Current through all regulations passed and filed through September 16, 2024
(A)
Policy
statement
The confidentiality, integrity, and
availability of sensitive data requires the use of reasonable and appropriate
logical and technical security controls. The university will secure its
technology assets through measures designed to limit access to sensitive data
to authorized users. These measures may include logical access controls,
identity controls, workstation and server controls, audit logs, and encryption
technology.
(B)
Purpose
This policy defines logical access
controls and technical safeguards and prescribes their use for technology
assets that access, create, process, transmit, receive, or destroy sensitive
data.
(C)
Scope
This policy applies to all university
operating units, and to any university partnerships, vendor/vendee
relationships or other contractual relationships where sensitive information
may be exchanged, accessed, processed, otherwise disclosed.
(D)
Definitions
(1)
Device. As used in this policy, "device" shall retain
its meaning as defined in paragraph (D) of rule
3364-65-05 of the Administrative
Code (technology asset management).
(2)
Information
technology asset. Information technology assets "IT assets" shall retain their
meaning as defined in paragraph (D) of rule
3364-65-05 of the Administrative
Code (technology asset management).
(3)
Sensitive data.
Sensitive data is data for which the university has an obligation to maintain
confidentiality, integrity, or availability.
(4)
Technology asset.
Technology assets shall retain their meaning as defined in paragraph (D) of
rule 3364-65-05 of the Administrative
Code (technology asset management).
(5)
Workstation. As
used in this policy, "workstation" shall retain its meaning as defined in
paragraph (D) of rule
3364-65-05 of the Administrative
Code (technology asset management).
(E)
Policy
(1)
Access, identity,
and audit controls. The university will implement procedures to limit access to
sensitive data only to authorized users of the data. The requirements for
access and identity controls are established under rule
3364-65-02
of the Administrative Code (information security and technology administrative
safeguards).
(2)
Workstation and device controls. The logical access
control and technology safeguard requirements for devices and workstations are
established under rule
3364-65-06 of the Administrative
Code (device and workstation policy).
(3)
Contingency
plans. Procedures for developing contingency plans are established under rule
3364-65-02
of the Administrative Code (information security and technology administrative
safeguards).
(4)
Encryption. Strong encryption, as designated by the
information security office and informed by a risk analysis, is the default
mechanism to ensure the confidentiality of the contents of a message.
Exceptions and alternatives to this requirement may be made based on an
appropriate risk analysis.
(5)
Audit logs.
Access to university technology assets and sensitive data will be logged. The
logs will be protected from unauthorized access or modification and they will
be retained for an appropriate period of time. Information security office will
monitor and review audit logs to identify and respond to inappropriate
activities on a regular basis.
