Data Security and Access Policy (C-34)
OFFICE OF THE PRESIDENT
EXECUTIVE MEMORANDUM No. C-34
November 11, 1994
To: Vice Presidents, Deans, Directors, and Heads of Schools, Divisions, Departments, and Offices
Re: Data Security and Access Policy Statement
All administrative data and information are University resources. They are owned by the University and are shared as appropriate to meet the needs of the University and its various constituencies.
Purdue University maintains administrative computing resources, including data and information, that are essential to performing University business. These are University assets over which the University has both rights and obligations to manage, secure, protect, and control.
This policy applies to administrative computing resources regardless of where they reside. It requires that members of the University community act in accordance with this policy, relevant laws, contractual obligations, and the highest standards of ethics. This policy includes centralized and decentralized administration, audit, and control of access and security. An audit trail of the updates made to data is recorded for periodic review by security administrators and/or Internal Audit.
The goals for these policy statements are as follows:
- To assure employees access to relevant data they need to conduct University business;
- To prevent unauthorized access to systems, data, facilities, and networks; and
- To prevent any misuse of, or damage to, computer assets or data.
University employees are granted access to those data and information resources required to carry out the responsibilities of their position. No University employee will knowingly damage or misuse computing resources or data.
Access capabilities/restrictions apply to all administrative computing resources owned by the University. Safeguards are taken to ensure the security of the resources and to maximize the integrity of the information.
Access privileges are determined based on the duties and responsibilities of each position. Users with access privileges are assigned an access Identification Number (ID). Use of another person's access ID is prohibited.
While recognizing the University's responsibility toward data security, the procedures established to protect those data must not unduly interfere with the efficient conduct of University business or be unduly expensive to implement.
All University employees with an access ID have inquiry access to core data (i.e., data used by multiple University departments or by a single department across multiple business functions) on a need-to-know basis, without restriction or prior authorization, for use in conducting University business, except in those instances where legal, ethical, internally-imposed, or externally-imposed constraints require restricting access to certain specific data. Employees requiring access to restricted data are assigned specific access codes which they are responsible for protecting from misuse.
The employee's need to access data does not equate to casual viewing. It is the employee's obligation, and his/her supervisor's responsibility, to ensure that access to data is only to complete assigned functions.
Some University employees have update access to certain core data based on their duties and responsibilities. These privileges are granted by those stewards responsible for the data.
Inquiry and update access privileges to departmental data (i.e., data used by a single department) for employees outside the department that developed the data must be granted by that department.
Centralized computer facilities that house core data will be protected in a physically secure location with controlled access. Computer facilities that process departmental data may require physical security depending on the value and sensitivity of the data they process, the resources they access, and their cost. This security is the responsibility of the department.
Any exceptions to this policy must be approved by the President upon the recommendation of the Administrative Computing Steering Committee and/or the Executive Vice Presidents. Questions regarding this policy should be referred to the Vice President for Management Information and Long Range Budget Planning, who is responsible for implementing this policy.
This policy supersedes Business Office Memorandum No. 180. Nothing in this policy changes or supersedes Executive Memorandum No. C-2 regarding Disclosure of University Records or Executive Memorandum No. B-44 regarding the "Family Educational Rights and Privacy Act."
Steven C. Beering