Connectivity
- Network Services & Internet Access
- E-mail & Calendar Resources
- Web Publishing
- Telephone & Cable TV
- Public Printing
Hardware & Software
Equipment
Consulting Services
Business Partners
Information Technology Policies
Information Technology Policies
- About Policies
- Information Security
- Web Site Privacy
- Web Policy
- Web Site Terms & Conditions of Use
- Computer Purchase & Support
- Virtual Private Network Policy
- Identification, Authentication & Authorization Policy
- Faculty Computer Policy
- Electronic Commerce Policy
- DMCA Compliance
- Data Access Policy
- Information Technology Computer Use Policy
- Computer & Network Usage
- Business Computing Policy
Additional Information
Data Access Policy
Policy Statement
All College data is classified into defined access levels. Data may not be accessed without proper authorization.
Authority
This policy is approved by the CIO.
Summary
The purpose of this policy is to protect the information resources of the College from unauthorized access or damage. The requirement to safeguard information resources must be balanced with the need to support the pursuit of legitimate academic objectives. The value of data as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions to its access.
1. Classification of Data
All College data is classified into levels of sensitivity and risk. These classifications of data take into account the legal protections (by statute, regulation, or by the data subject’s choice), contractual agreements, ethical considerations, or strategic or proprietary worth. Data can also be classified as a result of the application of “prudent stewardship”, where there is no reason to protect the data other than to reduce the possibility of harm or embarrassment to individuals or to the institution.
Classification Levels
The classification level assigned to data will guide data owners, data stewards, business and technical project teams, and any others who may obtain or store data in the security protections and access authorization mechanisms appropriate for that data. Such categorization encourages the discussion and subsequent full understanding of the nature of the data being displayed or manipulated. Data is classified as one of the following:
- Public. Access to “Public” institutional data may be granted to any requester. Public data is not considered confidential. Examples of Public data include published directory information and academic course descriptions. The integrity of Public data must be protected, and the appropriate owner must authorize replication of the data. Even when data is considered Public, it cannot be released (copied or replicated) without appropriate approvals.
- Internal. Access to “Internal” data must be requested from, and authorized by, the Business Owner who is responsible for the data. Data may be accessed by persons as part of their job responsibilities. The integrity of this data is of primary importance, and the confidentiality of this data must be protected. Examples of Internal data include financial, project, human resources and budget information.
- Restricted. Access to “Restricted” data must be controlled from creation to destruction, and will be granted only to those persons affiliated with the College who require such access in order to perform their job, or to those individuals permitted by law. The confidentiality of data is of primary importance, although the integrity of the data must also be ensured. Access to restricted data must be requested from, and authorized by, the Business Owner who is responsible for the data. Examples of Restricted data include student registration, grades, financial aid data and research data. Access to this data may be further legally restricted by federal or state law.
- Restricted-Health. Access to “Restricted-Health” data is controlled in the same fashion as Restricted data, but with the additional requirements that the location of all Protected Health Information (PHI) must be registered. Release of PHI is restricted to the minimum necessary. Business Associate Agreements may be required for external sharing and signed confidentiality agreements must be obtained before access is granted to users. Examples of Restricted-Health data include medical records, health related research data, and other PHI.
Control requirements for data based on classification:
| Data Classification | |||||
|---|---|---|---|---|---|
 |
Public | Internal | Restricted | Restricted-Health | |
| Access – Read Only | No Controls | Role Based | Individually Authorized | Individually Authorized, signed confidentiality | |
| Access – Write | Role Based | Role Based | Individually Authorized | Individually Authorized, signed confidentiality | |
| Secondary Use | As authorized | As authorized | Prohibited | Prohibited | |
| Physical Data Storage | No controls | Non-public Area | Access controlled by area | Access controlled by area | |
| Communication | No controls | Encryption not required | Encryption may be required for external transmission | Encryption may be required for external transmission | |
| Data Tracking | No controls | No controls | No controls | Location must be registered in central repository | |
| Destruction | No Controls | Erase media | Overwrite media | Overwrite media | |
| Auditing | No Controls | Log changes | Log all changes | Log all accesses and changes | |
| Workstation placement | No Controls | Non-public area | Non-public area | Access Controlled Area | |
Relationship to Information Security
The more institutional or personal damage that might result from unauthorized access to (or modification of) some particular data, the higher the level of risk (sensitivity) associated with that data. The higher the sensitivity of the data, the greater the amount of information security that must be applied for its protection. Similarly, data with lower levels of sensitivity can be protected with less rigorous measures.
Relationship to Other Information Assets
Once the appropriate level of protection of the data has been determined, the same level of protection is applied to all other related information resources (i.e. servers, network segments, desktop computers).
2. Roles and Responsibilities
Chief Information Security Officer
The Chief Information Security Officer implements policies and procedures to comply with the Family Education Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), and others governing the treatment of individually identifiable information.
Health Privacy Officer
The Health Privacy Officer implements policies and procedures to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPPA) as it governs the treatment of individually identifiable information.
System and Data Owners
System and data owners working with IT are responsible for the application of this and related policies to the systems, data, and other information resources under their care or control.
System Administrators
System administrators are responsible for the application of this and related policies to the systems, data and other information resources in their care at the direction of the system and data owners
Users
Every user of Bowdoin’s information resources is responsible for the application of this and related policies to the systems, data, and other information resources in their care.