Standard 11: Safeguarding Data

Revision Number:

New Standard
Major Revision of Existing Standard
Minor/Technical Revision of Existing Standard
Reaffirmation/Review of Existing Standard

Effective Date:

2/24/2020

Revised Date:

2/24/2020

Review Date:

2/24/2020

Responsible Division/Department:
Office of the CIO / Information Technology Services

The University of North Florida's (UNF) policies, standards, and procedures must describe and require steps to protect University data using appropriate administrative, physical, and technical controls.
1. Standard 9 - Data Classification describe and require appropriate steps to protect confidential data stored, processed, or transmitted on the university's computing devices.
2. Minimum Security Standards for Applications describe and require appropriate steps to protect confidential data stored, processed, or transmitted on the university's applications.
Third party service providers storing University data. University data must not be stored on personally procured third party (e.g. Cloud) storage services. All third party services storing university data must have a valid contract in place that has been signed by a University officer with signature authority.
Password and encryption protection for computing devices and data.
1. Desktop and laptop computers.
  1. All desktop and laptop computers owned, leased, or controlled by the University must be password protected and encrypted regardless of data classification, using methods approved by the UNF Chief Information Security Officer.
2. Other mobile devices.
  1. All other mobile devices, including but not limited to mobile and smart phones, and tablet computers, that are owned, leased, or controlled by the University, must be password protected and encrypted, regardless of data classification, using methods approved by the UNF Chief Information Security Officer.
  2. All USB drives and similar removable storage devices owned, leased, or controlled by the University must be password protected and encrypted, using methods approved by the UNF Chief Information Security Officer, before storage of any sensitive University data on the device.
3. Personal owned devices. Specific permission must be obtained from the data stewards before a user may store sensitive University data on any personally owned computers, mobile devices, USB drives, or similar devices. Such permission should be granted only upon demonstration of a business need and an assessment of the risk introduced by the possibility of unauthorized access or loss of the data. All personally owned computers, mobile devices, USB drives, or similar devices must be password protected and encrypted using methods approved by the UNF Chief Information Security Officer if they contain any of the following types of University data:
  1. Information made confidential or sensitive by Federal or State law, regulation, or other legally binding order or agreement;
  2. Federal, State, University, or privately sponsored Research that requires confidentiality or is deemed sensitive by the funding entity; or
  3. any other Information that has been deemed by UNF as essential to the mission or operations of the University such that its integrity and security should be maintained at all times.
4. Approved encryption methods are published and maintained by UNF IT Security and are listed in Standard Definitions.
5. Exceptions must be filed with IT Security in the event of hardware compatibility conflicts, technology limitations for certain types of devices, etc. All exceptions must note why alternative solutions are not possible (newly purchased hardware should be selected to adhere to UNF standards prior to purchase) and identify the compensating controls that will be implemented to offset the risk created by the lack of encryption. A single exception may be filed for a number of devices as long as the devices can be uniquely identified (e.g., UNF tag, serial number or MAC address).
Assured access to encrypted data.
1. Data and device owners are responsible for ensuring encrypted data will be accessible in the event decryption keys or related credentials become lost or forgotten and no other copy of the data is available. Only escrow methods approved by the UNF Chief Information Security Officer are permissible.
Protecting data in transit. Data owners shall implement appropriate administrative, physical, and technical safeguards necessary to adequately protect the security of data during transport and electronic transmission. Each of the following shall be addressed:
1. Identification and transmission of the least amount of confidential or sensitive data required to achieve the intended business objective;
2. Encryption of all confidential or sensitive data transmitted over the internet or the UNF network;
3. Encryption of all confidential or sensitive data transmitted between institutions and shared data centers; and
4. Deletion of transmitted and received confidential or sensitive data upon completion of the intended business objective.
Discarding electronic media. For electronic devices and media containing University data:
1. IT Security will establish and maintain acceptable standards for media destruction, in a manner that adequately protects the confidentiality of the data and renders it unrecoverable, such as overwriting or modifying the media to make it unreadable or indecipherable or otherwise physically destroying the media.
2. Such destruction must be in accordance with the applicable institutional records retention schedule.
The University shall adopt and implement a policy for internet website and mobile application security procedures that complies with this standard and aligns with the Minimum Security Standards for Applications. The Chief Information Security Officer is responsible for developing and implementing the policy and procedures in conjunction with the General Counsel's office, Compliance Officer, Privacy Officer, and other officials responsible for compliance with privacy laws (including PCI and FERPA) and data security laws. The policy and procedures should consider business processes such as contracting, acceptance testing, and system deployment, etc.
1. Before deploying an internet website or mobile application that processes confidential or sensitive University information, the developer of the website or application must submit to IT Security the information required by the Minimum Security Standards for Applications to protect the privacy of individuals by preserving the confidentiality of information processed by the website or application.
2. Before deploying an internet website or mobile application that processes confidential or sensitive University information the website or application must be subjected to a vulnerability and penetration test conducted internally or by an independent third party. IT Security shall review and accept the findings.