Information system access control

The purpose of this policy is to protect Lynn University information systems that collect, store, process, maintain, use, share, disseminate or dispose of institutional data in accordance with the university’s data classification policy. Access control ensures that authenticated user access only those information systems and institutional data for which that data user is authorized to access.

It is the policy of Lynn University to limit access to university information systems that collect, store, process, maintain, use, share, disseminate or dispose of institutional data in accordance with the university’s data classification policy to authenticated data users. The university employs the principle of “least privilege”, allowing access only to those authenticated data users, or processes acting on behalf of approved data users, necessary to accomplish assigned tasks in accordance with the university’s mission and business functions.

Data managers - data managers are application module administrators or power users responsible for the daily operation and management of information systems and processes that collect, manage and provide access to institutional data.

Data stewards - data stewards are university business officials (directors, managers or coordinators outside the IT department) who have direct operational-level responsibility for the management of one or more types of institutional data and have the authority (delegated from executive data stewards) to make operational decisions. Data stewards have the ability to appoint data managers for their specific subject area domain.

Data users - individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel authorized by the university to access information systems that collect, process, maintain, use, share, disseminate or dispose of institutional data.

Executive data stewards - executive data stewards are defined as institutional officers (e.g., vice presidents, deans, etc.) who have authority over policies and procedures regarding business definitions of data and the access and usage of that data within their delegations of authority. Each executive data steward appoints data stewards and data managers for their subject area domains.

High risk data - includes (1) Institutional data that is required by law/regulation to be protected; (2) Institutional data the university is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, and (3) Institutional data that could have a significant adverse impact on the university’s mission, safety, finances, or reputation if there is a loss of confidentiality, integrity, or availability of the data or information system housing the data. See the data classification and data governance policy for additional information.

Information system(s) - a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term system is used to represent all types of computing equipment and platforms that can process, store, or transmit institutional data.

Institutional data - any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any unit, program or office of the university in support of Lynn University’s mission. There are three types of institutional data: high risk; medium risk; and low risk. See the data classification and data governance policy for additional information.

Low risk data - institutional data and information systems are classified as "low risk" if they are not considered to be medium or high risk, and the data is intended for public disclosure, or the loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on the institution mission, safety, finances, or reputation. See the data classification and data governance policy for additional information.

Media - includes, but is not limited to, paper, hard drives, random access memory (RAM), read-only memory (ROM), disks, flash drives, memory devices, phones, mobile devices, networking devices, and all-in-one printers.

Medium risk data - includes institutional data and information systems not considered to be high risk, and data that is not generally available to the public, or the loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on the institution mission, safety, finances, or reputation. See the data classification and data governance policy for additional information.

Mobile device - any handheld or portable computing device running an operating system optimized or designed for mobile computing that is capable of accessing, storing, and manipulating information in an untethered manner (usually, but not always, through a wireless connection). This includes, but is not limited to, laptops, tablets, smart phones/cell phones, PDAs, or other portable devices. Any device running a full desktop version operating system is not included in this definition.

Payment card information - as regulated by the Payment Card Industry Data Security Standard (PCI DSS), payment card information is defined as cardholder data or sensitive authentication payment data:

• Cardholder data - full magnetic stripe or the primary account number (PAN) plus any of the following: cardholder name; expiration date; service code; CVC2/CVV2/CID (a three- or four-digit number displayed on the signature panel of the card or, in the case of American Express, on the face of the card; and
• Sensitive authentication data - magnetic strip data or equivalent on a chip, CAV2/CVC2/CVV2/CID, and PINs/PIN blocks.

Student financial information - information the university or its affiliates have obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CRF §225.28. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

To learn more about this policy or the supporting procedures, please contact  Information Technology.