University Policies

Data Security and Handling Policy

Approved by: President
Effective Date: June 26, 2023
Revision Date: June 25, 2024

POLICY STATEMENT

The purpose of this policy is to define the appropriate use and storage of Western Illinois University (WIU) data by all users.

SCOPE (WHO SHOULD READ THIS POLICY)

WIU Data Security and Handling Policy applies to any individual who has access to WIU data.

DEFINITIONS

  • Algorithm: A clearly specified mathematical process for computation; a set of rules that, if followed, will give a prescribed result.
  • Computing resources: Any resource used to perform computing operations/processes, such as a tablet, computer, phone, flash drive, CD, camera, smart television, etc.
  • Encryption: The process of converting information or data into a code that hides the information's true meaning , especially to prevent unauthorized access.
  • Hashed: Hashing is the process of transforming any given key or a string of characters into another value. This is usually represented by a shorter, fixed-length value or key that represents and makes it easier to find or employ the original string. The result is known as a hash.
  • Multi-factor authentication: Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource. Factors are generally considered to be something you have (i.e. possession of a token, phone, etc.), something you know (i.e. password), or something you are (i.e. fingerprint, retina scan, etc.).
  • RACF: Resource Access Control Facility (RACF) is an add-on software product that provides basic security for a mainframe system, protecting resources by granting access only to authorized users of the protected resources.
  • Salted: Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters and then hashing them.
  • Sensitive data: Sensitive data, as defined by the university’s Administrative Handbook’s Sensitive Data Handling Procedures is: Information intended for limited use within the university that, if disclosed, could be expected to have a serious adverse effect on the operations, assets, or reputation of the university, or the university's obligations concerning information privacy.

POLICY

The university and all members of the university community are obligated to respect and to protect university data. The university reserves the right to examine computer records or monitor activities of individual computer users (a) to protect the integrity or security of the computing resources or protect the university from liability, (b) to investigate unusual or excessive activity, (c) to investigate apparent violations of law or university policy, and (d) as otherwise required by law. Personal use of university computing resources is strictly prohibited for any reason, per the Ethics Act. Users should be aware that the university may be legally compelled to disclose information relating to business or personal use of the computer network to governmental authorities or, in response to a Freedom of Information Act (FOIA) request, for the context of litigation or a served subpoena.

All university areas accepting, working with, or transmitting sensitive data are required to take appropriate measures, to protect sensitive data under their care. Measures are considered appropriate if protective measures are consistent with laws, regulations, and best practices to the greatest extent possible and feasible. Data security requirements are applicable to all electronic data, regardless of medium of storage or transmission (i.e. local drives, servers, wireless, LAN, etc.).

  • There should be only one authoritative source for electronic university records. Because of the strength of RACF security and the technology available on the mainframe to support encryption at rest, the mainframe should be the authoritative source, when feasible.
  • Proper use of sensitive data begins by evaluating your business process for the need to take in or store sensitive data and if indeed it is needed, ensure that appropriate protection (obfuscation, masking, one-way hash, encryption, etc.) is applied throughout the data lifecycle. Sensitive data must never exist on university systems unprotected.
  • Sensitive data must be encrypted at rest and in transit utilizing the National Institute of Standards and Technology Cryptographic Standards and Guidelines.
  • The requirement to protect sensitive data extends to backup copies of sensitive data especially when this data is outside of university control, such as with a vendor, in transit, or stored off university property.
  • Direct access to data from the internet is prohibited. Requests for data should be proxied between a requesting segment and a segment hosting the data.
  • Use of default passwords is strictly prohibited.
  • Use of generic accounts is strictly prohibited.
  • Password storage must be encrypted, hashed and/or salted with a NIST compliant algorithm.
  • Information systems containing sensitive data should utilize multi-factor authentication enabled.
  • Access to information systems with sensitive data must be reviewed on a periodic basis.
  • Access to information systems and/or sensitive data must be revoked in a timely manner.
  • Configuration of all computing resources should be based on least privilege concepts. All unnecessary services and ports should be disabled by default. Configurations should be based on secure best practice guidelines.
  • Database management must be performed over secure channels.
  • When developing and configuring applications, do not connect to a database as a user with administrative/owner privileges, unless required. Instead, make use of customized user roles with appropriately limited privileges.
  • Data stored on any system not managed or controlled by the university (i.e. third party hosted applications) must be assessed to determine appropriate security measures are in place to protect the confidentiality, integrity, and availability of university data. Data security should be commensurate with university policy requirements.
  • All computing resources should maintain security updates/patching.
  • Hard drive encryption must be enabled on all desktop and laptop computers.
  • Personal use of university provided resources (i.e. email, web space, computer, etc.) is strictly prohibited.

RESPONSIBILITIES (Implementation and Enforcement)

University Technology is responsible for, implementing, enforcing, updating and maintaining this policy.

RESOURCES