Description of Risk
Data compromised or lost due to poor data stewardship may have adverse effects on business operations, competitiveness, and public relations. Monetary loss to individuals and the Institute may occur if the compromise is severe enough. It is the responsibility of Georgia Tech, through the chief data stewards, to implement procedures to effectively manage and provide necessary access to Institute data, while at the same time ensuring the confidentiality, integrity, availability, accountability, and auditability (CIAAA) of the information. Appropriate implementation of the policy will ensure Institute compliance with the Federal Trade Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), as well as the Family Educational Rights and Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Data is an important campus unit business asset. “Data stewardship,” for the purpose of this section of this document, is defined as the prudent management of Georgia Tech’s data. Georgia Tech’s data is defined as:
- Data provided to external stakeholders (public and private organizations with which Georgia Tech conducts business such as other U.S. Department of Defense offices, Congress, other government agencies, laboratories, contractors, and the general public)
- Data provided to internal stakeholders (individual organizational components that comprise Georgia Tech)
- Data that may be of a sensitive nature (budget, personnel, proprietary, credit card, reviewer, and procurement data).
It is management’s responsibility to ensure:
- The confidentiality, availability, and integrity of Institute, proprietary, and personnel data held by the unit or accessed through the unit’s information systems
- That credit card and other financial instruments are protected and that credit card information meets the requirements of Institute policies (no unit should be processing or storing credit card information outside of the Institute’s approved processing environment).
Maintain a policy that answers the following questions as they apply to your unit:
- Can you identify what business, academic, or research functions are supported by applications running on departmental servers and individual workstations?
- Is there a single point of contact regarding the integrity of the data? Who assigns access to PeopleSoft, Banner, Data Warehouse, and other Institute systems?
- How are staff/faculty/students made aware of network security issues? Is that procedure documented?
- Who determines access to applications, files, and data stored on your file server?
- What are your safeguards to ensure that outside entities that have been granted access to the Georgia Tech information system infrastructure do not have access to sensitive files or data repositories within the unit?
- Does the unit use any type of nondisclosure agreement to protect data or intellectual property? Who keeps these?
- Do you accept/store or process credit card information in any of your unit activities?
“How do we do all that?”
EMPOWER THE PEOPLE RESPONSIBLE
Deans, vice presidents, and associate vice presidents are responsible for monitoring compliance with the Data Access Policy and associated guidelines by:
- Directing the reviews of, and responding to technical reports for, servers within units for which approval has been given to store sensitive information
- Ensuring that all sensitive information and unit level servers are registered with OIT Information Security (email: email@example.com)
- Coordinating with OIT Information Security to ensure that the server(s) providing this information to the campus network and Internet are secured through reasonable procedures
- Conducting periodic access control assessments of any sensitive information devices or services within their business units, in coordination with OIT Information Security.
COMMUNICATE WITH EVERYONE IN THE UNIT
Post policies and procedures. Hold routine training.
DISSEMINATE POLICIES AND PROCEDURES
Write it down to prevent confusion.
Under regulations promulgated in May 2000, colleges and universities are deemed to be in compliance with the privacy provisions of the GLB Act if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). However, higher education institutions are subject to the provisions of the Act related to the administrative, technical, and physical safeguarding of customer information.
Related Issues
Review the Georgia Tech and other data-related policies: