities)
Note: Responsibility for the security of certain systems may belong to Information Technology Systems if the unit or department has signed a service level agreement with ITS to manage the server.

  1. Identify possible security gaps that may leave systems vulnerable to attacks or hackings and take remedial actions to make the systems secure.
  2. Ensure the usability, reliability, availability, and integrity of information systems and their data, including serving as liaisons between all parties with interests in such systems.
  3. Follow established formal procedures and tools as determined by their respective Data Owner to enable access for authorized Data Processors and IT System Users.  This includes ensuring that all specified approvals have been granted before providing an IT System User access to highly sensitive data.
  4. Maintain documentation of users who are authorized access to highly sensitive data on IT systems to which they have been assigned.  Where abuses of that authorization are discovered, make authorization withdrawal recommendations to the appropriate Data Owner.

Data Custodian Responsibilities

  1. Protect the data in their possession from unauthorized access, alteration, destruction, or usage.
  2. Use IT systems in a manner consistent with university policies and procedures.
  3. A Data Custodian may also be a System Administrator.

Data Processors Responsibilities

  1. Responsible and accountable for the completeness, accuracy, and timeliness of the data assigned to them.
  2. Ensure the accurate input and presentation of data.  Each Data Processor will be responsible for any intentional misrepresentation of data.
  3. Ensure the maintenance of data integrity.  Upon recognizing that any data elements are in error, the Data Processor will notify the appropriate Data Owner.

IT System Users Responsibilities

  1. Read and, based on types of data accessed, comply with the relevant directions for “Computer Security” found at itsecurity.gmu.edu/.
  2. Use restricted and highly sensitive data only as required by the employee’s job responsibilities and authorized by the appropriate Data Custodian.
  3. Respect and protect the confidentiality and privacy of individuals whose records they access.
  4. Report any possible breach in computer security or illicit use of restricted and/or highly sensitive data to the Data Owner of the IT System User’s unit.

D. Organizational and Individual Responsibilities for Access Control to Highly Sensitive Data

      1. No one is permitted to access highly sensitive data unless warranted as part of an established job role. The user must not store the data unless written approval has been granted to do so through the use of the online form that requires the user to describe the unique business need for storage and the mitigating security controls.
      2. Each department or business unit will have documented procedures, consistent with the university’s security policies, which preserve and protect highly sensitive data and are designed to accomplish these goals:
        1. Ensure the security and confidentiality of customer information.
        2. Protect against any anticipated threats to the security or integrity of such information.
        3. Guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
      3. Each Data Owner will have a documented set of procedures for reviewing requests to access, modify, or update highly sensitive data.
      4. The IT Security Office will be available to assist each department or business unit by reviewing their access and data security procedures.  If needed, the privacy and compliance personnel will review to ensure compliance with this policy.
      5. Members of the university community may appeal any decision that denies access to university data. Appeals are to be made to the appropriate Data Owner.

E. Public Requests for Protected Data

Requests by the public for protected data made through the Virginia Freedom of Information Act (see University Policy 1117: Virginia Freedom of Information Act Requests) or other applicable law will be reviewed by the Office of University Counsel prior to any release of data.

V. TRAINING

IT System Users authorized to access highly sensitive data are required to participate in data security training commensurate with the type and use of such data. Managers are to train, or arrange for training, for all current employees who have or will have access to highly sensitive university data prior to granting access to such data.

VI. DATES

A. Effective Date:

The policies herein are effective May 4, 2005.

B. Date of Most Recent Review:

June 15, 2023

VII. TIMETABLE FOR REVIEW

This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.

VIII. SIGNATURES

Approved:

____/s__________________
Deb Dickenson
Executive Vice President for Finance and Administration

Approved:

___/s____________________
Kenneth D. Walsh
Interim Provost & Executive Vice President

Date approved: August 1, 2005
Revision approved: March 2, 2009
Revised: January 29, 2013
Reviewed: June 15, 2023
Revision approved: December 14, 2023

Page last updated: December 14, 2023