(D101) Classification and Use of Information Assets
This policy applies to the creation, collection, classification, use, and retention of electronic information for academic, research, and administrative purposes.
As a routine matter, data in electronic form is created, collected, used and maintained by members of SUNY Polytechnic Institute community for educational, research, public service and health care purposes. Each person with access to SUNY Polytechnic Institute data shall comply with applicable data protection and control procedures, and shall secure that data against inappropriate, unauthorized or illegal use.
- Assessment of the inventory of information assets is a critical step in protecting those elements that need special handling. The inventory includes assessments based on general personal information (ID Theft), those elements protected by FERPA and HIPAA where applicable, and data that must be restricted based on Gramm-Leach-Bliley (GLB).
- The Security Steering Committee will specify the composition of sub-groups that will take responsibility for the inventory. These groups will be authorized by the Steering Committee to conduct the inventory.
- Data elements are to be classified as public, private or sensitive based on applicable laws, SUNY Polytechnic Institute policies, and potential reputational damage that may occur should the data be compromised.
- Identified data elements will be further classified by the applications that need them to meet the educational and business needs of SUNY Polytechnic Institute.
- Classification of the data element will include combinations of data. For example, a Social Security number by itself has no intrinsic value. However, combined with other data elements like name, address, date of birth, raise the level of sensitivity. Applications that contain these combinations of data elements must be classified to afford the highest level of protection.
- Data Stewardship: The Chief Information Officer (CIO) and designated data custodians for each office of record shall ensure that University data is created, used, maintained, disclosed and disposed of according to applicable law, regulation or SUNY Polytechnic Institute policy.
- Data custodians shall develop appropriate access controls to data in the department, division or unit under their supervision, consistent with the data's confidentiality, sensitivity and use. Disclosure or distribution of SUNY Polytechnic Institute data is prohibited unless authorized in writing by SUNY Polytechnic Institute counsel. SUNY Polytechnic Institute maintains audit trail records in accordance with legal requirements.
- Data Retention: The IT Department maintains electronic backups of data. Please direct all requests to the Chief Information Officer.
- Data Security: All transmissions of confidential data shall be over a secured channel or be encrypted.
- Managers shall promptly report changes in employee job status or duties involving data access to the appropriate data custodian and to the Chief Information Officer.
- Generally, disclosure of confidential information, including, by way of example only, personnel, student, financial and patient information is prohibited by law. Access to this data is available only to persons with a "need to know" by virtue of their job responsibilities, in accordance with law, or an authorized request.
- Data Exchange Agreements with state, local or federal agencies and any lease, permit or contract with a third party that may involve access to SUNY Polytechnic Institute data shall include a statement of compliance with SUNY Polytechnic Institute policies on data security and confidentiality. All Data Exchange Agreements must be approved by the appropriate data custodian and the Information Security Committee.
- Physical Security: All computers, data storage media and storage repositories that contain confidential information must be secured against loss or tampering.
Portable computing devices such as laptops, hand-held equipment (PDAs) and data storage media pose a significant risk for the exposure of protected information and potential access to SUNY Polytechnic Institute’s administrative systems. For these reasons, special care must be exercised when utilizing these devices. All protected data stored on portable devices must be encrypted. In addition, the login settings for these devices should never be set for automated login to any SUNY Polytechnic Institute administrative application. All administrative systems shall have and document backup and recovery procedures. The backup media must be stored in a secure location off site. The IT Department shall test these procedures on a periodic basis.
- Penalties for Misuse: The inappropriate or illegal use of SUNY Polytechnic Institute data is a violation of SUNY Polytechnic Institute policy that will subject the violator to disciplinary procedure. Individuals that misuse SUNY Polytechnic Institute information technology resources may lose information technology privileges and be referred for prosecution by state or federal authorities.
Policy adopted from StonyBrook.edu as of March 1, 2017