North Dakota University System
NDUS Procedures

SUBJECT: 1900s: Miscellaneous
EFFECTIVE: June 1, 2015
Section: 1901.2.1 Data Classification and Information Security Standard

Standard

This standard specifies requirements to protect the confidentiality of North Dakota University System data. All data must be assigned to one of three classification categories based on considerations such as compliance, federal and state regulations, contractual agreements, privacy, sensitivity, and risk. Data must be protected with the security controls specified in section 2 (Security Controls and Protection of Data) of the Standard Details below; the level of protection required is determined by the classification assigned to the data.

Purpose of Standard

The purpose of this standard is to help members of the North Dakota University System (NDUS) properly classify data so that they can apply the appropriate level of security to the information systems and data for which they are responsible.

Definitions

Data - Information collected, created, maintained, transmitted, or stored by or for the University System to conduct university business. It includes, but is not limited to, information in electronic, paper, video and audio formats.
Confidentiality - Access to information is limited to those persons authorized to use the information.
Integrity - Maintaining and assuring the accuracy and consistency of data over its entire life cycle.
Availability - The computing systems used to store information, the controls used to protect information, and the communications channels used to access information must be functioning correctly.
NIST-approved encryption - Encryption using algorithms, key lengths and modes approved by the National Institute of Standards and Technology (NIST). NIST develops cryptographic standards (the FIPS and SP 800 series) that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data.
Computing equipment - Any NDUS or institution system, desktop, laptop, or portable device.
Multi-factor authentication - A method of computer access control in which a user presents at least two of the authentication factors from these categories:
  - Something the user knows, such as a password
  - Something the user has, such as a token, device, or certificate
  - Something the user is, such as a biometric

STANDARD DETAILS
  1. Data Classification
    1. All data must be assigned to one of three data classifications. The three classifications are, from most to least restrictive:
      1. Restricted
        This is data that requires the highest level of protection. It is data protected by federal or state laws, regulations, contracts, or policy. The unauthorized disclosure of restricted data would typically require the university system to report the disclosure and/or provide notice to the individual whose data was inappropriately accessed.
      2. Private
        This is data that should not be available to the public. It is data that may be protected by federal or state laws, regulations, contracts, or policy. This data requires protection, but not at the same level as "Restricted" data.
      3. Public
        This is data that is not considered to be "Restricted" or "Private". It is data that can generally be released to the public. It typically requires minimal protection.

    2. The classification of common data elements and their permitted use in University System services and user activities are specified in the following documents:
      1. Classification of Common Data Elements
      2. Permitted Data Usage by Service and Activity

  2. Security Controls and Protection of Data
    1. Access
      1. Restricted Data - Access is limited to those permitted under law, regulation, and NDUS or institution policies, and with a need to know. All access to "Restricted" data and systems storing "Restricted" data must be authenticated using a multi-factor authentication mechanism.
      2. Private Data-Access is limited to those with a need to know, at the discretion of the NDUS or institution. All access to "Private" data and systems storing "Private" data must be authenticated.
      3. Public Data-Anyone may access "Public" data. However, care should be taken to use "Public" data appropriately and to respect all applicable laws, such as North Dakota's Open Records and Meetings law.

    2. Transmission
      1. Restricted Data - NIST-approved encryption is required when transmitting information through a network.

      2. Private Data - NIST-approved encryption is strongly recommended when transmitting information through a network.
      3. Public Data - No encryption is required for "Public" data.

    3. Storage
      1. Restricted Data - NIST-approved encryption is required for any "Restricted" data stored on NDUS or institution computing equipment. Storage of "Restricted" data is not permitted on personally owned devices unless otherwise authorized under section 2.8 (Personally owned devices) below. If full-disk encryption is used (rather than file-level or column-level database encryption), logical access to the encrypted data must be managed separately and independently of the native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials to unlock the volume), and decryption keys must not be tied to user accounts. The reason for this requirement is that full-disk encryption protects data only while the device is powered off or the volume is locked; once the operating system has booted and a user has logged in, the data is readable by anything running under that user's account.
      2. Private Data - NIST-approved encryption is strongly recommended for any "Private" data stored on NDUS or institution computing equipment or personally owned devices.
      3. Public Data - No encryption is required for "Public" data, however, care should be taken to protect the integrity of the data.
      4. The NDUS, in collaboration with the individual institutions, may implement technologies or establish procedures to discover "Restricted" and/or "Private" data stored on any NDUS or institution owned devices and any personally owned device connecting to an NDUS or institution network. When "Restricted" or "Private" data is found, the NDUS and the institution will work with the responsible party to protect or remove the data.

    4. Logging and Security Monitoring
      1. Restricted Data - All access to "Restricted" data stored on servers must be logged. Logs should be routinely monitored, reviewed and analyzed. Security logs should be properly secured (access control, centralized storage, integrity, etc.) and retained in accordance with data retention requirements.
      2. Private Data - Logging of access to "Private" data is highly recommended.
      3. Public Data - Logging of access to "Public" data is not required.

    5. Backups and Availability
      1. Data critical to the mission and operation of the NDUS or the institution must be backed up according to established procedures.
      2. Data having value beyond the person who created it or data critical to the mission of the NDUS or the Institution must be located on centralized servers maintained by the NDUS or institution, unless otherwise authorized by the institution or University System CIO.

    6. Sharing and Relinquishing Data
      1. Individuals with access to "Restricted" or "Private" data must safeguard their access and not share this data without the express permission of their supervisor and in accordance with their Institution's policies and procedures.
      2. All individuals with access to "Restricted" or "Private" data are required to relinquish this data upon termination or as required by changes in their role or relationship with the University System or institution.

    7. Data destruction
      1. To prevent unauthorized disclosure of "Restricted" or "Private" data, computing equipment containing this data must be properly disposed of using destruction methods that meet the legal, regulatory, and/or NDUS or institutional requirements.

    8. Personally owned-devices
      1. The NDUS and institutions may define standards for the types of devices permitted to access and store "Restricted" or "Private" data, including the types of personal devices permitted, if any.
      2. All devices permitted to access and/or store "Restricted" or "Private" data, including personally owned devices, must adhere to NDUS and institutional security standards and procedures. This may involve the installation of various management and threat protection programs.

  3. Records Management
    1. NDUS and institutional data may constitute official university records.
    2. University records need to be managed in accordance with approved records retention and disposition schedules consistent with records management policies and guidelines. North Dakota State law requires that these records not be discarded or destroyed in advance of the authorized disposition date.

  4. Open Records
    1. NDUS and institution records are generally "public records" available to the public under the State of North Dakota's Open Records and Meetings Law. Some records are protected by federal or state law or are otherwise exempt from disclosure.
    2. Release of records in response to a public records request must be made in accordance with all NDUS policies and procedures.

  5. Training and Annual Review
    1. All individuals who access "Restricted" data must complete the Data Protection Training course annually, at a minimum.
    2. Individuals needing access to "Restricted" data must work with their supervisor and either the appropriate Campus Access Control Officer (CACO) or institution Information Technology Security officer (ITSO) to ensure the access is appropriate to the employee's duties. Individual access to "Restricted" data will be reviewed, on an annual basis, with the employee's supervisor, and any necessary changes will be coordinated with the appropriate CACO or institution ITSO.

  6. Reporting Unauthorized Access
    1. Any suspected loss, unauthorized access, or exposure of "Restricted" or "Private" data must be immediately reported to the NDUS Core Technology Services (CTS) Office of Information Security or the institution's IT Security Officer or CIO.
Contacts

Subject: Policy questions
Office: NDUS Core Technology Services (CTS) Office of Information Security
Phone: (701) 777-3587
Email: InfoSec@ndus.edu

Subject: Report a suspected data loss, unauthorized access or exposure
Office: NDUS Core Technology Services (CTS) Office of Information Security, or the institution's IT Security Office or CIO
Phone: (701) 777-3587, or the institution's own contact number
Email: InfoSec@ndus.edu, or the institution's own contact address

History:
Issued: February 12, 2015