Standard for Data Management and Security

Purpose

This set of standards interprets our policies into operational requirements for data storage and sharing data according to Indiana State University's Data Security and Management Policy found in section 830 of the University Policy Library.  

Application

• These standards apply to the storage and sharing of institutional data regardless of the form or medium in which the data are created or received.     
• Standards are required behaviors by students, faculty, and staff. 
• Failure to meet standards may result in a documented incident reported and filed under the Acceptable Use of Information Technology Policy found in section 810 of the University Handbook.  

Exceptions

• These standards are intended to address 80% of the operational uses for data storage and management and should address most day-to-day uses.  Request a consultation with your OIT Consultant if you have a need for storing or sharing data that is not described in the standards below.

• Some classifications of data may be stored on workstations for short periods of time as required for processing. 

  • If stored locally on such a temporary basis, data must be encrypted and protected from unauthorized access and must be moved to institutional storage as quickly as possible and deleted from the hard drive and the recycle bin.   

  • Hard drives on ISU desktops are not encrypted; hence, certain types of data must never be stored on a desktop hard drive, as indicated in the standards matrix.   

• Grant/Contract-controlled data must be protected according to specific requirements set out in the governing grant or contract (which includes, but is not limited to, non-disclosure agreements, confidentiality agreements, data use agreements, etc.).

  • The requirements may not correspond exactly with the University's data classification levels.

  • In these cases, all requirements specified in the grant/contract must be met first.

  • The data should be classified at the level that most closely corresponds to the specified requirements and, if there are additional protections required by that data classification level, those protections must be applied as well.

Standards

1. Never leave computers logged on and unattended, as this makes data you have access to available to others. 

• Log off at the end of each session or  

• Lock your computer with access control software (i.e., screen saver with password) during unattended use  

2. Store and share data according to the data classifications described in the Indiana State University Data Storage Standards Policy Matrix.

3. Personal devices should never be used to store university Internal, restricted, or highly restricted data.

4. Personal devices should never be used for the administration of systems storing or transmitting university Internal, restricted, or highly restricted data.

5. ISU Staff and Faculty should understand individual roles and responsibilities required to meet regulatory compliance requirements when generating, storing, using, sharing, and managing regulated data. (See: Different Types of Regulated Data at ISU)
   .      

   NOTE: Contact email above is deprecated, please contact OIT Help Desk for questions regarding this document