Purpose
The purpose of this document is to provide guidance to members of the Boise State user community who extract, post or use Sensitive Information outside Boise State’s secured network and computing infrastructure.
The data covered by these guidelines include any type of Protected Information as defined in the Boise State Information Privacy and Data Security Policy #8060.
Background
The Office of Information Technology (OIT) protects Boise State’s Protected Information from unauthorized access or inappropriate use by enforcing technical and procedural security controls for infrastructure based systems and applications (e.g. PeopleSoft, Oracle, etc…) that store and/or process Protected Information. However, the availability of local workstations, shared and portable drives, Boise State hosted and Web-based applications and services provides the opportunity for otherwise secure data to be extracted from hardened infrastructure systems and applications and then used outside of OIT data security controls.
System Security Category Designations
Boise State maintained infrastructure systems and applications (including hardware, software, managed cloud services and associated devices) store, process and protect various types of Protected Information under Boise State’s control. System security requirements directly correlate to data sensitivity levels as defined in the University Data Classification Standard.
For example, if Boise State systems or applications contain information designated as sensitive by laws or regulations then the data and system is considered as Restricted with the highest potential risk to the University and campus community. The most stringent system security requirements have to be implemented to provide maximum security and data protection.
If the systems or applications contain any personally identifiable information or data that Boise State is required to keep private either by law or confidentiality agreement (e.g., about any member or affiliate of the Boise State community), but do not meet the criteria for Restricted, then the data and systems are considered as Confidential. The risk to the University is considered high and provides a significant level of security and data protection as data within this category must be protected.
If the systems or applications contain any data that is used to conduct official University business that must be safeguarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, then the data and systems are considered Internal. The risk to the University and campus community is moderate, so system security requirements are slightly less but still provide a significant level of security and data protection.
Systems or applications containing solely public data are considered as Public Data and have the lowest level of risk to the University and the campus community. These are not required to have any extraordinary system security requirements.
Appropriate Data Use
Members of the Boise State user community who use any of the services or devices listed in Table 1, below, must do so in accordance with the policies, standards and guidelines that governs acceptable computer usage on campus. Before extracting data, users must ensure the security category level of the application or service is consistent with the level of protection required for the extracted data to be stored or processed and have obtained approval from your supervisor, manager or Data Owner (Contact the office of IT Governance, Risk & Compliance if there are questions about the use of sensitive information in any Boise State infrastructure system).
Collective Sensitive Information belonging to multiple sensitivity levels must be treated according to the highest level of sensitivity. Boise State considers information (i.e., data) to be sensitive if it is, or has been, determined to be protected because of state or federal laws, regulations, Boise State policy, or by agreement, whether the information is in physical or electronic format. Sensitive information includes the following categories of information:
Restricted Data
Restricted Data is sensitive data intended for limited, specific use and must be protected as specifically guided by law (e.g., HIPAA, FERPA, Sarbanes-Oxley, Gramm-Leach-Bliley), industry regulation (PCI-DSS), government controls (CUI, ECI, FISMA, CDI), Non-Disclosure Agreements (NDA) in the research and creative activity space, or University rules and regulations. This is the most sensitive Data of the university and must be safeguarded in accordance with its individual requirements (i.e., some Restricted Data require more rigorous controls than other Restricted Data). Examples include:
- Medical records covered by the Health Information Portability and Accountability Act (HIPAA)
- Banking and credit card records covered by the Payment Card Industry (PCI) data security standards.
- An individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
- SSN
- Driver’s license number, state identification card number, or other individual identification number issued by a unit
- Passport number or other identification number issued by the United States government
- Individual Taxpayer Identification Number
- Financial or other account numbers, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, which would permit access to an individual’s account.
- FAFSA Data
- Academic records covered by the Family Education Right and Privacy Act (FERPA)
- Personnel Records
Information of this type carries a (High) security risk and is always sensitive if personal identifiers (e.g. name, SSN, birth date) are, or can be, associated with the medical or banking records. Non-personal data fitting into this category may also have additional restrictions based on the nature of its content (e.g. CUI, CDI, ECI data). This type of sensitive information receives the highest level of security protection within Boise State’s infrastructure systems and must never be extracted from those systems without prior written consent from the appropriate Boise State Data Owners. Note that not all Restricted Data can be stored within Boise State’s infrastructure.
Confidential Data
Confidential Data is intended for limited University business use only, with access restricted to personnel with a legitimate need, even though that need may constitute a small group (e.g., only designated security personnel) or a large group (e.g., all student advisors or all faculty). This classification also includes Data that is not subject to public disclosure and that the University is required to keep confidential per legal agreements, policies, third party agreements such as a vendor contracts and MOUs.
Boise State proprietary institutional information or personally identifiable information collected and retained by Boise State about any member or affiliate of the Boise State community that requires a Freedom of Information Request to disclose. This includes:
- Student birthdates
- Student directory information for those who have elected privacy
- Student demographic information
- Student ID numbers
- Employee ID numbers
- Any individual or combination of data elements that, if disclosed without authorization, identify a specific individual and could place the individual’s privacy, or Boise State, at risk.
- Correspondence containing personally identifiable information or otherwise marked confidential due to its content.
- Gift history, prospective donor information, and alimony education information.
This type of sensitive information carries a (Serious) security risk and is protected securely within Boise State’s infrastructure systems and must be secured with the same level of protection if extracted from those systems. When Confidential data is combined with additional identifying elements (e.g. ID number plus username or first/last name) then this data may move into the Restricted classification.
Internal Data
Internal Data is information used for official University business and must be safeguarded due to proprietary, ethical, or privacy considerations and protected from unauthorized Access, modification, transmission, storage, or other use. This Data is not intended to be shared with the public; however, it is generally releasable in accordance with the Idaho Public Records Act. This Data includes potentially sensitive information and applicable privacy laws will be considered before release of Data. Examples include:
- Planning documents
- Business partner information where no more restrictive confidentiality agreements exists
- Technical documents relating to information systems or processes
- Organizational charts
- University policies and procedures
- Department budgets and financial transactions
- Documents stored within University systems that are not otherwise classified as Restricted or Confidential
- Employee emails
- Employee chat messages
This type of sensitive information carries a (Moderate) security risk and is protected securely within Boise State’s infrastructure systems and must be secured with the same level of protection if extracted from those systems.
Public Data
Public information not classified as Restricted, Confidential, or Internal and carries a (Low) security risk and is not required to be secured. Examples include:
- Staff directory information
- University department names and contact information
- Course descriptions
- Course schedules
- University calendar dates
- Campus maps
- Commonly reported summary statistics (e.g., those found on the Boise State public web site or reported to the Federal or State government)
Approved Security Category By Service/ Device
Boise State OIT provides students, faculty, and staff with a variety of file storage options for retaining and sharing institutional data. The table below contains a list of data classifications allowed and key attributes for each storage option. The storage solution information, along with data classification categories, should be used to determine which services are suitable for storing data. Note that certain conditions may dictate variances as annotated in the comments.
Users must assess the security level of any service or application not listed in Table 1 before posting or storing Sensitive Information in such locations. If you have question, please contact the office of IT Governance, Risk & Compliance.
Violation of these Data Use Guidelines or other campus policies may result in temporary or permanent restriction of access privileges to services, or other measures detailed in the Enforcement section of the 8060 – “Information Privacy and Data Security” policy.
Further Information on Data Sensitivity and Classification
Unspecified Data Types
Data types not specified in Boise State Policy #8060 Information Privacy and Data Security or other policies or guidelines should be evaluated on a case-by-case basis. If unauthorized access or disclosure of data could cause financial or reputational harm to an individual or Boise State, DO NOT post or store such data to web-based applications or services.
Questions about whether certain data should or should not be stored on specific web-based applications, services or systems, should be directed to the Chief Information Security Officer at CISO@boisestate.edu or (208) 426-4127.