Data Use Standard

This standard applies to any individual who creates, processes, stores, shares, and/or destroys university data.

It's the responsibility of all data users to protect university data and to adhere to TU's safeguards. The safeguards listed in this standard might not reflect all use cases and protections as required by contracts, regulations, research and other agreements. For clarification or general guidance, contact the Office of Technology Services by submitting service request.

Definitions

  • Authentication: the process of determining whether someone or something is who they claim to be.
  • Authorization: a security mechanism used to determine privileges permissions or access levels related to information system resources.
  • Data Classification: how TU categorizes data and guidance on the proper handling of that data. Learn more. 
  • Data Minimization: the principle that creating, processing, storing and sharing university data must be relevant and limited to what's necessary.

Safeguards 

Level 1 - Public data generally does not have any specific requirements, however, access to change or modify public data should be carefully protected. 

General Use 

  • Access to any TU information system that contains data (including administrative access to Level 1 - Public data systems) requires an encrypted login process.
  • Accessing confidential data is not permitted from personal devices unless using Remote Access Gateway or . 
  • Do not access confidential data on public networks (e.g., coffee shop Wi-Fi). 
  • Do not save confidential data to local hard drives under any circumstance. 
  • Do not store, save or export any protected or confidential TU data on personal devices or unapproved information systems (such as PeopleSoft).
  • The principle of Data Minimization should be applied in all uses of university data.

Access Control

Information security controls that determine the methods and permissions for who and what can access information systems and data. 

Level 2 – Protected Data 

  • Authentication processed must be via an encrypted login process.
  • Authentication (preferably NetID-based) is required to access data.
  • Authorization rules (roles, permissions or other methods) must be defined for the data, and access to view or modify data should be restricted to only individuals who need it for business purposes. 
  • Data is stored on a TU managed information system or device.   

Level 3 – Confidential Data 

  • Follow all requirements for Level 2 – Protected Data.
  • NetID-based authentication must be used where feasible.
  • The individual accessing the data must have a signed confidentiality agreement  or equivalent on record. 

Storage and Transmission

Refers to storage (e.g. data-at-rest), sending/receiving (i.e. data-in-transit) and accessing (i.e. viewing, processing, etc.) data.

Level 2 - Protected Data 

  • Encryption should be used for sending/receiving data (e.g. HTTPS, SFTP or FTPS). 
  • Only store data on TU-managed information systems or devices.

Level 3 - Confidential Data 

  • Encryption is required for storage. Data must be stored on the secure file sharing service, an appropriate information system (e.g., PeopleSoft, Stratus, etc.), or other approved encrypted storage. 
  • Encryption is required for sending/receiving data transmission, which includes accessing a website with confidential data.
  • Paper/physical copies must be stored in a secure location (e.g., locked office or cabinet).

Media Sanitization and Disposal

Refers to the information security requirements of safely disposing of or reusing hard drives and other storage. 

Level 2 - Protected 

  • All electronic storage media and equipment (i.e., digital media) that is managed, owned, leased by Towson University and/or the state (including, but not limited to: workstations, servers, laptops, cell phones, tablets and multi-function printers/copiers) must be in compliance with OTS’ media and equipment disposal and reuse standard operating procedures and standards.   
  • Paper/physical copies must be disposed of by an approved shredding technique. 

Level 3 - Confidential Data 

  • Follow all requirements for Level 2 – Protected Data. 
  • Digital media must be erased using an Office of Information Security and Privacy approved security method.     

Copying and Printing

Information security requirements for physical paper and electric/digital information.

Level 2 - Protected Data 

  • Only print when there is a legitimate need.
  • Limit copies to authorized individuals.
  • Do not leave paper/copies/printouts unattended on a printer.
  • Retention of information must follow university retention policies. 

Level 3 - Confidential Data 

  • Follow all requirements for Level 2 - Protected data. 
  • Must have a signed confidentiality agreement on record. 
  • Paper/physical copies must be stored in a secure location (e.g., locked office or cabinet). 

Training and Awareness Education

Information security-related training required for those handling university data. 

Level 2 - Protected Data 

  • General security awareness training is highly recommended and might be required in certain circumstances. 
  • For system administrators, administrator-specific training is recommended. 

Level 3 - Confidential Data 

  • General security awareness training is required. 
  • For system administrators, administrator-specific training may be required. 
  • Applicable policy- and regulation- (e.g., FERPA, HIPAA, PCI) specific training may be required.

Support

Questions, comments or requests for exception to this standard must be directed to the Office of Technology Services (OTS) by submitting a service request.

Related Resources