Data Stewardship

I. SCOPE

This policy applies to all academic and operational departments and offices at all George Mason University locations, owned and leased.  The policies and procedures provided herein apply to all University faculty, staff, students, visitors and contractors.  This policy governs the privacy, security, and confidentiality of university data, especially highly sensitive data, and the responsibilities of institutional units and individuals for such data.

II. POLICY STATEMENT

George Mason University maintains data essential to the performance of university business.  These data are valuable assets.  State and federal laws identify the types of data to which access and storage must be restricted.  This policy incorporates federal and state standards, and establishes responsibilities for all elements of university data in terms of confidentiality, integrity, and availability.

The greatest benefit the university can provide to the community is data that is shared and used with care.  This benefit is diminished through misuse, misinterpretation, or unnecessary restrictions on access.  Although a large portion of university data are shared with the public, some data are restricted by the privacy protections established in laws or policies.  To comply with these mandates and to protect the university community as a whole, the university has the right and the obligation to protect, manage, secure, and control data under its purview.

III. DEFINITIONS

A.  University Data

University data are any data required to conduct the operations of the university.  University data are divided into two main categories:  protected data and public use data.  Protected data include two subcategories:  highly sensitive and restricted.

i. Protected Data – Highly Sensitive:  Data that (1) by their personal nature can lead to identity theft or exposure of personal health information, or (2) a researcher, funding agency or other research partner has identified as highly sensitive or otherwise requiring a high level of security protection.  Some examples are: data classified as secret by the Federal government, data that is often involved in identity theft (e.g. SSNs), data described in the Health Insurance Portability and Accountability Act (HIPAA) as needing to be secured, and data that could lead to financial theft (e.g. credit card information).   See Appendix A for a list of the types of data classified as Protected Data – Highly Sensitive.  This list is updated annually by the Information Security Officer.

ii. Protected Data – Restricted: Data that by their very nature or by regulation are private or confidential and must not be disclosed except to a previously defined set of authorized users.  Some examples are: data defined as confidential by the Family Educational Rights and Privacy Act (FERPA), employee performance evaluations, confidential donor information, some research data, minutes from confidential meetings, accusations of misconduct, or any other information that has been identified by the University, its contractors or funding agencies, or Federal or State regulations, as private or confidential and not to be disclosed.

iii. Public Use Data:  Data intended for general public use. An example is the university’s on-line directory.

B.  Key Personnel Responsible for the Protection of University Data (See Appendix B)

President:  The president of George Mason University, as the head of a Commonwealth of Virginia state agency, has ultimate responsibility for the university’s security program and the protection of restricted and highly sensitive data and critical system assets.   The president has delegated these responsibilities to members of the president’s Executive Council.

Chief Information Officer:  The Executive Council member designated by the university president to have executive oversight of the university’s IT security program and for the evaluation and classification of data.

Chief Data Stewards:

Senior Vice President:  The Executive Council member designated by the university president to be responsible for all restricted and highly sensitive data associated with employees, contractors, and affiliates.  In this role, the senior vice president determines who has access to such data, how it can be stored, and how it must be protected.  The senior vice president may delegate responsibility for certain data sets to others via formal memoranda.

Provost:  The Executive Council member designated by the university president to be responsible for all restricted and highly sensitive data associated with students and faculty in performance of their teaching and research activities.  In this role, the provost determines who has access to such data, how it can be stored, and how it must be protected.  The provost may delegate responsibility for certain data sets to others via formal memoranda.

Information Security Officer (ISO):  The individual designated by the chief information officer to be responsible for the development, implementation, oversight, and maintenance of the university’s IT security program.

System Owner:  The System Owner is the person responsible for operation and maintenance of a university IT system.  With respect to IT security, the System Owner’s responsibilities include establishing security awareness and training capabilities that ensure that all IT System Users receive training appropriate to their role, maintaining compliance with university and state security policies and standards in all IT system activities, and maintaining compliance with requirements specified by Data Owners for the handling of data processed by the system.

Data Owners:  Deans, vice presidents, associate vice presidents, directors, managers, or others authorized by the Chief Data Stewards to manage a subset of data.  The delegation of this authority and responsibility is accomplished by written instructions.  This person is responsible for ensuring that University data security policies are followed and for developing internal controls to ensure data security and privacy.

System Administrator:  A System Administrator is an analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian.  Their responsibilities can include administration at the system infrastructure layer and/or system application layer.  Any given system may have more than one System Administrator depending on the size and complexity of the system.  The System Administrator assists with the day-to-day administration of the university’s IT systems, and implements security controls and other requirements of the IT security program on IT systems for which the System Administrator has been assigned responsibility.  System Administrators are responsible for documenting and enabling user access to a domain of university data on those IT systems.  System Administrators also maintain records of IT System Users authorized for highly sensitive data related to those IT systems.  Responsibilities and related security resources can be found at http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm.

Data Custodians:  An individual who has been authorized by the Data Owner to be in physical or logical possession of data.  Data Custodians are responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage and for providing and administering general controls, such as back-up and recovery systems.  A Data Custodian may also be a System Administrator.

Data Processors:  An individual authorized by data owners to enter, modify, or delete data. Data Processors are responsible and accountable for the completeness, accuracy, and timeliness of the data assigned to them.

IT System Users:  Any university employee, contractor, affiliate, or duly authorized member of the community who can access restricted and/or highly sensitive university data but does not modify or delete that data.  For the purposes of the responsibilities section in this policy, IT System Users include all who have the capacity to access university data. All IT System Users, whether they be Data Owners, Data Custodians, or Data Processors, are responsible for the security and privacy of the data they access, as prescribed in this policy.

Privacy and Security Compliance Team:  A select group of deans, directors, coordinators, vice presidents, and other employees, representing their respective departments, who, under the leadership of the chief of staff, are responsible for developing policies and providing direction for overall institutional data management.

Customer:  Any employee, student, or individual not associated with the university from whom highly sensitive data is collected.

C.  Encryption

Encryption is the conversion of data into a form that is unreadable by an unauthorized user or process.  Encrypted data must be decrypted (converted back to original form) prior to use.  The university’s centrally managed encryption method requires a key for encryption and decryption.  Data Custodians must employ encryption as a means of protecting highly sensitive data.

IV. RESPONSIBILITIES

A. General

Access to university data is provided to university employees for the conduct of university business.  Protected data, as defined by this policy, will be made available to employees who have a genuine need for it.  This may include data collected from students, faculty, staff, contractors, members of the community, or those who have no affiliation with the university.  Employees accessing such data must observe the requirements for privacy and confidentiality, comply with protection and control procedures, and accurately present the data used in any type of reporting function.  Individual units or departments that have stewardship responsibility for portions of protected university data must establish internal controls to ensure that university policies are enforced.  All IT System Users, not just Data Owners, Data Custodians, or Data Processors, are responsible for the security and privacy of the data they access or store, as prescribed in this policy.

B. Compliance

i.  The university forbids the disclosure of protected data in any medium except as approved in advance by a Data Owner.  The use of any protected university data for one’s own personal gain or profit, for the personal gain or profit of others, or to satisfy personal curiosity is strictly prohibited.  Each IT System User will be responsible for the consequence of any misuse of university data.

ii.  The university forbids the storage of highly sensitive data on any data storage device or media other than a centrally managed server approved for the storage of highly sensitive data or a secure networked file storage area.  If an individual is required to store highly sensitive data for a business need, that individual must obtain permission from the Chief Data Steward.  The written request for authorization must state the unique business need, the type of data that will be stored, the type of data storage device that will be used, and the mitigating controls that will be employed to protect the highly sensitive data.  The centrally managed encryption program is required for storing any highly sensitive data on any type of device or media.  If the centrally managed encryption program is not compatible with the storage device or method, another mitigating control must be used and approved by the Information Security Officer.

See Appendix C for authorization procedures and forms that require the user to state the business need and agree to accept the responsibility to protect the highly sensitive data.  Any university employee, student or non-university individual who stores highly sensitive university data without proper permissions and protection measures is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

iii.  Should a security breach occur, the Computer Security Incident Response Team (CSIRT) will investigate and discuss with the chief information officer whether the matter should be referred to law enforcement authorities through the University Police Department.  The assistant vice president for Human Resources will review all matters involving university employees.  The dean of students will review all matters involving students.  The Office of University Counsel will review matters involving individuals not affiliated with the university.

iv.  All individuals accessing university data at George Mason University are required to comply with federal and state laws and university policies and procedures regarding data security of highly sensitive data.  Any university employee, student or non-university individual with access to university data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.

C.  The Duties of Key Personnel

Authorization for access to and the maintenance and security of all university data, particularly highly sensitive data, is delegated to specific individuals within their respective areas of responsibility.

Chief Data Stewards Responsibilities

  1. Establish policies and direction for the overall security and privacy of all University data, particularly highly sensitive data, within their respective areas of responsibility.
  2. Identify and appoint Data Owners for units within their areas of responsibility.
  3. Appoint appropriate representative individuals to the Privacy and Security Compliance Team.

System Owner Responsibilities

  1. Require that all users of the system complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually thereafter.
  2. Manage system risk and develop any additional IT security procedures required to protect the system in a manner commensurate with risk.
  3. Maintain compliance with university IT security policies and standards in all IT system activities.
  4. Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.
  5. Designate a System Administrator for the system. See http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm for a list of System Administrator responsibilities.

Data Owners Responsibilities

  1. Ensure that access and protection requirements consistent with university policies and the data classification are in place and responsive to business needs.
  2. Ensure the accuracy and quality of all data within their area.
  3. Communicate data protection requirements to the System Owner.
  4. Annually review with appropriate Data Custodians the current set of highly sensitive data access authorizations and, as appropriate, update the authority granted to each user.
  5. Ensure that authorized users of highly sensitive data are trained on their responsibilities associated with their approved access to that data.
  6. Report any possible breach in computer security or illicit use of highly sensitive data to the Support Center who will then notify the IT Security Office for CSIRT action.
  7. Review appeals of decisions to deny access to university data within their area of responsibility.

System Administrators Responsibilities
(See http://itsecurity.gmu.edu/Resources/sysadmin-resources.cfm for more details on requirements and responsibilities)
Note:  Responsibility for the security of certain systems may belong to Information Technology Systems (ITS) if the unit or department has signed a service level agreement with ITS to manage the server.

  1. Identify possible security gaps that may leave systems vulnerable to attack or intrusion and take remedial actions to make the systems secure.
  2. Ensure the usability, reliability, availability, and integrity of information systems and their data, including serving as liaisons between all parties with interests in such systems.
  3. Follow established formal procedures and tools as determined by their respective Data Owner to enable access for authorized Data Processors and IT System Users.  This includes ensuring that all specified approvals have been granted before providing an IT System User access to highly sensitive data.
  4. Maintain documentation of users who are authorized access to highly sensitive data on IT systems to which they have been assigned.  Where abuses of that authorization are discovered, make authorization withdrawal recommendations to the appropriate Data Owner.

Data Custodian Responsibilities

  1. Protect the data in their possession from unauthorized access, alteration, destruction, or usage.
  2. Use IT systems in a manner consistent with university policies and procedures.
  3. A Data Custodian may also be a System Administrator.

Data Processors Responsibilities

  1. Ensure the accurate input and presentation of data.  Each Data Processor will be responsible for any intentional misrepresentation of data.
  2. Ensure the maintenance of data integrity.  Upon recognizing that any data elements are in error, the Data Processor will notify the appropriate Data Owner.

IT System Users Responsibilities

  1. Read and, based on types of data accessed, comply with the relevant directions for “Computer Security” found at http://itsecurity.gmu.edu/.
  2. Use restricted and highly sensitive data only as required by the employee’s job responsibilities and as authorized by the appropriate Data Custodian.
  3. Respect and protect the confidentiality and privacy of individuals whose records they access.
  4. Report any possible breach in computer security or illicit use of restricted and/or highly sensitive data to the Data Owner of the IT System User’s unit.

Privacy and Security Compliance Team Responsibilities

  1. Ensure the university complies with state and federal regulations on security and privacy of university data.
  2. Educate the university community about trends in security and privacy that have the potential to affect how the university does business.
  3. Recommend to the president of George Mason University remedial action(s) to identified problems.
  4. Review policies and procedures developed by each department or unit to ensure that these departments or units have appropriate security measures that will protect university data from compromise or unauthorized access, modification, destruction, or disclosure.

D.  Organizational and Individual Responsibilities for Access Control to Highly Sensitive Data

i.  No one is permitted to access highly sensitive data unless the Data Owner has given written permission, either through established business processes or specific memorandum.  Assuming the user has documented permission to access the data, the user must not store the data unless written approval has been granted to do so through the use of the online form that requires the user to describe the unique business need for storage and the mitigating security controls.

ii.  Each department or business unit will have documented procedures, consistent with the university’s security policies, which preserve and protect highly sensitive data and are designed to accomplish these goals:

  1. Ensure the security and confidentiality of customer information.
  2. Protect against any anticipated threats to the security or integrity of such information.
  3. Guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

iii.  Each Data Owner will have a documented set of procedures for reviewing requests to access, modify, or update highly sensitive data.

iv.  The IT Security Office will be available to assist each department or business unit by reviewing their access and data security procedures.  If needed, the Privacy and Security Compliance Team will review to ensure compliance with this policy.

v.  Members of the university community may appeal any decision that denies access to university data. Appeals are to be made to the appropriate Data Owner.

E.  Public Requests for Protected Data

Requests by the public for protected data made through the Virginia Freedom of Information Act [University Administrative Policy #1117–Virginia Freedom of Information Act Requests] or other applicable law will be reviewed by the Office of University Counsel prior to any release of data.

V. TRAINING

IT System Users authorized to access highly sensitive data are required to participate in data security training commensurate with the type and use of such data. This training will be recommended annually to the Chief Data Stewards by a team drawn from the Research Office, University Life, Office of Human Resources, and the Information Security Office.  Managers are to train, or arrange for training, for all current employees who have or will have access to highly sensitive university data prior to granting access to such data.

VI. EFFECTIVE DATE AND APPROVAL

The policies herein are effective May 4, 2005.  This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.

Approved:

_/S______________________
Maurice W. Scherrens
Senior Vice President

_/S_______________________
Peter N. Stearns
Provost

Date approved: August 1, 2005
and March 2, 2009

Revised: January 29, 2013