Major Revision of Existing Policy
Minor/Technical Revision of Existing Policy
Reaffirmation of Existing Policy
I. OBJECTIVE & PURPOSE
To educate the University community about the importance of protecting data generated, accessed, transmitted and stored by the University, to identify procedures that should be in place to protect the confidentiality, integrity and availability of University data, and to comply with local and federal regulations regarding privacy and confidentiality of information.II. STATEMENT OF POLICYAll members of the University community have a responsibility to protect University data from unauthorized generation, access, modification, disclosure, transmission or destruction, and are expected to be familiar with and comply with this policy. Violations of this policy can lead to disciplinary action up to and including dismissal, expulsion, and/or legal action. Any known violations of this policy are to be reported to the University's Compliance Officer and Director of Networking, Systems and Security (NSS).A. RESPONSIBILITY FOR DATA MANAGEMENTData is a critical asset of the University. All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the University, irrespective of the medium on which the data resides and regardless of format (electronic, paper or other physical form).Departments are responsible for implementing appropriate managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of University data in compliance with this policy.Data owned, used, created or maintained by the University is classified into the following three categories:• Public• Internal Use• RestrictedDepartments should carefully evaluate the appropriate data classification category for their information and ensure compliance with applicable procedures and guidelines.B. DATA CLASSIFICATIONSPUBLIC DATAPublic data is information that may or must be open to the general public. It is defined as information with no existing local, national or international legal restrictions on access or usage. Public data, while subject to University disclosure rules, is available to all members of the University community and to all individuals and entities external to the University community.INTERNAL USE DATAInternal Use Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Use Data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data.RESTRICTED DATARestricted Data is information protected by statutes, regulations, University policies or contractual language.Restricted Data may be disclosed to individuals on a need-to-know basis only. Disclosure to parties outside the University should be authorized by the General Counsel’s Office.The classifications and examples of each type of data are summarized in table 1.
Table 1: Data Classification Categories
EAR, ITAR, safeguarding
III. STATEMENT OF PROCEDURESThe Compliance Officer and Director of Networking, Systems and Security (NSS) are the primary entities charged with developing policy and procedures subordinate to and in support of this policy. They are charged with the promotion of awareness within the University community, as well as responsibility for the creation, maintenance, enforcement and design of training on relevant security standards in support of this policy and other applicable policies. The Director of NSS will receive and maintain reports of incidents, threats and malfunctions that may have a security impact on the University's information systems, and will receive and maintain records of actions taken or policies and procedures developed in response to such reports. The Director of NSS will assist the Internal Audit Department and the Compliance Officer, as appropriate, in conducting periodic audits to determine University compliance with this policy.The Director of NSS and the Compliance Officer must be notified in a timely manner if data classified as Restricted is lost, disclosed to unauthorized parties or suspected of being lost or disclosed to unauthorized parties, or if any unauthorized use of the University's information systems has taken place or is suspected of taking place.
Copyright © 2017 University of North Florida1 UNF Drive | Jacksonville, FL 32224 | Phone: (904) 620-1000
RegulationsConsumer Information | Disability Accommodations