Departmental Information Security Action Plan
Confidential information is defined as that information which is not releasable to the public under state or federal law, and which could reasonably be used to perpetrate identity theft, constitute a serious and unwarranted invasion of personal privacy, compromise the physical security of university employees or property, or compromise the University’s computer systems.
All academic and administrative offices within the University have the primary responsibility and authority to ensure their respective departments comply with University requirements for privacy and security of specific types of confidential information (e.g., student educational records, personnel records, health records, and financial transaction data). These units are responsible for general security issues (e.g., legal issues, security compliance, physical security and communications) as well as for completing risks assessments and assisting in the development of University IT security policies, standards and best practices in the areas of their responsibility.
ITS requests that each department engage in the necessary efforts to secure its data
from improper disclosure. Specifically, each department is charged to complete the
following Action Plan:
- Complete an audit of confidential information electronically stored in their respective
areas. For each file or database which meets the confidential criteria, complete and
submit the Confidential Information-Data Audit Report request. A help desk ticket will be generated and forwarded to ITS for the purpose of identifying
it for secure storage. When feasible, remove or redact confidential information.
- Review the ITS audit report for additional identification of confidential data residing
on departmental machines. When feasible, remove or redact confidential information.
- Move all existing confidential documents to the assigned centralized confidential
document storage space specified by ITS which requires network authentication for
access. Store all newly created electronic files containing confidential information
on this confidential document storage space. For more information on centralized confidential
document storage review this presentation (PDF).
- Once a file containing confidential information has been successfully moved to the
secure storage space, delete it from local storage and then empty the recycle bin.
- For any confidential file or data that is transmitted offsite, complete and submit
the Confidential Information-Data Transmission Report. This report allows for the establishment of a dedicated station where files can
be transmitted securely using the latest security protocols.
- Develop procedures and guidelines for your area to implement an ongoing process for
continued information security which includes periodic security reviews referencing
this action plan.