Skip to main content

Policy 8060 Custodians – Data Security Guideline

Updated February 2016

Establishing internal standards and procedures

Custodians establish internal standards and procedures for the creation, retention, distribution and disposal of information under their control. These standards must meet the Minimum Security Standards for Systems set by the Chief Information Security Officer (CISO), the university’s records retention policy, as well as other university policies, contractual agreements, and governing federal, state and local laws. Custodians may impose additional requirements to enhance security as long as they are consistent with the above authorities.

Determining Authorizations

Custodians must determine who is authorized to have access to their information. They must ensure those with access have a need to know the information and understand the security requirements for that information. Where applicable, custodians must ensure those with access to confidential information have signed a confidentiality agreement covering the information they are responsible for.


Custodians must keep records documenting the creation, distribution and disposal of all confidential information.

Incident Reporting

Custodians must report suspected or known compromises of their information to their managers and per the university’s Incident Response Procedure on the same business day that they become aware of the compromise.