Section: General Operations
Number: 56.350
Title: Information Security


Index

POLICY

APPENDIX


POLICY


.100  POLICY STATEMENT

The Oregon University System (OUS) takes its responsibility to protect and care for the information entrusted to us by our students, faculty, staff, and partners seriously.  This policy summarizes three requirements of OUS institutions in meeting our obligations pertaining to information security:

  • Data identification and classification
  • Incident response
  • Training

In the absence of any other institutional specific policy governing information security, this policy will apply.

.110  POLICY RATIONALE

OUS seeks to ensure that the policies and procedures related to information security are documented, communicated, clearly understood, and consistently applied.

.120  AUTHORITY

.130  APPROVAL AND EFFECTIVE DATE OF POLICY

Approved by the Vice Chancellor for Finance and Administration on 06/23/10.

.140  KNOWLEDGE OF THIS POLICY

All institutional and Chancellor’s Office personnel, in the absence of a campus-specific policy, should be knowledgeable of this policy.

.160 RESPONSIBILITIES

A. INSTITUTION

I. President:

The institutional president or designee has overall oversight responsibility for institutional provisions set forth in this policy.

II. Chief Information Security Officer or equivalent:

The campus CISO or equivalent is responsible for the institution’s security program and for ensuring that procedures and standards are developed, implemented, maintained, and adhered to.

III. Records Custodian:

The following Records Custodians have management responsibility for defined segments of institutional information:

Director of Business Affairs – Responsible for institutional financial records.

Director of Human Resources – Responsible for institutional employee and employment records.

Provost or Designee – Responsible for institutional student records.

University personnel who collect data that do not fit these categories are recognized as the appropriate records custodian for that data.

Records Custodians shall do the following:

  1. Ensure compliance with contractual obligations and/or OUS, federal, state, and university policies and regulations regarding the release of, responsible use of, and access to information.
  2. Provide communication and education to users on appropriate use and protection of information.
  3. Develop and implement record and data retention requirements in conjunction with university archives.

IV. Data Owner:

The data owner, usually a director or department head, has the responsibility for the integrity, accurate reporting, and use of data in his/her department. The data owner shall:

  1. Assign information classifications based on a determination of the level of sensitivity of the information. (See Information Identification and Classification, section .210 of this policy.)
  2. Assign appropriate handling requirements and minimum safeguards which are merited beyond baseline standards of care. (See Information Handling -- Baseline Standards of Care, section .220 of this policy.)

V. User:

Individuals who are part of the OUS community, including faculty, staff, other employees, and affiliated third-party users, have a responsibility to understand the relative sensitivity of the information they handle and to protect the information entrusted to the institution.

Responsibilities include:

  1. Complying with OUS policy, procedures, and guidelines associated with information security.
  2. Implementing the minimum safeguards as required by the data owner and/or records custodian based on the information classification.
  3. Complying with handling instructions for protected information as provided by the data owner and/or records custodian.
  4. Reporting any unauthorized access, data misuse, or data quality issues to the data owner, who will follow incident response procedures. (See section .240.)

B. CHANCELLOR'S OFFICE

I. Chancellor

The OUS Chancellor or designee has oversight responsibility for the provisions of this policy.

II. Chief Information Security Officer (CISO):

The System CISO is responsible for ensuring that the institutional information security plans governing information systems, user and personal information security, physical and environmental security, and awareness and training are developed and adhered to in accordance with this policy. For OUS, this function is currently performed by the Vice Chancellor for Finance and Administration.

.200 INFORMATION IDENTIFICATION & DATA CLASSIFICATION

Each OUS institution will identify and classify its information assets into one of three levels of sensitivity and risk: Protected, Sensitive, and Unrestricted. Proper levels of protection will be implemented to protect these assets relative to the classification.

A. Protected Information

Protected information is information for which there are legal requirements for preventing disclosure or financial penalties for disclosure, e.g., personally identifiable information and student records. The highest levels of restriction apply due to the potential risk or harm that may result from disclosure or inappropriate use.

Protected information must be protected from unauthorized access, modification, transmission, storage, or other use, and should be disclosed to individuals on a need-to-know basis only. Disclosure to parties outside the university is generally not permitted and must be authorized by the data owner, as outlined in this policy.

Examples:

  • FERPA-protected student information
  • Employee data and certain personnel documents/records
  • Credit/Purchasing card numbers
  • Human subject information
  • Lab animal care information
  • HIPAA-protected health information

B. Sensitive Information

Sensitive information is information that would not necessarily expose the university to loss if disclosed, but that should be guarded against unauthorized access or modification due to proprietary, ethical, or privacy considerations. High or moderate levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use. This classification applies even though there may not be a statute, rule, regulation, university policy, or contractual language prohibiting its release.

Sensitive information must be protected from unauthorized access, modification, transmission, storage or other use, and is generally available to members of the university community who have a legitimate purpose for accessing such information. Disclosure to parties outside of the university should be authorized by the data owner, as outlined in this policy.

Examples:

  • Research data where the corresponding research is incomplete
  • Responses to a Request for Proposal before decision is reached
  • Financial transactions
  • Library transactions

C. Unrestricted Information

Unrestricted information, while subject to university disclosure rules, may be made available to members of the university community and to individuals and entities external to the university. In some cases, general public access to unrestricted information is required by law.

While the requirements for protection of unrestricted information are considerably less than for protected or sensitive information, sufficient protection will be applied to prevent unauthorized modification of such information.

Examples:

  • Publicly posted press releases
  • High-level enrollment statistics
  • Course catalog

.210 BASELINE STANDARDS OF CARE

Specific additional handling requirements above the baseline may be required by the records custodian to ensure compliance with law, policy, or contractual obligation. Advanced security practices beyond the baseline are encouraged where practicable (such as employing encryption technologies).

A. Baseline Standards for Protected Information

All computer systems (workstations and servers) which store or process protected information shall have access restricted to authorized personnel only, fully patched operating systems and applications, and current anti-virus software with current virus definitions, and, if attached to the network, shall be placed in a secured zone protected by appropriate firewall rules.

Under no circumstances shall protected information be disclosed to anyone outside OUS without authorization from the appropriate records custodian, as outlined in this policy.

If protected information needs to be transmitted, it must be encrypted using current encryption standards.

B. Baseline Standards for Sensitive Information

All computer systems which store or process sensitive information shall have access restricted to authorized personnel only, and shall have fully patched operating systems and applications and current antivirus software with current virus definitions.

All personnel granted access to sensitive information shall not disclose this information to parties outside of OUS without authorization by the appropriate records custodian, as outlined in this policy.

If sensitive information needs to be transmitted, it must be encrypted using current encryption standards.

C. Baseline Standards for Unrestricted Information

All computer systems which store or process unrestricted information shall have write access restricted to authorized personnel only to ensure that information presented is not edited without appropriate authorization. Any such computer system should have fully patched operating systems and applications, and current antivirus software with current virus definitions.

D. Mobile Computing

All mobile computer systems or portable storage media which store protected or sensitive information shall be encrypted with at least the 128-bit encryption common in operating systems and encoding devices sold in the United States, in addition to the baseline requirements prescribed in this policy. Media that cannot meet this requirement due to the proprietary nature of how they are created, such as back-up tapes, must be stored in a physically secure area and shall only be transported in a manner commensurate with this policy.

.220 PERSONAL INFORMATION PRIVACY

Each element below merits extra protections beyond any baseline.

Social Security Number: All access and use of the social security number is prohibited except for meeting federal or state requirements, compliance and reporting.

VISA/Credit Card Numbers: All access and use of VISA/credit card numbers shall meet Payment Card Industry (PCI) security standards.

Bank Account Numbers: All access and use of bank account numbers is restricted to the following uses:


  • Business Affairs
    • Processing direct deposit transactions, both incoming and outgoing
    • Processing wire transfers
  • Department Personnel
    • Processing wire transfers – Paper copies of this data may be stored during the processing phase. They should be kept in a physically secure location with limited personnel access. Departments are prohibited from storing electronic copies of this data. Once verification of transfer is complete, the paper copy should be redacted or destroyed through an approved confidential document destruction method, and in accordance with the OUS records retention schedule found at /about/records.

Driver’s License Numbers and/or National Identification Numbers: All access and use of state or national driver’s license and/or national identification numbers for Oregon residents will be reported to the campus CIO/CISO and all reasonable precautions will be taken to ensure the integrity and confidentiality of this information.

Specific procedures for handling these elements will be defined by the records custodians for student records, employee data, and business transactions.

.230 PROTECTING INFORMATION STORED ON PAPER

Paper documents that include protected or sensitive information such as social security numbers, student education records, an individual's medical information, benefits, compensation, loan, or financial aid data, and faculty and staff evaluations are to be secured during printing, transmission (including by fax), storage, and disposal.

  • Do not leave paper documents containing protected or sensitive information unattended; protect them from the view of passers-by or office visitors.
  • Store paper documents containing protected or sensitive information in locked files.
  • Store paper documents that contain information that is critical to the conduct of university business in fireproof file cabinets. Keep copies in an alternate location.
  • Do not leave the keys to file drawers containing protected or sensitive information in unlocked desk drawers or other areas accessible to unauthorized personnel.
  • All records are subject to OUS records retention policies and should only be disposed of in accordance with the retention schedule defined within those policies. More information can be found at /about/records. Once the retention schedule has been met, shred confidential paper documents, and secure such documents until shredding occurs.
  • Immediately retrieve or secure documents containing protected or sensitive information that are printed on copy machines, fax machines, and printers. If at all possible, documents containing protected information should not be sent by fax; send them via a trusted courier service and secure them in transit.
  • Double-check fax messages containing protected or sensitive information:
    • Recheck the recipient's number before you hit 'start.'
    • Verify the security arrangements for a fax's receipt prior to sending.
    • Verify that you are the intended recipient of faxes received on your machine.

.240 INCIDENT RESPONSE

Information Security Flowchart

Incident response flowchart in .pdf format

All information security incidents will be reported to the campus CISO or equivalent, who will complete an incident report. (See Appendix section .700, Sample Incident Response Form.)

Information security incidents involving protected information will be reviewed by legal counsel to ensure appropriate responses are taken in accordance with Oregon law, and a copy of the report will be shared with the appropriate records custodian(s), the university president, the OUS CISO, the OUS Internal Audit Division, and the OUS Communications Services as appropriate to deal with media implications.

Information security incidents involving sensitive information will be reviewed by the appropriate records custodian(s) along with a copy of the incident report to be shared as deemed appropriate by the records custodian(s).

.250 TRAINING

OUS campuses and the Chancellor's Office will do the following:

  • integrate training for proper handling of protected information into the Banner training required of all employees seeking access to the Banner system.
  • include information about stopping ID theft in new employee orientation.

The OUS CISO will:

  • send OUS employees (via the campus CISO email Listserv) ad hoc bulletins regarding urgent threats, time sensitive initiatives, training opportunities and tools, etc.

.690  CONTACT INFORMATION

Direct questions about this policy to the following offices:

Subject: General questions from institutional personnel
Contact: Campus CISO or equivalent

Subject: General questions from institutional central administration and Chancellor's Office personnel
Contact: OUS CISO (currently the Vice Chancellor for Finance and Administration)


.695  HISTORY

06/23/10 - Approved

Policy Last Updated: 06/24/10


APPENDIX


.700 FORMS

Sample Incident Response Form

.995 HISTORY

06/23/10 Approved

Appendix Last Updated: 06/24/10