UL-IT-SXXX-Microsoft365-Sharing-Standard


Purpose

This standard provides guidance on how and when University public or private unit record or summary data can be shared electronically via the Microsoft 365 platform with audiences external to the University. This procedure applies to external requests that go through the IT Service Desk or directly to individuals and departments across the University for any purpose outside of internal University business.

 

External audiences can be provided with University data from a variety of platforms (e.g. official reports from the Offices of Institutional Research, ad hoc reports created by centers, colleges and departments) either electronically or in printed form. When sharing data with external audiences, providers should limit the breadth of the information to meet only the scope of the request, and not provide any additional information.

 

Individuals or units providing data in any form are responsible for the application of this procedure and its related policy (see Administrative Policy: Public Access to University Information).

 

INTERNAL SHARING???

This standard defines how and when members of the University community can share public or private unit record data and/or aggregate-level administrative data. This procedure applies to all University providers of data, including individuals and units. Units include, but are not limited to, central units (e.g., Office of Institutional Research, central work streams such as Human Resources, etc.), colleges, departments, centers, and programs.

The standard for sharing personally identifiable private student data is defined in the XXXXX. The policy defines “legitimate educational interest” as “an interest in reviewing student education records for the purpose of performing appropriate University research, educational, or administrative function” (see below examples). The University uses the same definition of “legitimate educational interest” for sharing other private data on individuals within the University.

Scope

Out of scope for this standard:

• Private data (e.g., health information (HIPAA; or ePHI), social security numbers, PCI DSS) that is classified as Private-Highly Restricted as defined in Administrative Policy: Data Security Classification will not be shared in this manner and is out of scope for this procedure.

• Those receiving requests (providers) for data from internal University audiences should be directed to Administrative Procedure: for Sharing Data with University Educational and Administrative Audiences.

• Those receiving requests (providers) for data from external University audiences should be directed to Administrative Procedure: Sharing Data with Audiences External to the University.

Definitions

Data Security Classification

 

Requirements and Procedures

Standards

Benefits of Microsoft 365

• Microsoft 365 is licensed by UL Lafayette for use by the University and is supported by UL Lafayette IT and college IT departments.

• Microsoft 365 / OneDrive offers generous file storage. OneDrive can automatically synchronize files across platforms and devices, e.g., PC, Mac, and mobile devices.

• Microsoft 365 facilitates file sharing and collaboration among UL Lafayette students, faculty and staff in accordance with the classifications of data described in the sections that follow.

• Microsoft 365 / OneDrive facilitates the sharing of public files (see Section VI Sharing Public Data) with colleagues both inside and outside of the University.

Using Microsoft 365 Securely

You as the User are responsible for securing every workstation or device you are using to access Microsoft 365 services. Talk to your college or the IT Service Desk to get help or answers to questions regarding securing your computers and other devices.

• Ensure virus/malware detection software is installed with the latest definitions.

• Keep your operating system and software up-to-date.

• Password-protect your workstation or device and use idle-time screen saver passwords where possible.

• Only use your workstation or device with the privileges of a regular user, not as a system administrator.

• Take particular care to maintain these precautions when using OneDrive to synchronize files to a device that is not issued and managed by the University.

Protecting Your Data in Microsoft 365

You as the User are also responsible for protecting the data you choose to store in Microsoft 365.

• Periodically review security and sharing settings, ensuring that information is shared only with intended audiences.

• Back up any valuable data you store in Microsoft 365 so that Microsoft 365 is not the sole repository of the data.

• Files must be stored in accordance with University and college records retention schedules.

• Storing personal files or information in your UL Lafayette Microsoft 365 account is not recommended. Data present in your UL Lafayette Microsoft 365 account may be subject to open records requests.

Protecting Confidential Data

Confidential data includes data that, if accessed by unauthorized entities, could cause personal or institutional financial and reputational loss or constitute a violation of a statute, act, law or University policy.

Confidential information should not be stored in Microsoft 365 unless the specific use has been reviewed and approved by the University’s IT Security Officer (ITSO) in consultation with relevant offices possessing expertise on the type of data involved, including the Provost.  

Examples of confidential data include but are not limited to:

• Personally Identifiable Information (PII) including but not limited to social security number, date of birth, mother’s maiden name, passport number, driver’s license number, taxpayer identification number, bank account and credit/debit card numbers.

• Data, such as student educational records, covered by the Family Educational Rights and Privacy Act (FERPA). This includes class rosters, test scores, grades and financial aid information that can be associated with an individual.

• Protected Health Information (PHI), including medical records, health status, and records covered by health privacy laws.

• Citizenship information.

• Payment cardholder information requiring protection under the Payment Card Industry Data Security Standard (PCI DSS), such as credit and debit card numbers, card expiration, etc.

• Trade secrets, intellectual property or information that may be relevant for the creation of a University, faculty or student owned patent.

• Research data under a restricted data use agreement or other IRB data and relevant restrictions that do not explicitly permit cloud storage.

• Passwords and access codes.

Protecting Sensitive Data

Sensitive data is information generally used internally at the University or with its authorized partners. If released to unauthorized individuals, sensitive data would not result in financial loss or legal compliance issues but would negatively affect the privacy of the individuals named or the integrity or reputation of the University. 

Sensitive data may be stored and shared in Microsoft 365 but must be stored and shared in a secure manner in accordance with Sections II and III above regarding “Using Microsoft 365 Securely” and “Protecting Your Data in Microsoft 365.”

This includes but is not limited to the following:

• Email and other communications regarding internal matters which have not been specifically approved for public release.

• Proprietary financial, budgetary or personnel information not explicitly approved by authorized parties for public release.

• Identities of donors or other third-party partner information maintained by the University not specifically designated for public release.

Sharing Public Data

Public Data refers to data that does not meet the criteria for Confidential or Sensitive Data as defined above. Although Public Data is not Confidential or Sensitive, access to it must be managed in a safe and secure manner to maintain its integrity.

Public data may be stored and shared in Microsoft 365.

Best practices for sharing Public Data:

• Use folders to share groups of files with others online.

• Share files with specific individuals, never with “everyone” or the “public.”

• Be careful when sending links to shared folders because they can be forwarded to others to whom you did not intend to provide access.

• Remember that once a file or information is shared, the recipient can download it to a device and share it with others.

• Remove individuals when they no longer require access to files or folders.

• Shared OneDrive files and folders will have a defined time limit on their sharing. That time limit can be renewed.

 

Roles And Responsibilities Regarding Enforcement

Each University department/unit is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to assure compliance with this standard.

The Office of the Chief Information Officer is responsible for enforcing this standard.

 

Non-Compliance And Exceptions

Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.

Any device that does not meet the minimum security requirements outlined in this standard may be removed from the UL IT network, disabled, etc. as appropriate until the device can comply with this standard.

Exceptions to this standard may be submitted in writing to the UL Lafayette IT Security Officer, who will assess the risk and make a recommendation to the UL Lafayette Chief Information Officer. Written approval must be obtained from UL Lafayette IT prior to utilizing any exceptions. Exceptions must be reviewed for reauthorization on no less than an annual basis.

 

APPLICABLE UL LAFAYETTE IT POLICIES:

Comprehensive Information Security Program:

http://helpdesk.louisiana.edu/sites/helpdesk/files/UL%20Lafayette%20Comprehensive%20Information%20Security%20Program%20-%202014.pdf

 

RELATED UL LAFAYETTE IT POLICIES and/or STANDARDS:

RESPONSIBLE OFFICE: Information Technology

APPROVAL AUTHORITY: Gene Fields, Chief Information Officer

STANDARDS MANAGER:

CONTACT:

EFFECTIVE DATE:

NEXT SCHEDULED REVIEW:

REVISION HISTORY:

Date

Change Description

 

XXX XXXXX (Initial Draft Submitted)

 

 


OSRP must approve sharing of any research data. Please refer to the University policy on management and sharing of research data and the OSRP data sharing and use agreements.

 


Details

Article ID: 20095
Created: Wed 4/2/25 4:57 PM
Modified: Wed 4/2/25 4:57 PM