. .

What's New?

Gramm-Leach-Bliley Training New training created for those with access to customer information at the university.

Units Can Access Information Security Monthly Status Reports via Web Form Colleges and administrative units can submit their monthly information security status reports online using a web form. Use the links below to access the form and download instructions.

Hot Topics

Incident Response

Data Classification and Access Control FAQ

Below are commonly asked questions about data classification and access control.

  1. What data elements have been identified as Restricted Data?
  2. Who is responsible for classifying a data element as Restricted Data?
  3. Who are the Data Stewards?
  4. When will it be necessary to classify and inventory data?
  5. What other requirements should be considered?
  6. Is it appropriate to include Restricted Data while responding to an Ohio Public Records Request?
  7. Who can I contact for additional information on responding to Public Records Requests?

Download a PDF copy of these FAQ

Further Questions?

Please use the email form at the bottom of this page to contact us.

What data elements have been identified as Restricted Data?

Restricted data includes Social Security Numbers, bank account information, credit card information, FERPA and HIPAA. Over time, there will be additions to this list as the data stewards begin the data classification process. Refer to the Restricted Data Elements.

Who is responsible for classifying a data element as Restricted Data?

Data stewards are responsible for determining the appropriate classification for a data element. Once a data element is classified, the corresponding protection must be consistently applied to that element.

Who are the Data Stewards?

Refer to the Institutional Data Procedure: Roles and Responsibilities. Over time, there will be additions to this list.

Return to Top

When will it be necessary to classify and inventory data?

The initial focus will be to identify the data elements that will be classified as restricted data. Once that determination is made, the inventory of the restricted data use can begin. The restricted data classification process is being piloted with several areas during Autumn Quarter, 2007. It is anticipated that the data classification and inventory process will be extended to other areas during Winter Quarter, 2008.

What other requirements should be considered?

  • Anyone with access to Restricted or Limited Access Institutional Data shall have unique and individual user credentials such as a user id and password.
  • Access shall be deactivated after a period of inactivity not to exceed twelve months.
  • Terminated employees shall lose access as of their termination date.
  • The data access request process shall be formalized and auditable. The request process must include appropriate approvals, a description of the specific data requested, the level of access requested (read, write), and the purpose for accessing the data. Data access requests should be maintained in order to support the need to audit data access permissions throughout the complete data access lifecycle (creation through termination).
  • Once data access is approved for a data user or data custodian, data stewards are responsible for providing access to the Institutional Data Policy and the following information specific to the data being requested: 1) data documentation and usage guidelines, 2) the data classification policy including information on associated state and federal regulations, and 3) required minimum safeguards for protected data.
  • A robust authentication process in compliance with university computer security standards and consistent with the level of risk associated with unauthorized access is required for access to all limited Access and Restricted data.
  • Maintain and monitor user access and login information.
  • Data access processes, procedures and authorizations must be reviewed on an annual basis by each data steward to ensure that access remains appropriate.

Is it appropriate to include Restricted Data while responding to an Ohio Public Records Request?

The university’s institutional data is a component of the public information held, maintained and used in trust by the State of Ohio for its citizens. While the university’s institutional data is generally available to the public under Ohio’s Public Records Laws, Restricted Data is often protected by federal or state law or otherwise exempt from disclosure under Ohio law. As a result, public records requests for institutional data, especially Restricted Data, must be handled with care.

Return to Top

Who can I contact for additional information on responding to Public Records Requests?

First, work with your department to identify the designated individual who is responsible for handling these requests. Individuals in a position likely to receive a public records request are strongly encouraged to seek training and to follow any specific unit policies or procedures.
Contact the appropriate data steward and the Office of Legal Affairs for questions or assistance on a public records request. For requests from media outlets also contact the Office of University Relations.

Return to Top

Further Questions?

If your question is not listed in the above FAQ, please use the form below to contact us. We will respond to your inquiry as soon as possible.

Your Name:

Your e-mail address:

If phone contact is preferred, the phone number where you can be reached:

What is your primary role at the university? (e.g. Faculty, Staff, GA, Student)

Message:

Please enter the word(s) shown below in the "Captcha" box. This helps prevent spam from filling our email so we can focus on legitimate questions like yours.