Data Classification and Access Control FAQ
Below are commonly asked questions about data classification and access control.
- What data elements have been identified as Restricted Data?
- Who is responsible for classifying a data element as Restricted Data?
- Who are the Data Stewards?
- When will it be necessary to classify and inventory data?
- What other requirements should be considered?
- Is it appropriate to include Restricted Data while responding to an Ohio Public Records Request?
- Who can I contact for additional information on responding to Public Records Requests?
Further Questions?
Please use the email form at the bottom of this page to contact us.
What data elements have been identified as Restricted Data?
Restricted Data includes Social Security Numbers, bank account information, credit card information, and data protected under FERPA and HIPAA. Over time, there will be additions to this list as the data stewards begin the data classification process. Refer to the Restricted Data Elements.
Who is responsible for classifying a data element as Restricted Data?
Data stewards are responsible for determining the appropriate classification for a data element. Once a data element is classified, the corresponding protection must be consistently applied to that element.
Who are the Data Stewards?
Refer to the Institutional Data Procedure: Roles and Responsibilities. Over time, there will be additions to this list.
When will it be necessary to classify and inventory data?
The initial focus will be to identify the data elements that will be classified as Restricted Data. Once that determination is made, the inventory of Restricted Data use can begin. The Restricted Data classification process is being piloted with several areas during Autumn Quarter, 2007. It is anticipated that the data classification and inventory process will be extended to other areas during Winter Quarter, 2008.
What other requirements should be considered?
- Anyone with access to Restricted or Limited Access Institutional Data shall have unique and individual user credentials, such as a user ID and password.
- Access shall be deactivated after a period of inactivity not to exceed twelve months.
- Terminated employees shall lose access as of their termination date.
- The data access request process shall be formalized and auditable. The request process must include appropriate approvals, a description of the specific data requested, the level of access requested (read, write), and the purpose for accessing the data. Data access requests should be maintained in order to support the need to audit data access permissions throughout the complete data access lifecycle (creation through termination).
- Once data access is approved for a data user or data custodian, data stewards are responsible for providing access to the Institutional Data Policy and the following information specific to the data being requested: 1) data documentation and usage guidelines, 2) the data classification policy including information on associated state and federal regulations, and 3) required minimum safeguards for protected data.
- A robust authentication process, in compliance with university computer security standards and consistent with the level of risk associated with unauthorized access, is required for access to all Limited Access and Restricted Data.
- Maintain and monitor user access and login information.
- Data access processes, procedures and authorizations must be reviewed on an annual basis by each data steward to ensure that access remains appropriate.
Is it appropriate to include Restricted Data while responding to an Ohio Public Records Request?
The university’s institutional data is a component of the public information held, maintained and used in trust by the State of Ohio for its citizens. While the university’s institutional data is generally available to the public under Ohio’s Public Records Laws, Restricted Data is often protected by federal or state law or otherwise exempt from disclosure under Ohio law. As a result, public records requests for institutional data, especially Restricted Data, must be handled with care.
Who can I contact for additional information on responding to Public Records Requests?
First, work with your department to identify the designated individual who is responsible for handling these requests. Individuals in a position likely to receive a public records request are strongly encouraged to seek training and to follow any specific unit policies or procedures.
Contact the appropriate data steward and the Office of Legal Affairs for questions or assistance on a public records request. For requests from media outlets, also contact the Office of University Relations.
Further Questions?
If your question is not listed in the above FAQ, please use the form below to contact us. We will respond to your inquiry as soon as possible.
