Data Protection

Issue/Question

What is the USD security policy on Data Protection?

Environment

  • CIS Control 3

Cause

Protect against cybersecurity threats, establish cybersecurity norms, and enhance cybersecurity maturity.

Resolution

Data Protection

Policy Statement: The University recognizes the critical importance of protecting sensitive data to maintain the confidentiality, integrity, and availability of information assets. This policy establishes guidelines for implementing data protection measures to safeguard University data against unauthorized access, disclosure, and misuse.

Policy Implementation:

  1. Data Classification:

    • The University will classify data based on its sensitivity, criticality, and regulatory requirements, following a standardized classification scheme.
    • Data classification levels may include categories such as public, internal, confidential, and restricted, with corresponding access controls and protection measures.
  2. Access Controls:

    • Access controls will be implemented to restrict access to sensitive data based on the principle of least privilege, ensuring that only authorized users have access to data necessary for their job functions.
    • Access to sensitive data will be granted based on formal authorization processes and reviewed periodically to ensure appropriateness.
  3. Data Encryption:

    • The University will encrypt sensitive data both in transit and at rest using strong encryption algorithms and protocols.
    • Encryption mechanisms will be applied to protect data stored on servers, databases, mobile devices, and removable media to prevent unauthorized access in the event of a security breach.
  4. Data Loss Prevention (DLP):

    • The University will implement data loss prevention technologies and solutions to monitor, detect, and prevent unauthorized transmission or leakage of sensitive data.
    • DLP controls will include policies, procedures, and technical controls to enforce data protection policies and prevent data exfiltration.
  5. Data Retention and Disposal:

    • The University will establish data retention and disposal policies to govern the lifecycle of data from creation to disposal.
    • Data retention periods will be defined based on legal, regulatory, and business requirements, and data will be securely disposed of at the end of its lifecycle using approved methods.

Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in data protection activities.

Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of data protection practices.


This policy provides a framework for implementing CIS Control 3 within a university environment, focusing on data protection measures to safeguard sensitive information and ensure compliance with privacy regulations and industry best practices.

Please contact the Service Desk if you need further assistance.

Details

Article ID: 8937
Created: Tue 3/5/24 8:10 AM
Modified: Wed 4/17/24 7:05 PM
KCS Article Status
Validated
