Editor's notes:
POLICY TITLE: Carnegie Mellon Data and Computer Security (Confidentiality of Administrative Data)
DATE OF ISSUANCE: This policy was originally issued in May 1990 as Chapter 1, Volume 7 of the Carnegie Mellon Policy Library. The information in this policy was most recently updated in April 2001.
ACCOUNTABLE DEPARTMENT/UNIT: Computing Services. Questions on policy content should be directed to Joel Smith, Vice Provost and CIO, x8-2649, joelms@andrew.cmu.edu.
ABSTRACT: This policy secures and protects administrative data in university-owned computing systems and addresses broader issues of the rights and responsibilities of authorized persons in the handling, as well as the security and protection, of university data.
Access to data residing in administrative systems and applications at Carnegie Mellon University is to be granted only to those individuals who must, in the course of exercising their responsibilities, use the specific information. Access to administrative data will be granted to university employees only. With special permission, a student may access data if the data pertains to that student or if that student is also an employee of the university. Individuals outside the university can be authorized access to university data only if that authorization is granted by an Executive Officer of the university.
Access and update capabilities/restrictions will apply to all administrative data, data stored on the Administrative Computing and Information Services (ACIS) computers and on mini-computers and micro-computers across campus. Security measures apply to administrative systems developed and/or maintained by university departments or outside vendors.
This policy only covers administrative aspects of academic and research units.
Carnegie Mellon University maintains data which are essential to performing university business. These data are to be viewed as valued resources over which the university has both rights and obligations to manage, secure, protect, and control. This policy secures and protects data defined as administrative data stored in and accessible by university-owned computing systems and accessible by university employees in their official university capacities. In addition, this policy addresses the broader data issues of the rights and responsibilities of authorized persons in the handling, as well as the security and protection, of university data.
The following topics are addressed in the "Procedures" and "Special Situations" sections of this policy:
These definitions apply to these terms as they are used in this policy:
Access capability
Authority granted to an individual which allows viewing of data residing in a computer system file. Access capability is generally managed through assignments of a user id and password.
Administrative data
Any data related to the administration of Carnegie Mellon University. This includes data used by both the central administration and the administrative units of the various colleges and departments.
Administrative systems and applications
Any computer system/application programming which supports administrative activities of the university. This includes systems or applications supporting both the central administration and the administrative units of the various colleges and departments.
Campus-wide access information
Information intended for campus use and not for external distribution. Unauthorized distribution of this information to external sources by any university employee is considered an abuse of privileged information.
Administrative Computing Security Committee
Group appointed by the president and responsible for the administrative computing security environment at the university. The group reports to the Assistant Vice President, ACIS.
Data Security Officer
The employee responsible for evaluating and monitoring system access. Evaluates requests for access to application databases.
Data Owner
The employee responsible for the data in the system, e.g., a division or department head. Responsibilities include evaluating/approving requests for access to specific data or groups of data.
Public information
Information that is available or distributed to the general public either regularly or upon request.
Restricted information, moderately sensitive/highly sensitive
Information intended for use only by individuals who require that information in the course of performing their university responsibilities, or information protected by federal and state regulations. Requests for access to this information must be authorized by the applicable department head AND dean/division head. If restricted information is to be accessed across multiple divisions or university-wide, the applicable vice president(s) or the provost must authorize its access.
University
Carnegie Mellon University including its colleges, academic and administrative departments and research units.
Update capability
Access capability which allows an individual to alter, add or delete data in a computer system file.
User id
Character string which identifies an individual to a computer system, enabling access and/or update capabilities.
In order to control access and update capabilities, an individual residing in the user area responsible for the specific application will be designated as the Data Owner. This individual performs in a supervisory or managerial capacity and is responsible for the data residing in the designated system. The responsibilities of the Data Owner are to:
On an annual basis, the Data Owner and the Data Security Officer will review the current set of access and update capabilities granted to each individual on the system in order to ensure that no changes are necessary.
| Application | Data Types | Data Owner(s) |
|---|---|---|
| Admissions, Graduate | Prospects, Applicants, Admitted | Dean, Graduate Schools; Department Heads |
| Admissions, Undergraduate | Prospects, Applicants, Admitted | Director, Admissions |
| Budget | Financial | Asst VP, Budgets |
| Career Services | Students | Director, Career Center |
| Oracle Financials | Financial | Asst VP, Finance; Asst Provost, Research |
| Commencement | Students | Director, Enrollment Services |
| Computer Billing | Financial | Vice Provost, Computing Services |
| Degree Audit | Students | Department Heads |
| FCE | Faculty | Asst VP, Planning |
| Financial Aid | Student Financial Information | Director, Enrollment Services |
| Gift Accounting and Alumni System | Alumni, Friends, Corporations, Foundations | Director, Development Information Services |
| Housing | Students, Facilities | Director of Housing Services |
| Human Resource Information System | Personnel, Applicants, Salary, Appointments | Asst VP, Human Resources; Asst VP, Financial Services Group |
| Inventory Control | Supplies | Asst VP, Business Services |
| Work Order Management | Facilities Maintenance | Asst VP, Facilities Mgt |
| Parking | Facilities, Financial | Asst VP, Business Services |
| Design/Construction | Facilities, Plans | Asst VP, Facilities Mgt |
| Property Management (PAS) | Capital Assets | Asst VP, Finance |
| Student Accounts Receivable | Tuition, Student Fees | Director, Enrollment Services; Asst VP, Finance |
| Space/Facilities Database | Facilities | Asst VP, Planning |
| Student Information (including QSIS) | Students, Courses, Facilities, Records | VP, Enrollment Services |
| Telecommunications | Facilities, Financial | Director, Telecommunications |
In addition to the Data Owner, others will process and handle data in the course of the administrative cycle. They too will be responsible for the security of the data. These individuals and divisions include:
The Data Security Officer is responsible for all systems-related security issues associated with a particular application. A Data Security Officer will be appointed by the Assistant Vice President, ACIS, for each application and will act as the contact person for establishing, altering or deleting computer user ids and determining data access needs within a system.
Administrative Computing and Information Services is responsible for the design, programming and maintenance of administrative applications. In designing or updating systems, Administrative Computing and Information Services must be aware of any security impacts of such designs and ensure that proper security control is programmed into each application to provide a secure computing environment and adequate protection of data. The Data Security Officer must convey application-specific security needs to the Assistant Vice President, ACIS.
Computing Services maintains and operates the equipment upon which most central server administrative applications reside. It is the responsibility of Computing Services to ensure adequate physical security over such equipment, restrict equipment access to authorized personnel only, and adequately assure that output containing confidential information is properly safeguarded. Responsibilities also include maintenance of operating system-level security specific to the computing equipment under their jurisdiction.
The Administrative Computing Security Committee is responsible for the maintenance of a secure administrative processing environment at Carnegie Mellon. The committee formulates overall policy, addresses issues impacting computer security, and reviews situations involving violations of computer security policy.
Because different types of data require different levels of security, data is classified into four categories: Public Information, Campus-Wide Information, Restricted Information - Moderately Sensitive, and Restricted Information - Highly Sensitive. Each category is explained below. For detailed examples of accessibility by data type, see the Appendix, Table 2.
Public Information is available or distributed to the general public either regularly or upon request.
Campus-Wide Information is intended for campus use and not for external distribution. Distribution of this information to external sources by any university employee without proper approval is considered an abuse of privileged information.
Restricted Information - Moderately or Highly Sensitive is information intended for use only by individuals who require that information in the course of performing their university responsibilities, or information protected by federal and state regulations. Requests for access to this information must be authorized by the applicable department head AND dean/division head. If restricted information is to be accessed across multiple divisions or university-wide, the applicable vice president(s) or the provost must authorize its access. In some instances, the president may be required to authorize access to restricted information.
Operating Systems used for administrative computing will provide for, at a minimum, the following security features:
READ, WRITE, EXECUTE, DELETE, CONTROL).
Database management software used in administrative application development will have the following features:
Applications developed in-house or purchased from a third party will be examined to determine:
The Data Security Officer and Administrative Computing and Information Services should examine application-level security on a system-by-system basis. Because of the complex interaction with other applications, the operating system, the underlying databases, as well as the needs of the user community and the nature of the data, there are many intervening factors which preclude an overall policy for application-level security. The security features of any new software will always be considered a priority in the selection and development of such software.
Interactive access to applications occurs in many ways, e.g.:
Terminals attached via networks are susceptible to monitoring, and passwords sent over them are insecure. Any local area network must be physically secure; it is the responsibility of each person authorized to access administrative information to ensure the physical security of the local area network on which they operate. The login process should transmit only encrypted passwords across the network. Unauthorized persons shall not be permitted to access portions of the networks being used for transmitting university administrative data.
Periodic review and correction of network security weaknesses are undertaken jointly by the Administrative Computing and Information Services (ACIS) Department and the Data Communications Department of the Division of Computing Services. All weaknesses and security breaches will be reviewed by the Assistant Vice President, ACIS.
Backup and recovery procedures must be developed and maintained for all administrative computing systems and data. The following requirements must be met:
The Data Security Officer should periodically review backup and recovery procedures to ensure their continued applicability.
Passwords are a critical component to any computer security program. To properly control passwords and maintain their integrity, the guidelines below will be followed:
Generic user ids will not exist, except as the source for the production, maintenance, and development of application systems. In cases where many people log in under a single user id, audit trails and system statistics become ineffective in assigning responsibility.
Appropriate operating system security alarms will be activated, and available auditing tools will be in use.
When an employee terminates employment with a department or the university, follow the guidelines below.
If you wish to gain access to administrative data, follow the steps below:
If your request is approved by the Data Owner
If your request is denied by the Data Owner or the Data Security Officer
Sometimes when you request authorization to access data, you may also want to request the ability to update data within an administrative application. The responsibility for approving such capabilities rests solely with the Data Owner. In general, such update capabilities are to be limited to individuals working in the organizational area(s) supported by the specific application or system, e.g., only Payroll Office and Benefits Office staff members may update data within the Human Resource Information System. It is important to emphasize that data update capabilities will be limited to those who require the capabilities to successfully meet their job responsibilities.
The Data Security Officer ensures that update capabilities are made available only to authorized users and that data not authorized for update will be satisfactorily protected.
When new applications are being developed or significant changes are being made to existing systems, general guidelines will be established to define who should have data update capabilities.
If you are denied data update capabilities
You can appeal that decision to the Assistant Vice President, ACIS. The decision in these cases is final.
Just as care must be exercised in granting access or update capabilities to administrative data/systems, such care must also be extended to the distribution of administrative information generated by the university's administrative systems.
The Data Owner is responsible for determining:
The Data Owner must ensure that:
The Data Security Officer provides assistance in coordinating security measures over data distribution with Computing Systems and Administrative Computing and Information Services personnel.
In the course of accessing data or information, you might access restricted information within the particular database. It is the responsibility of the Data Owner to ensure that all individuals with access to restricted data are aware of the confidential nature of the information and the limitations, in terms of disclosure, that apply.
If you are aware of possible breaches in administrative data/computer security, you are strongly encouraged to report such occurrences to the Assistant Vice President, ACIS. Such reports will be held in strict confidence and promptly investigated by the committee. Likewise, Data Owners and Data Security Officers are responsible for reporting security breaches identified during the course of their responsibilities to the Administrative Computing Security Committee.
Upon notification of possible security breaches, the Administrative Computing Security Committee will investigate all facts related to the situation and recommend appropriate disciplinary action to university management. All matters involving university employees will be reviewed with the assistant vice president for human resources and/or the provost. Matters involving students will be reviewed with the dean of student affairs. Matters involving individuals not affiliated with the university will be reviewed with the university attorney.
All individuals with responsibility over or access to administrative data at Carnegie Mellon are expected to follow the policies and procedures in this document and to exercise discretion with regard to such information. Any university employee, student or non-university individual with access to administrative data who engages in unauthorized use, disclosure, alteration or destruction of data in violation of this policy will be subject to appropriate disciplinary action, including possible dismissal and/or legal action. The following steps will be taken:
The following table shows the responsibilities each party has in connection with this policy.
You (individual requesting access)
Administrative Computing Security Committee
Administrative Computing and Information Services
Assistant Vice President, ACIS
Computing Systems
Data Owner
Data Security Officer
Department Head/Supervisor
Questions about information in the Data and Computer Security Policy should be directed to the following people:
Contact: Joel Smith, Vice Provost and CIO
Telephone: (412) 268-2649
Electronic Mail Address: joelms@andrew.cmu.edu
The following table lists the different data types and their accessibility status. Data types are explained in detail in Table 3.
| Data Type | Public Information | Campus-Wide Information | Restricted, Moderately Sensitive | Restricted, Highly Sensitive |
|---|---|---|---|---|
| Employee Data | Government forms requiring salary data (IRS Form 990); University Information | None | Appointment Information; Non-salary-related benefits enrollment information; Biographical Information; Employee Information; Salary Surveys | EEO Information by employee; Salary Information by employee; Termination/Disability Information by employee |
| University Finances | Annual Reports | Internal Annual Reports; Quarterly Reports | Financial data by operating unit | None |
| Facilities | None | Building Use Information (Fact Book); Building Floor Plans | Building Maintenance Information | None |
| Students | Directory Information as identified in the university policy on Privacy Rights of Students | None | Biographical Information; Academic Information | Financial Aid Information; Parents' Financial Information; Student Accounts Receivable Information; Student's Payment Information; Career Service Information |
| Alumnae(i) and Friends | None | None | Biographical Information | Gift and Pledge Information; Financial Information; Employment Information; Biographical Information for Friends |
| Education and Instruction | Programs Offered; Degrees Offered; Courses Scheduled | Faculty Course Evaluation Results | Instructor Information | None |
| Research Activities | None | None | Proposal Information | None |
Data about Employees
Appointment Information - Non-salary-related
Benefits Enrollment/De-enrollment Information
Biographical Information
EEO Information
Employee Information
Salary Information
Termination/Disability Information
University Information
Data about Facilities
Building Use Information
Building Maintenance Information
Data about Students
Biographical Information
Academic Information
Financial Information
Career Services Information
Data about Alumnae(i) and Friends
Biographical Information
Financial Information
Data about Education and Instruction
Course Schedule Information
Instructor Information
Data about Research Activities
Proposal Title
Principal Investigators
Date of Funding
Amount and Distribution of Funding
Duration of Funding
Subject Information