Boise State University Data Use Guidelines
Purpose
The purpose of this document is to provide guidance to members of the Boise State user community who extract, post or use Sensitive Information outside Boise State’s secured network and computing infrastructure.
The data covered by these guidelines include any type of Sensitive Information as defined in the Boise State Information Privacy and Data Security Policy #8060 and University Data Classification Standard.
Background
The Office of Information Technology (OIT) protects Boise State’s Sensitive Information from unauthorized access or inappropriate use by enforcing technical and procedural security controls for infrastructure based systems and applications (e.g. PeopleSoft, Oracle, etc…) that store and/or process Sensitive Information. However, the availability of local workstations, shared and portable drives, Boise State hosted and Web-based applications and services provides the opportunity for otherwise secure data to be extracted from hardened infrastructure systems and applications and then used outside of OIT data security controls.
System Security Category Designations
Boise State maintained infrastructure systems and applications (including hardware, software, managed cloud services and associated devices) store, process and protect various types of Sensitive Information under Boise State’s control. System security requirements directly correlate to data sensitivity levels as defined in the University Data Classification Standard.
For example, if Boise State systems or applications contain information designated as sensitive by laws or regulations then the data and system is considered as Level One with the highest potential risk to the University and campus community. The most stringent system security requirements have to be implemented to provide maximum security and data protection.
Systems or applications containing any personally identifiable information collected and retained by Boise State about any member or affiliate of the Boise State community, or any sensitive Boise State proprietary institutional information, are considered as Level Two. The risk to the University and campus community is slightly lower so system security requirements are slightly less but still provide a significant level of security and data protection.
Systems or applications containing solely public data is considered as Level Three have lowest level of risk to the University and the campus community and are not required to have any extraordinary system security requirements.
Appropriate Data Use
Members of the Boise State user community who use any of the services or devices listed in Table 1 below must do so in accordance with the policies, standards and guidelines that governs acceptable computer usage on campus. Before extracting data, users must ensure the security category level of the application or service is consistent with the level of protection required for the extracted data to be stored or processed and have obtained approval from your supervisor, manager or Data Owner (Contact the office of IT Governance, Risk & Compliance if there are questions about the use of sensitive information in any Boise State infrastructure system).
Sensitive Information belonging to multiple sensitivity levels must be treated according to the highest level of sensitivity. Boise State considers information (i.e. data) to be sensitive if it is, or has been, determined to be confidential because of state or federal laws, regulations, Boise State policy, or by agreement, whether the information is in physical or electronic format. Sensitive information includes the following categories of information:
Category 1 (Level One data)
Information designated as sensitive by laws or regulations, such as:
- Medical records covered by the Health Information Portability and Accountability Act (HIPAA)
- Banking and credit card records covered by the Payment Card Industry (PCI) data security standards. Academic records covered by the Family Education Right and Privacy Act (FERPA);
- An individual’s first name or first initial and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
- SSN
- Driver’s license number, state identification card number, or other individual identification number issued by a unit
- Passport number or other identification number issued by the United States government
- Individual Taxpayer Identification Number
- Financial or other account numbers, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, which would permit access to an individual’s account.
Information of this type carries a (High) security risk and is always sensitive if personal identifiers (e.g. name, SSN, Student or Employee ID,etc.) are, or can be, associated with the medical or banking records. This type of sensitive information receives the highest level of security protection within Boise State’s infrastructure systems and must never be extracted from those systems without prior written consent from the appropriate Boise State Data Owners.
Category 2 (Level Two data)
Boise State proprietary institutional information or personally identifiable information collected and retained by Boise State about any member or affiliate of the Boise State community that requires a Freedom of Information Request to disclose. This includes:
- Any individual or combination of data elements that, if disclosed without authorization, identify a specific individual and could place the individual’s privacy, or Boise State, at risk.
- Sensitive institutional information such as intellectual property, project proposals, or patent applications.
- Administrative Correspondence containing personally identifiable information or otherwise marked confidential due to its content.
This type of sensitive information carries a (Moderate) security risk and is protected securely within Boise State’s infrastructure systems and must be secured with the same level of protection if extracted from those systems.
Category 3 (Level Three data)
Public information not classified as Category 1 or 2 and carries a (Low) security risk and is not required to be secured.
Approved Security Category By Service/ Device
| Service/Device | 3 | 2 | 1 | Comments or Notes | Risk |
|---|---|---|---|---|---|
| Boise State Owned Workstations | X | X | Category 3 data can be stored locally on your Workstation. If Category 2 data storage is required then BitLocker(Windows OS) or FileVault2(Mac OS) full disk encryption must be installed and maintained. Category 1 data should never be stored outside of OIT controlled systems. | Moderate | |
| Boise State Owned Laptops or Surface device. | X | X | Category 3 data can be stored locally on the laptop. If Category 2 data storage is required then BitLocker(Windows OS) or FileVault2(Mac OS) full disk encryption must be installed and maintained. Category 1 data should never be stored on a mobile device of any type. | Moderate | |
| Personal Workstations | X | Personally owned workstations or laptops can only be used to store Boise State Category 3 Public information. | Low | ||
| Mobile Devices | X | Mobile devices, whether Boise State or personally-owned, can only be used to store Boise State Category 3 Public information. | Low | ||
| Boise State Google Apps and Email | X | X | * | Can only be used for some Category 1(FERPA) and all Category 2 or 3 data. *Google Apps email does meet FERPA data security requirements EXCEPT for SSN transmission. Google Apps does not meet HIPAA or export controlled data security requirements for Category 1 data. | Moderate |
| Non-Boise State Email | X | Never send Category 1 or 2 data through email (in text or attachments) regardless of the Non-Boise State email provider. NOTE: Category 2 data can be shared via an embedded document link (e.g. link to Google Apps document containing the data located within the Boise State Google Apps domain). | Moderate | ||
| Boise State Wordpress Sites | X | Can only be used to store Boise State Category 3 Public information. Never store Category 1 or 2 data in sites or within Secure Forms. | Low | ||
| Departmental Sites | X | can only be used to store Boise State Category 3 Public information. Never store Category 1 or 2 data in sites. | Low | ||
| Network File Share | X | X | Can only be used for Category 2 or 3 data. Make sure file share access is restricted to users with a business need to know. Category 1 data should never be stored outside of OIT controlled systems. | Moderate | |
| Public Cloud Storage(E.G. Dropbox) | X | Can only be used to store Boise State Category 3 Public information. Never store Category 1 or 2 data in public cloud storage sites. NOTE: Use of desktop data syncing tool is not permitted for Boise State data. | Low | ||
| Portable Electronic Storage Media | X | Can only be used to store Boise State Category 3 Public information. Never store Category 1 or 2 data on portable electronic storage media such as USB devices, CD/DVD ROM, or external hard drives. | Low | ||
| Encrypted Portable Electronic Storage Media | X | X | X | If you have a documented business need to store Category 1 or 2 data contact OIT to get an approved list of encryption controls and devices. NOTE: All storage of Level 1 data outside of OIT controlled systems must be explicitly approved by OIT and Boise State Data Owners. | High |
Users must assess the security level of any service or application not listed in Table 1 before posting or storing Sensitive Information in such locations. If you have question, please contact the office of IT Governance, Risk & Compliance.
Violation of these Data Use Guidelines or other campus policies may result in temporary or permanent restriction of access privileges to services, or other measures detailed in the Enforcement section of the 8060 – “Information Privacy and Data Security” policy.
Further Information on Data Sensitivity and Classification
Unspecified Data Types
Data types not specified in Boise State Policy #8060 Information Privacy and Data Security, Data Classification Standard or other policies or guidelines should be evaluated on a case-by-case basis. If unauthorized access or disclosure of data could cause financial or reputational harm to an individual or Boise State, DO NOT post or store such data to web-based applications or services.
Questions about whether certain data should or should not be stored on specific web-based applications, services or systems, should be directed to the Chief Information Security Officer at CISO@boisestate.edu or (208) 426-5701.