It is the responsibility of Georgia Tech, through the Chief Data Stewards, to implement procedures to effectively manage and provide necessary access to Institute Data, while at the same time ensuring the confidentiality, integrity, availability, accountability, and auditability (CIAAA) of the information. Appropriate implementation of the policy will ensure Institute compliance with the FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA), as well as the Family Educational Rights & Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Chief Data Stewards have defined the following guiding principles governing access to Institute Data by any individual conducting Georgia Tech operations:
- Inquiry-type access to official Institute Data will be as open as possible to individuals who require access in the performance of Institute operations without violating legal, federal, or State restrictions. Compelling justification is required to limit inquiry access to any data element.
- Data Users granted “create” and/or “update” privileges are responsible for their actions while using these privileges. That is, all campus units are responsible for the Institute Data they create, update, and/or delete.
- Any individual granted access to Institute Data is responsible for the ethical usage of that data. It will be used only in accordance with the authority delegated to the individual to conduct Georgia Tech operations.
Chief Data Stewards hereby delegate authority to Data Stewards for implementing the policy at the unit level.
Data Stewards will designate individuals to coordinate Institute Data access for each functional data grouping. The Data Coordinator will maintain records of authorized Data Users, and serve as contact point for the Data Administrator(s). The Data Coordinator will inform the appropriate Data Administrator on a timely basis of any changes that affect data access. Employees may request access to data through a designated Authorized Requester. Procedures for requesting data access will be provided by the Data Administrator(s).
Documentation of data elements and their appropriate use is the responsibility of the Data Stewards, Data Coordinators and Data Administrator(s).
Georgia Tech Institute Data shall be classified into four major categories that are defined as described in this section. The Data Stewards, in consultation with the Data Coordinators and Data Administrators, are responsible for defining which data elements and data views fall into each data category.
- Category I – Public Use: This information is targeted for general public use. Examples include Internet website contents for general viewing and press releases.
- Category II – Internal Use: Information not generally available to parties outside the Georgia Tech community, such as directory listings, minutes from non-confidential meetings, and internal (Intranet) websites. Public disclosure of this information would cause minimal trouble to the Institute. This category is the default data classification category.
- Category III – Sensitive: This information is considered private and must be guarded from disclosure; unauthorized exposure of this information could contribute to ID theft, financial fraud and/or violate State and/or Federal laws.
- Category IV – Highly Sensitive: Data which must be protected with the highest levels of security, as prescribed in contractual and/or legal specifications.
OIT Access to Data
Office of Information Technology positions with direct responsibility in maintaining and supporting Institute Information Systems that contain data used to conduct operations of the Institute are not required to individually obtain approval for data access. Direct responsibilities of the position in relation to the access of data in these systems should be covered in each individual's Workload Assignment, as defined by their department head. OIT employees will be responsible for being familiar with the policy as it relates to their position and job duties. OIT Directorates will be responsible for conducting policy awareness training for new department hires and for ensuring that policy awareness reminders occur on an annual basis.
Request for Review
Data Users may request that the Data Stewards and Chief Data Stewards review the restrictions placed on a data element, Data View, and/or the classification of data. All such requests will be submitted through an Authorized Requester to a Data Coordinator. The appropriate Chief Data Steward has final governance authority regarding matters of data restrictions and requests for access rights to Institute Data.
All employees, students, affiliates, contractors, consultants, vendors, or other consumers or users of Georgia Institute of Technology data, and all data (electronic, paper or otherwise) used to conduct operations of the Institute are covered by this policy. This policy does not address public access to data as specified in the Georgia Open Records Act. Furthermore, this policy does not apply to notes and records that are the personal property of individuals in the Georgia Tech community.
Cloud Computing/Cloud Services
A network of remote servers or services, hosted by third parties, used to store, manage, and process data. Examples of cloud computing services include Gmail, Hotmail, Yahoo Mail, DropBox, Rackspace, etc.
All information generated or owned by Georgia Tech. Also, information not generated by Georgia Tech, but which Georgia Tech has the duty to manage. This information can exist in any form including, but not limited to, print and electronic.
Faculty or staff member who has been assigned as the person directly responsible for the care and management of a certain type of data at Georgia Tech. Data Stewards are ultimately responsible for access to the data they manage. For example, the Registrar is responsible for approving access to student data.
Desktop computers, laptop computers, workstations, group access workstations, USB drives, small servers, cloud hosted virtual machines, and personal Network Attached Storage (NAS)
Mobile devices at Georgia Tech include, but are not limited to:
- Cellular telephones
- Smart phones (e.g. iPhones, Android Phones, BlackBerrys)
- Tablet computers (e.g. iPad, Kindle, Kindle Fire, Android Tablets)
- Wearable Devices (e.g. Google Glass, watch devices)
- Personal Digital Assistants
- Any other mobile device containing Georgia Tech data (e.g. handheld scanning devices)
Laptops and USB drives are considered Endpoints for the purpose of this policy (see definition above).
Any computer system that hosts a campus unit or institute-wide service, or acts as an authoritative source of data for the institute or campus unit.
The following paragraphs and referenced documents are intended to assist Authorized Requesters, Data Stewards, Data Coordinators, and Data Administrators with the unit-level implementation of the Data Access Policy.
Requesting Data Access
Detailed procedures and guidelines for requesting data access under this policy are contained in the Georgia Tech Data Access Procedures. These documents shall be updated on an “as needed” basis, reflecting any changes to the process and/or roles involved.
Protecting Sensitive Data
The internal computers, mobile devices, networks, application software and data repositories of Georgia Tech are critical resources of the Institute and must be protected against inappropriate access and/or disruption of service. Active measures are necessary to ensure data integrity and reduce the risk of system compromise, especially when sensitive information may be at risk. The rising frequency of security incidents involving network-attached devices significantly increases the probability that sensitive data, if not properly identified and protected, may be exposed to unauthorized viewing or modification. Established procedures for protection and release of sensitive information must be followed regardless of the platform used to store that data. The Data Protection Safeguards document is a comprehensive set of Technical (IT), Administrative (procedural), and Physical safeguards which need to be put in place in order to ensure adequate protection for each category of data, as described in the Data Categories section above. Any deviation from mandatory requirements must be documented and covered by adequate compensating control(s). The department of Internal Auditing is available to assist in reviewing compensating controls.
Data Stewards, in consultation with the Data Coordinators and Data Administrators, are responsible for:
- Categorizing and/or re-classifying data elements and views
- Granting selective access to Institute Data
- Educating authorized users on responsibilities associated with data access
- Informing technology specialists about data classifications to determine physical and/or logical controls required
On the other hand, it is the express responsibility of authorized users and their respective business units to safeguard the data they are entrusted with, ensuring compliance with all aspects of this policy and related procedures.
Sensitive Data as it pertains to Unit-Level Servers
Serving devices (servers) storing sensitive information shall be operated by professional system administrators, in compliance with all OIT security and administration policies, and shall remain under management oversight. Each such unit-level server storing sensitive or highly sensitive data shall be registered as outlined below, and shall have a Technical (IT) as well as an Administration point of contact.
Deans, Vice Presidents and Associate Vice Presidents, in their stewardship roles, are responsible for monitoring compliance with the Data Access Policy and associated guidelines by:
- Directing the reviews of, and responding to technical reports for, servers within units for which approval has been given to store sensitive information;
- Ensuring that all unit-level servers storing sensitive or highly sensitive data are registered with OIT Information Security (refer to Data Protection Safeguards);
- Coordinating with OIT Information Security to ensure that the server(s) providing this information to the campus network and Internet are secured through reasonable procedures; and
- Conducting periodic access control assessments of any sensitive information devices or services within their business units, in coordination with OIT Information Security.
Sensitive Data as it pertains to Endpoints and Mobile Devices
When storing Georgia Tech data on Georgia Tech owned or personally owned endpoints (e.g. desktops, laptops, or workstations), mobile devices, and devices that are not used or configured to operate as servers, the device must be configured as described in the Data Protection Safeguards document. Any deviation from mandatory requirements within the Data Protection Safeguards must be documented and covered by adequate compensating control(s). The department of Internal Auditing is available to assist in reviewing compensating controls.
Sensitive Data as it pertains to Cloud Computing Services
When using cloud computing services or storage with Georgia Tech data, Data Users must follow procedures described in the Data Protection Safeguards. Regulatory requirements, such as International Traffic in Arms Regulations (ITAR) and U.S. Export Controls, must be considered when utilizing cloud computing services. Category IV data (credit card data) is not covered by this policy statement; refer to the institute Credit Card Processing Policy.
Sensitive Data as it pertains to Email Services
Data Users must use official Georgia Tech email services when emailing Category III data. Using third party email services (e.g. Gmail, Hotmail, Yahoo Mail) to send or store Category III data is prohibited.
Upon approval, this policy shall be published on the Georgia Tech Policy Library. The following offices and individuals shall be notified via email and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document:
- Chief Data Stewards, Data Stewards, Data Coordinators, Data Administrators
- Department Heads
- Unit-level business officers
In addition, the Georgia Tech Office of Information Technology shall provide training and awareness. Avenues for training and awareness will include:
- New employee orientation
- New faculty orientation
- Campus unit faculty/staff training and awareness sessions
Data Users are expected to respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by applicable laws, policies, procedures and guidelines with respect to access, use, or disclosure of information. The unauthorized storage, disclosure or distribution of Institute Data in any medium, except for legitimate Institute business or authorized academic use, is expressly forbidden, as is the access or use of any Institute Data for one's own personal gain or profit, for the personal gain or profit of others, or to satisfy one's personal curiosity or that of others.
Each person affiliated with the Institute will be responsible for being familiar with the policy as it relates to him or her. Violations of the policy may result in loss of data access privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Georgia Tech disciplinary procedures, as well as personal civil and/or criminal liability.
| Version | Author | Description |
|---|---|---|
| 3.0 | Jimmy Lummis | Major review and revision |
| 2.9.1 | Jimmy Lummis | Modified section 4.2.1 to include updated sensitive server reporting process |
| 2.9 | Richard Biever | Changed Data Classification references to Data Categorization and added section 3.3. |