Standards for Protecting Category 2-Private Data

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: March 5, 2019


Standard Statement

The security intent of this standard is (1) to define the safeguards required to maintain the confidentiality of Category 2-Private Data and (2) to minimize the risk of accidentally or intentionally making Category 2-Private Data publicly available.

The following safeguards are required to maintain the confidentiality of Category 2-Private Data:

  1. Implement UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices.
  2. Implement UB Minimum Server Security and Hardening Standards.
  3. Protect Category 2-Private Data from accidental or intentional alteration, theft, unauthorized access, and other risks.
  4. Protect data systems and devices that store, process, transmit, or in other capacities handle Category 2-Private Data. Protection should be commensurate with the intended uses of, and the risks associated with, the data. At a minimum, access to Category 2-Private Data must be limited to authorized users via UB login.

Principles of Least-Privilege and Minimum-Necessary

In order to protect Category 2-Private Data, the university adheres to the information security principles of least-privilege (“need to know”) and minimum-necessary (“no more than needed or required for the intended task or use”). Adhering to these principles protects against the unintentional inclusion, sharing, or publication of Category 2-Private Data alongside Category 3-Public Data.

Examples of least-privilege include, but are not limited to:

  • Limit the sharing of electronic files or folders with intended individuals or groups. Do not share with all users by default.
  • Limit file access to read-only for individuals who do not need to edit or make changes to documents.
  • Do not email attachments to whole departments or lists of individuals when only one person needs the information to accomplish the intended task(s).

Examples of minimum-necessary include, but are not limited to:

  • Only include the data points in a spreadsheet or data set that are required to complete a task. Do not include data points that are unnecessary to complete the function/task.
  • Do not ask for personal information on a survey, form, or document unless it is required to perform or complete the function/task.
  • Extract only the information needed from data stores (tables, spreadsheets, databases, etc.) rather than copying them in their entirety for another purpose.

Disposition

Dispose of Category 2-Private Data properly when it is no longer needed or when its retention period has been satisfied, in accordance with the university’s Record Retention and Disposition Policy.

Background

Category 2-Private Data encompasses a wide range of data types that fall between Category 1-Restricted Data and Category 3-Public Data. Category 2-Private Data is often used for university business and mission-related requirements. Specific instances of Category 2-Private Data are therefore more or less sensitive depending upon the context or other data with which they are stored or combined, and upon the manner in which the data is used.

Applicability

This standard applies to all university employees, students, and third-party vendors who access, manage, store, or in other capacities use university data.

Definitions

Category 2-Private Data

Includes university data not identified as Category 1-Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure under the New York State Freedom of Information Law (NYS FOIL). Category 2-Private Data must be protected to ensure that it is not disclosed in response to a FOIL request; FOIL excludes data whose disclosure would constitute an unwarranted invasion of personal privacy. The National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, maps to the Category 2-Private Data risk classification. Systems housing the data should also take reasonable measures to protect its accuracy.

Responsibility

Data Trustee

  • Responsible for ensuring that data stewards, data managers, and data users in their respective area(s) are compliant with data governance principles.
  • Classify university data in accordance with the Data Risk Classification Policy.
  • Control university data by granting access, renewing access, and revoking access to Data Stewards, Data Managers, and/or Data Users. Data Trustees may delegate this responsibility to Data Stewards or Data Managers.
  • Ensure that Data Stewards in their area are compliant with data governance principles.
  • Adhere to the principles of least-privilege and minimum-necessary.
  • Report concerns and possible incidents to management for proper institutional evaluation and response.

Data Steward

  • Responsible for planning and policy-level responsibilities for data in their functional areas.
  • Have supervisory responsibilities for defined elements of institutional data.
  • May grant, renew, and revoke access to Data Managers and/or Data Users (as delegated by Data Trustees).
  • Develop and maintain clear and consistent procedures for data access and use in keeping with university policies.
  • Adhere to the principles of least-privilege and minimum-necessary.
  • Report concerns and possible incidents to management for proper institutional evaluation and response.

Data User

  • Follow appropriate safeguards to protect data based on its classification.
  • Adhere to the principles of least-privilege and minimum-necessary.
  • Report concerns and possible incidents to management for proper institutional evaluation and response.

Information Security Officer

  • Review and approve departmental collection, storage, and transmission of data when necessary according to its classification.
  • Serve on the Cloud Services Review Committee.
  • Conduct periodic security reviews of systems approved for storing and handling protected data.

Vice President and Chief Information Officer

  • The VPCIO provides leadership for the development and delivery of information technology (IT) services to the university. The VPCIO oversees an enterprise IT services organization, Computing and Information Technology (CIT), and works in partnership with UB’s schools, colleges, and administrative IT units to enable a unified and productive IT experience for students, faculty, and staff.

Contact Information

Office of the Vice President and Chief Information Officer
517 Capen Hall
Buffalo, NY 14260
Phone: 716-645-7979
Email: vpcio@buffalo.edu
Website: http://www.buffalo.edu/ubit.html

Information Security Office
201 Computing Center
Buffalo, NY 14260
Phone: 716-645-6997
Email: sec-office@buffalo.edu
Website: http://security.buffalo.edu

Related Information