Data Protection


What is the USD security policy on Data Protection?


  • CIS Control 3


Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity 


Data Protection

Policy Statement: The University recognizes the critical importance of protecting sensitive data to maintain the confidentiality, integrity, and availability of information assets. This policy establishes guidelines for implementing data protection measures to safeguard University data against unauthorized access, disclosure, and misuse.

Policy Implementation:

  1. Data Classification:

    • The University will classify data based on its sensitivity, criticality, and regulatory requirements, following a standardized classification scheme.
    • Data classification levels may include categories such as public, internal, confidential, and restricted, with corresponding access controls and protection measures.
  2. Data Inventory:

    • The University will inventory data based on type, uses, and sensitivity.
    • Data flow and usage documentation will be created for sensitive data.
  3. Access Controls:

    • Access controls will be implemented to restrict access to sensitive data based on the principle of least privilege, ensuring that only authorized users have access to data necessary for their job functions.
    • Access to sensitive data will be granted based on formal authorization processes and reviewed periodically to ensure appropriateness.
    • Data should be segmented based on sensitivity.
  4. Data Encryption:

    • The University will encrypt sensitive data both in transit and at rest using strong encryption algorithms and protocols.
    • Encryption mechanisms will be applied to protect data stored on servers, databases, mobile devices, and removable media to prevent unauthorized access in the event of a security breach.
  5. Data Loss Prevention (DLP):

    • The University will implement data loss prevention technologies and solutions to monitor, detect, and prevent unauthorized transmission or leakage of sensitive data.
    • Endpoint and browser agents will be installed.
    • DLP controls will include policies, procedures, and technical controls to enforce data protection policies and prevent data exfiltration.
    • Data will be encrypted on end-user devices.
    • Data will be encrypted on removable media.
    • Data will be encrypted in transit.
    • Data will be encrypted at rest.
    • Logging of access, modification, or disposal of sensitive data will occur.
  6. Data Retention and Disposal:

    • The University will establish data retention and disposal policies to govern the lifecycle of data from creation to disposal.
    • Data retention periods will be defined based on legal, regulatory, and business requirements, and data will be securely disposed of at the end of its lifecycle using approved methods.

Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in data protection activities.

Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of data protection practices.

This policy provides a framework for implementing CIS Control 3 within a university environment, focusing on data protection measures to safeguard sensitive information and ensure compliance with privacy regulations and industry best practices.

Please contact the Service Desk if you need further assistance.



Article ID: 8937
Tue 3/5/24 8:10 AM
Wed 5/22/24 3:41 PM