UBIT Standards for Protecting University Data

Category: Information Technology

Responsible Office: Information Security Office

Responsible Executive: Vice President and Chief Information Officer (VPCIO)

Date Established: March 11, 2025

Summary

The University at Buffalo (UB, university) classifies data into three risk-based categories to regulate access to and use of university data and to define the precautions required to protect it. This standard provides a classification framework based on the legal and regulatory requirements to which the university is subject. It supports the Data Risk Classification and Protection of University Data policies by defining the actions needed to maintain compliance and minimize the risk of accidentally or intentionally disclosing Category 1 Restricted Data or Category 2 Private Data.

Standard Statement

The University at Buffalo (UB, university) has legal and ethical obligations to ensure that all forms of university data are adequately secured to minimize the risk of unauthorized use or disclosure and is committed to protecting the data of individuals affiliated with the university and its services throughout all stages of the data lifecycle.

Principles of Least-Privilege and Minimum-Necessary

The University at Buffalo is the data owner of all university data and, as such, adheres to the information security principles of least-privilege (“need to know”) and minimum-necessary (“no more than needed or required for the intended task or use”) to protect Category 1 - Restricted Data and Category 2 - Private Data. Adhering to the principles of least-privilege and minimum-necessary protects against unintentional inclusion, sharing, or possible publication of data.

Examples of least-privilege include, but are not limited to:

  • Limiting the sharing of electronic files or folders to only the intended individuals or groups.
  • Limiting file access to read-only for individuals who do not need to edit or make changes to documents.
  • Not emailing attachments to whole departments or lists of individuals when only one person needs the information to accomplish the intended task(s).

Examples of minimum-necessary include, but are not limited to:

  • Only including the data points in a spreadsheet or data set which are required to complete a task.
    • Not including data points which are unnecessary to complete the function or task.
  • Not asking for personal information on a survey, form, or document unless it is required to perform or complete the function or task.

Data Storage

Category 1 data must never be stored on an employee’s State- or University-issued endpoint device, including but not limited to laptops, desktop computers, or other endpoint devices. Category 1 data must never be stored on an individual’s personally managed computing device or with a third-party file storage service which has not been reviewed, approved, and contracted by the university. Personally owned devices are prohibited from processing or storing any type of Category 1 data. This includes devices which:

  • Are personally owned and not considered a state asset.
  • Are not managed or maintained by a full-time UBIT or node staff member.

Category 1 data must never be stored on removable media or storage technologies, including, but not limited to:

  • Cloud storage systems (e.g., OneDrive, Google Drive, iCloud, Dropbox).
  • Cell phones, tablets, or other mobile devices.
  • DVD/CD media.
  • Portable disk drives that connect through a USB interface.
  • USB thumb drives.

Physical data storage devices must adhere to the UB Minimum Server Security and Hardening Standards. All hardware that stores data on servers must be physically secured and protected from access by unauthorized individuals. Spaces that house hardware storing Category 1 or Category 2 data must keep records of access for auditing purposes, as outlined in the Guidelines for Retention of Security Log Data and the University Record Retention and Disposition Policy. Examples of acceptable storage locations are as follows:

  • Databases: Most on-premises systems are linked to the UB consolidated database environment; the environment (MSSQL/Oracle/MySQL) must be hardened to securely store university data.
  • Systems: All systems and software purchased by the university undergo a thorough review process to determine which data types may be stored, processed, or rendered on them. The review must be completed and approved before any procurement is authorized.
  • UBbox: The university has conducted a comprehensive review of Box and established a Business Associate Agreement (BAA) and policies and procedures to ensure safe storage of Category 1 and Category 2 university data in UBbox.

Disposition

Data at the end of its lifecycle must be disposed of in accordance with the UB Record Retention and Disposition Policy, relevant SUNY records retention and disposition policies, and the retention periods of applicable State and Federal laws, contracts, and regulations.

Compliance

Failure to protect the confidentiality, accuracy, and availability of university data may result in legal, reputational, or financial harm to the university. Individuals found to be in violation of university policies related to the use of restricted data may face corrective actions up to, and including, separation from the university. Individuals who suspect a misuse of standards and policies related to university data must report their concerns to the applicable Data Trustee or the Information Security Office (ISO).

Background

The collection and use of university data is necessary for many of UB’s business functions. Balancing access to university data against its protection is critical to ensure that the university can carry out its mission while maintaining confidentiality and regulatory compliance.

Applicability

This standard applies to all University at Buffalo employees, students, volunteers, and third-party vendors who access, manage, store, or otherwise use university data. In instances where this standard conflicts with another university requirement, obligation, regulation, or law, the most restrictive requirement applies.

Definitions

Data Administration: The responsibility for the activities of data administration, including detailed data definition, is shared among the Data Stewards, Data Managers, and the VPCIO.

Data Type: A specific and distinguishable data item or element which can be categorized under UB’s Data Risk Classification Policy and protected accordingly.

Non-Public Data: According to the Data Risk Classification Policy, Category 1 - Restricted Data and Category 2 - Private Data are considered non-public data.

Senior Management: Designated as the president, provost, vice provosts, executive vice presidents, vice presidents, associate vice presidents, and deans who are eligible for access to enterprise-wide aggregate and summary university data. Senior management is authorized to delegate access of enterprise-wide aggregate and summary university data, as deemed appropriate.

Shadow system, extension system, extender system: Small-scale databases and/or spreadsheets developed for and used by end users, outside the direct control of an organization's official information access, management, and/or security protocols.

Third Party: Any entity which is legally separate from the University at Buffalo, but with which the university may partner when conducting business.

University Data: Items of information which are collected, maintained, and utilized by the university for the purpose of carrying out institutional business. This includes centrally stored data as well as data generated and stored in university departments and decanal units. All university data is required to have an identified Data Trustee.

Responsibility

Data Manager: University officials and their staff with operational-level responsibility for information management activities related to the capture, maintenance, and dissemination of data. Data Stewards may delegate data administration activities to Data Managers.

Data Owner: The University at Buffalo owns all university data, while individual units or departments may have stewardship responsibility for portions of such data. The Data Owner is responsible for:

  • Administering activities delegated by data stewards.
  • Maintaining physical and system security and safeguards appropriate to the classification level of the data in their custody.

Data Steward: University official who has planning and policy-level responsibilities for data in their functional areas. Data Stewards are assigned by the Data Trustee and responsible for:

  • Adhering to the principles of least-privilege and minimum-necessary.
  • Creating and maintaining data documentation, including data dictionaries, data flow diagrams, and data lineage.
  • Developing and maintaining clear and consistent procedures for data access and use in keeping with university policies.
  • Educating faculty, staff, and students on data-related matters.
  • Ensuring that training and awareness of the terms of this procedure are provided.
  • Ensuring data in their functional area is accurate, consistent, and reliable.
  • Holding supervisory responsibilities for defined elements of institutional data.
  • Implementing and enforcing data policies, standards, and practices. This includes definition of data ownership, access controls, data classification, and data lifecycle management.
  • Maintaining metadata: information about data elements, their definitions, and relationships.
  • Managing data security and privacy, in conjunction with the ISO.
  • Granting, renewing, and revoking access for Data Managers and/or Data Users (as delegated by Data Trustees).
  • Monitoring compliance with this procedure.
  • Preventing unauthorized access to Category 1 Restricted Data and Category 2 Private Data.
  • Reporting concerns and possible incidents to management for proper institutional evaluation and response.
  • Carrying out planning and policy-level responsibilities for data in their functional areas.

Data Trustee: Senior leader of the university (i.e., vice president, vice provost, dean) who has responsibility for areas that have systems of record. Data Trustees are responsible for:

  • Assigning and overseeing Data Stewards.
  • Adhering to the principles of least-privilege and minimum-necessary.
  • Classifying university data in accordance with the Data Risk Classification Policy.
  • Controlling university data by granting, renewing, and revoking access for Data Stewards, Data Managers, and/or Data Users. Data Trustees may delegate this responsibility to Data Stewards or Data Managers.
  • Ensuring that Data Stewards in their area are compliant with data governance principles.
  • Establishing data policies within their functional areas.
  • Ensuring legal and regulatory compliance specific to their domain.
  • Promoting data quality and use.
  • Reporting concerns and possible incidents to management for proper institutional evaluation and response.
  • Ensuring that Data Stewards, Data Managers, and Data Users in their respective area(s) are compliant with data governance principles.
  • Serving as the senior leaders of the university (vice presidents, vice provosts, and deans) who have responsibility for areas that have systems of record.

Data User: An individual who needs and uses university data as part of their assigned duties or to fulfill their role in the university community, with access as granted by a Data Trustee or Data Steward. Data users are responsible for:

  • Accessing, retrieving, updating, processing, analyzing, storing, distributing, or otherwise using university data only for the legitimate and documented conduct of university business.
  • Adhering to the principles of least-privilege and minimum-necessary.
  • Complying with the Data Risk Classification Policy and securing Category 1 Restricted Data and Category 2 Private Data.
  • Data Users who misuse data and/or illegally access data are subject to sanctions or penalties in accordance with employee relations policies. Sanctions or penalties are based on the standards outlined in university policy, state or federal regulations, and the appropriate collective bargaining agreements.
  • Following appropriate safeguards to protect data based on its classification.
  • Following all university policies, procedures, and standards related to data security classification and security level, including applicable federal and state laws.
  • Implementing appropriate safeguards to protect data.
  • Maintaining the confidentiality, integrity, and availability of university data.
  • Reporting concerns and possible incidents to management for proper institutional evaluation and response.
  • Successfully completing Handling Data Safely training prior to receiving data access.
  • Using data only for the purposes for which access is granted.

Information Security Officer (ISO): The ISO is responsible for:

  • Conducting periodic security reviews of systems approved for storing and handling protected data.
  • Developing and delivering enterprise information security strategy, governance, and policy in support of institutional goals. Information security incidents must be reported to the ISO.
  • Reviewing and approving departmental collection, storage, and transmission of data when necessary, according to its classification.
  • Serving on the Cloud Services Review Committee.

Information Security and Privacy Advisory Committee (ISPAC): ISPAC is responsible for evaluating, developing, and recommending information security and privacy policies, procedures, and operations vital to protecting and sustaining the university’s mission.

Records Management Officer:

  • Determines appropriate record disclosures pertaining to FOIL requests.

Vice President and Chief Information Officer (VPCIO)

The VPCIO provides leadership for the development and delivery of information technology (IT) services to the university. The VPCIO oversees an enterprise IT services organization, Computing and Information Technology (CIT), and works in partnership with UB’s schools, colleges, and administrative IT units to enable a unified and productive IT experience for students, faculty, and staff.

Contact Information

Office of the Vice President and Chief Information Officer
Phone: 716-645-7979
Email: vpcio@buffalo.edu

Information Security Office
Phone: 716-645-6997
Email: sec-office@buffalo.edu

Records Management Officer
Phone: 716-645-1786
