Tufts University Information Technology
Resource Security Policy
Security of Data and Data Bases
- Each data manager will maintain records of the owner(s) of all confidential and/or sensitive information stored on his/her computer systems.
- Data stewards are responsible for conducting and documenting a risk analysis of anticipated threats to the sensitive or confidential information for which they are responsible. This analysis will be maintained and updated as conditions change.
- Data managers are responsible for the classification of information as confidential and/or sensitive. Classifications must adhere to federal and state laws and regulations, and Tufts University policies. Audit and Management Advisory Services reserves the right to review such classifications and, based on that review, make specific recommendations. Using risk analysis, data managers will map data classifications into security levels. These levels will be communicated to access coordinators and system managers along with specific recommendations regarding access to data.
- Owners of, or those who are the subject of, as applicable, confidential and/or sensitive information will identify those to whom confidential or sensitive information may be released, unless such release is otherwise addressed by applicable law. It is the data steward's responsibility to ensure that this release authorization is obtained and recorded.
- Data and system managers will be granted access to confidential or sensitive information as required to satisfy operational needs.
- Data stewards are responsible for the periodic review and updating of their data risk analysis and data security classification levels.
- Users of confidential and/or sensitive information are responsible for the proper security of that information when it is transferred from a computer system to hard-copy documents or removable media, or when it is downloaded to computers on a network. Data stewards and data managers may require that users execute a separate confidentiality agreement before being given access to confidential and/or sensitive information.
- Data stewards and data managers will make their best effort to ensure that hard-copy documents and removable media containing confidential and/or sensitive information are:
  - Made accessible only to authorized personnel
  - Accounted for
  - Properly stored in appropriate facilities
  - Properly disposed of
- Once confidential and/or sensitive information is no longer required, data stewards and data managers are responsible for ensuring that appropriate disposal or scouring procedures are used for all hard-copy documents and removable media containing that information and for all downloaded copies of it. (See also Tufts' General Policy on Access to University Records in the Archives for additional information on the disposition of confidential and/or sensitive information.)
- Data stewards are responsible for ensuring that all data stored in databases are recoverable.
- Data stewards are responsible for ensuring that authorized personnel are able to audit and establish individual accountability for any action which may provide or change access to, modify or release confidential and/or sensitive information.
- Each data or system manager, as applicable, must initiate an investigation of any suspected security breach involving data or a database for which (s)he is responsible and must document the suspected breach and actions taken. It is the responsibility of the data or system manager to notify his/her supervisor or dean as well as the Information Security Officer of any suspected security breach.