








Definitions
Protected data
The data comprising personal information governed by these guidelines is
defined as protected data. This protected data includes an individual's
first and last name in combination with any of the following:
- social security number AND/OR
- driver's license number AND/OR
- financial account or credit card number in combination with any password
that would permit access to the individual's financial account
Computing System
A computing system is any server, desktop, laptop computer, or PDA (Personal
Data Assistant) that contains or provides network access to protected data.
Lead Campus Authority
The Lead Campus Authority for UCR is the Associate Vice Chancellor for Computing
and Communications (C&C). The Lead Campus Authority is responsible for ensuring
that the campus incident response process and UCOP (and campus) notification
procedures are followed. The Lead Campus Authority will coordinate campus
procedures with various campus constituencies (VCA, Audit and Advisory Services,
UCR's Locally Designated Official (LDO), UCR's Director of Financial Controls
and Accountability, campus counsel, etc.) as appropriate and will maintain
as robust a database as possible of campus systems containing protected
data.
Responsible Administrative Official (e.g. Dean, Associate Dean, Vice Chancellor, Assistant Vice Chancellor, etc.)
The UCR individual who is ultimately responsible for oversight of data or
computing systems within a given functional area.
Data Proprietor (e.g. MSO, CFAO, Associate Dean, Assistant Vice Chancellor, etc.)
Data Proprietors are responsible for identifying which computing systems
contain protected data or have access to protected data (please see the
note below relating to Control Records). They will ensure that appropriate
procedures are deployed governing access to protected data and adequate
security plans, consistent with Business and Finance Bulletin IS-3, are
in place for computing systems within their jurisdiction. Data Proprietors
will work with C&C to maintain an inventory of systems containing protected
data. An up-to-date systems inventory will usually include the system's
location and use, its custodian, and type of security protection. Data Proprietors
will inform their Data Custodians, affected staff within their jurisdiction,
and third-party users, of University policy and their responsibilities regarding
any use they may make of protected data.
Data Custodian (e.g. Systems Administrator, Database Administrator, etc.)
Data Custodians are responsible for protecting the resources under their
control, such as access passwords, computers, and downloaded data. Contractual
arrangements with outside affiliates must include the third-party user's
obligations regarding protected data. Data Custodians will ensure implementation
of adequate security measures for computing systems containing protected
data (e.g. monitoring access logs for computing systems housing protected
data can disclose unauthorized access or anomalous activity) as well as
appropriate encryption strategies for both the transmission and storage
of protected data. Departments may wish to consult with C&C for assistance
in determining strategies appropriate to their particular technological
environment.
Control Records
A Control Record is a database, spreadsheet, or any other electronic file
containing a list of computing systems that contain protected data. Control
records must contain the following:
- name of computing system data custodian
- physical location of computing system
- description of logical access and security controls
- description of protected data stored on the system
Control Records must be updated and supplied to the Lead Campus Authority
at least once per year or at any time a system containing protected data
is deployed or significantly modified.
Third-Party User
A Third-Party User is an authorized external contractor or affiliate who
uses UCR data containing protected information.