Data classification and data governance policy

Purpose

The purpose of this policy is to provide a data governance framework for securing institutional data from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal by outlining measures and responsibilities required for securing institutional data systems.

Policy

It is the policy[1] of Lynn University to maintain a data governance framework that includes policies, procedures, standards and controls with the goal of improving institutional data quality, protecting access to data, establishing business definitions, and documenting processes that impact data. Data security standards and controls are implemented commensurate with institutional data value, sensitivity, and risk. Standards such as NIST 800-60 v1 and v2 and FIPS 199 should be referenced where applicable.

Definitions

Cloud computing/cloud computing environment - encompasses utilizing any external computing, software services, or hosting environment that is not directly controlled by the university.

Data stewards - data stewards are university business officials (directors, managers or coordinators outside the IT department) who have direct operational-level responsibility for the management of one or more types of institutional data and have the authority (delegated from executive data stewards) to make operational decisions. Data stewards have the ability to appoint data managers for their specific subject area domain.

Data managers - data managers are application module administrators or power users responsible for the daily operation and management of systems and processes that collect, manage and provide access to institutional data.

Data users - individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel authorized by the university to access information systems that collect, process, maintain, use, share, disseminate or dispose of institutional data.

Executive data stewards - executive data stewards are defined as institutional officers (e.g., vice presidents, deans) who have authority over policies and procedures regarding business definitions of data and the access and usage of that data within their delegations of authority. Each executive data steward appoints data stewards and data managers for their subject area domains.

IT coordinators - IT coordinators are information technology staff responsible for the daily operation and management of systems, processes and applications that collect, manage, bridge and provide access to institutional data.

Information system(s) - a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term system is used to represent any method that can process, store, or transmit institutional data.

Institutional data - any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any unit, program or office of the university in support of Lynn University’s mission. There are three types of institutional data: high risk, medium risk, and low risk.

Media - includes, but is not limited to, paper, hard drives, random access memory (RAM), read-only memory (ROM), disks, flash drives, memory devices, phones, mobile devices, networking devices, and all-in-one printers.

Mobile device - any handheld or portable computing device running an operating system optimized or designed for mobile computing that is capable of accessing, storing, and manipulating information in an untethered manner (usually, but not always, through a wireless connection). This includes, but is not limited to, laptops, tablets, smart phones/cell phones, PDAs or other portable devices. Any device running a full desktop version operating system is not included in this definition.

Procedures/Guidelines

Not applicable.

To learn more about this policy or the supporting procedures, please contact Information Technology.

[1] This policy describes Lynn University data classification and data governance definitions and procedures. Appreciation is extended to Stanford University, Carnegie Mellon University, Ohio State University, The George Washington University, Northern Illinois University, and University of Florida for permission to use their standards, policies and classification documents as a model.

Policy updated on: Jun. 1, 2021