Adopted April 9, 1997
Updated November 12, 2001
The University of Wisconsin Oshkosh maintains data which are essential to performing University business. These data are to be viewed as valuable resources over which the university has both rights and obligations to manage, protect, secure and control.
2.0 Policy
This policy secures and protects data stored on and accessible by university-owned computing systems and utilized by university employees and students in support of the educational mission of the university. In so doing, it ensures that:
1. The University is able to meet its record-keeping and reporting obligations as required by state and federal law, the Board of Regents, and UW System Administration.
2. The University is able to comply with the Family Educational Rights and Privacy Act of 1974 (the Buckley Amendment) and other statutes and policies protecting the rights of individuals.
3. The University is able to comply with the Wisconsin Public Records Statutes and other laws and policies providing for access to data.
4. University data integrity and accuracy are consistently maintained.
5. Authorized individuals are assured of timely and reliable access to necessary data.
6. Unauthorized individuals are denied access to computing resources or other means to retrieve, modify or transfer data.
This policy also addresses the issue of the rights and responsibilities of authorized persons in the handling, security and protection of University data. In view of the fact that security measures may introduce additional overhead in terms of time and effort, the objective of this policy is to ensure secure data while minimizing impediments to its access.
The Assistant Vice Chancellor for Information Technology is responsible for the implementation of this policy.
The policies and guidelines established herein govern the management and accessibility of University operational data regardless of the environment in which it resides. The term 'operational data' is meant to encompass only that data which is necessary for the daily execution of the University's mission. This may include, but is not restricted to, administrative data, student and payroll records, personnel records, and accounting information. The environment in which this data is found may include, but is not limited to, the central mainframe, mini-computers, campus network servers, individual personal computers (PCs), and data as it is found on any other medium (printouts, screen dumps, microfiche, etc.).
This policy's scope of authority applies to all employees of the University, students, alumni, and authorized persons with interests in specialized segments of the University, such as Research, University Facilities, Employee/Student/Alumni data, or Education/Instruction.
These definitions apply to the following terms as they are used in this policy:
3.1 Legal Custodian -- An administrative officer within the University, given scoped responsibility by the Chancellor, according to state statutes, for managing specific information resources within a functional area. A list of current appointees and their areas of responsibility is available from the Office of Information Technology, or electronically at this location.
3.2 Data Steward -- An individual appointed by a Legal Custodian to manage a subset of the data designated as being within the area of responsibility of that Custodian. A Data Steward is the person primarily responsible for the accuracy, privacy, and integrity of University data. All University data must have an identified Data Steward. A list of current appointees and their assigned areas of responsibility is available from the Office of Information Technology, or electronically at this location.
3.3 Data User -- Any individual requiring access to University data in the course of meeting the requirements of their position or an educational curriculum.
4.0 Data Ownership and Accountability
4.1 University of Wisconsin Oshkosh
The University of Wisconsin Oshkosh retains the exclusive right and use of all computer assets, including data. Within this context, it is considered the Legal Custodian of all University data.
4.2 Specific Roles
A list of current appointees to those positions referenced in the following sections is available from the Office of Information Technology, or electronically at this location.
4.2.1 Legal Custodian
Pursuant to c. 19.33(4), Wisconsin Statutes, and in accordance with the Wisconsin Public Records Statutes, the Chancellor must designate Legal Custodians of specific records. These individuals perform in a supervisory or managerial capacity and are responsible for the data residing in a designated system.
In addition to those duties defined by the relevant statutes, additional University responsibilities of the Legal Custodian may include:
1. Oversee the creation and disposition of the data records for which they have been assigned responsibility.
2. Determine what data are appropriate for distribution and update.
3. Determine the validity of all requests for access to, and update capability for, area-specific data or applications.
4. Periodically review the current set of access capabilities granted to all individuals on the system to ensure that the status is current and accurate.
5. Oversee the activities of all Data Stewards assigned to their functional area.
4.2.2 Data Steward
In support of the Legal Custodian, responsibility for managing specific categories of data is assigned to Data Stewards. For example, the Director of Human Resources is responsible for the classified employee payroll information. With regard to data access and security, these data stewards have the authority and responsibility to:
1. Assist the Legal Custodian with evaluation and approval of requests for access to records, in accordance with the Wisconsin Public Records Law and the Buckley Amendment.
2. Define and approve the degree and nature of access to their data.
3. Coordinate with the Office of Information Technology for adequate backup of data.
4. Coordinate the creation and purging of data in a manner consistent with current record-keeping policies and regulations.
4.2.3 Data Security Officer
The Data Security Officer has responsibility for implementing, monitoring, and coordinating the standards, procedures, and guidelines necessary to administer access to University data.
Specifically, the Security Officer has the responsibilities to:
1. Install, maintain, and operate data security software.
2. Maintain records indicating the identity of each Data Steward who has the responsibility for granting user access to data and the scope of their granting authority.
3. Implement the control of user access to University data, as determined by Data Stewards or Legal Custodians.
4. Review data security procedures within individual units as needed, disseminating information regarding access requests, security awareness, passwords, virus protection, and the reporting of security violations.
5. Create and maintain policy regarding the responsible usage of computing resources and outline the proper conduct expected of all data users.
6. Maintain current data access authorization records. This will entail the creation of new records in response to valid requests for data access, the removal of records for users transferring to another functional unit or leaving the University, and the modification of existing records to accommodate a name change or additional job requirements.
7. Establish and monitor system activity accounting and audit trail records in a manner consistent with University and Internet guidelines.
8. Serve as de facto Data Steward for data items not assigned to other stewards, until such time as an individual can be permanently designated.
4.2.4 Database Administrator
The Database Administrator (DBA) has responsibility for the management of and implementation of access to all data contained within the University database management system. The DBA is to act as the administrator of the information resource in accordance with established policies and procedures, but will in no sense dictate the usage of University data, nor determine individual access rights to data elements, records, or files contained within the database. This will remain the responsibility of the data stewards.
4.2.5 Data User
All departmental units and individuals have the responsibility to ensure that:
1. Privacy and confidentiality of data are maintained in a manner consistent with the laws and regulations relating to that data.
2. Every effort is made to assure and maintain the accuracy of data.
3. Data is correctly and appropriately used as defined by, but not limited to, applicable state and federal law. Sanctions for the inappropriate use of data are also defined by these regulations.
4. Data security is not compromised by the sharing of user access ids or passwords.
5. Proper records management disposal methods are used when data is considered no longer valid or useful.
6. Online conduct and utilization of computing resources is consistent with the guidelines set forth in the University of Wisconsin Oshkosh Statement of Acceptable Use of Computing Resources.
In addition, several departments operate third-party or in-house-developed systems on individual PCs, inter-office local area networks or other hardware. Other departments own and operate turnkey systems. The departments have complete responsibility for these systems, to include:
7. Secure computing resources, computer rooms, department office areas, and other work areas.
8. Establish policies, procedures, and standards for security and maintenance of software and data, such as backup policies and procedures.
5.1 Data Capture
1. The Legal Custodian is responsible for complete, accurate, valid, and timely data capture. These responsibilities may be delegated to Data Stewards.
2. Electronic data should be captured at or near its creation point, as identified by the Legal Custodian.
5.2 Data Storage
1. An official data storage location for each data element should be identified by the Legal Custodian.
2. Data element names, formats, and values should be consistent with University standards.
3. Archiving requirements and strategies for storing historical data should be determined by the Legal Custodian, in coordination with the Office of Information Technology.
5.3 Data Validation and Correction
1. The accuracy of any data element may be questioned by any authorized data user. The data user has the responsibility to help correct the perceived problem by supplying as much detailed information regarding correct usage of the data as is possible.
2. The Legal Custodian or delegated Data Steward is responsible for responding to questions and correcting verified inconsistencies in data elements.
3. Upon written identification and notification of erroneous data, corrective measures should be taken as soon as possible, in accordance with the consensus of the users, to correct the cause of the error; correct the data in the official data storage location; and notify users who have received or accessed erroneous data, of the changes.
5.4 Data Accessibility
Legal Custodians are responsible for providing accessible, meaningful, and timely University data. This activity may be assigned to Data Stewards or other University officials, within the confines of predefined authorization guidelines.
Accessibility to University data may be considered any of the following:
1. Hard copy reports issued by various administrative offices.
2. Interactive terminal access through the University communications infrastructure.
3. Data downloaded and accessed from a unit/departmental computer or downloaded to an individual user's personal computer. If University data is downloaded to a college or department, the responsibility for implementing, monitoring, and enforcing University data access and resource usage policies shall reside with the College Dean or Departmental Chair authorized to receive the data.
5.5 Data Security
1. All University data should be secured, with access granted to a data user on a "need-to-know" basis, and within the confines of predefined access guidelines and security requirements. The Legal Custodian, through the Data Stewards, has the ultimate responsibility for determining security requirements and access authorization.
2. All Data Users of University data must be cognizant of the level of access they have been provided, and of their responsibility to maintain the inherent privacy and integrity of that data. Effective data security is not possible without the cooperation of users who understand the reasons for data security and comply with established security measures.
5.6 Data Disposal
1. The Legal Custodian is responsible for determining what data within the functional area are to be retained and for how long. This authority may be delegated to a Data Steward.
2. At the point at which data is considered no longer useful or legally required, it must be removed from general access in a manner consistent with its content and medium. Disk-based datasets may be archived to tape and moved off-site or deleted. Tapes may be erased and reused or permanently archived. Reports and printouts may be recycled as is, or shredded prior to disposal, depending on legal or institutional requirements.
3. Data Users are responsible for the proper disposal of data residing on individual personal computers.
5.7 Data Documentation
Documentation of data elements is the ultimate responsibility of the Legal Custodian. This information should be provided to the Office of Information Technology (IT), who will oversee its archival and general availability. All data documentation so gathered will be maintained in machine-readable format in a University Data Dictionary. In essence, IT is the Data Steward for the University Data Dictionary.
5.8 Data Disputes
Due to the common occurrence of some data elements within several University systems, questions may arise as to the precedence of ownership or responsibility for that data element. A typical example might be social security number, which is frequently used by Registration, Human Resources, Financial Aid, and others. In this instance, the data element may be considered to have more than one Data Steward. If the Data Stewards are unable to arrive at a consensus as to the appropriate use of a data element, a meeting of the responsible parties will be convened by a designated representative of the Office of Information Technology in an effort to resolve the data dispute.
In the course of creating and administering controlled access to University data, various procedures must be defined and formalized to achieve this end. These procedures, listed below, with an accompanying explanatory cover page and their relevant forms, are available from the Office of Information Technology, or electronically at this location.
Appendix 6.1 Requesting Authorization for Data Access
Appendix 6.2 Modification of Existing Data Access Authorization
Appendix 6.3 Managing Systems for Employee Turnover
Appendix 6.4 Reporting Breaches of Data Security
Appendix 6.5 Requesting Computer System Activity Information
Appendix 6.6 Sanctions for Unauthorized Data Access or Disclosure
7.1 Wisconsin Public Records Statutes
7.2 Family Educational Rights and Privacy Act of 1974 (FERPA or Buckley Amendment)
7.3 University of Wisconsin Oshkosh Statement of Acceptable Use of Computing Resources
As an ongoing document, the University of Wisconsin Oshkosh Data Access and Data Security Policy will be maintained and revised as required by the Office of Information Technology (IT), in cooperation with data owners and computer systems users groups. All data users are encouraged to correspond with IT regarding any suggestions for improving this document. When corresponding, please refer to the document title and cite an appropriate section and page number reference.
Copies of this document or related standards documents are available from the Office of Information Technology, or electronically at http://www.uwosh.edu/it/it.html.
Appendix A - University of Wisconsin Oshkosh
Legal Custodians of Specific Records
Pursuant to s. 19.33(4), Wis. Stats., the following individuals are designated as University of Wisconsin Oshkosh Legal Custodians. This document supplements the University Data Access and Data Security Policy.
Academic, Unclassified, and Classified Personnel Records
Office of Human Relations, acting through Lori Worm, Interim Director of Human Resources
Affirmative Action Records
Office of Affirmative Action, acting through Beth Heuer, Affirmative Action Officer
Student Records
Office of Registration/Academic Advisement, acting through Lisa Danielson, Interim Registrar
Financial, Contractual, Business, and Related Records
Office of Administrative Services, acting through Tom Sonnleitener, Vice Chancellor for Administrative Services
All Other Records
Office of the Chancellor
Appendix B - University of Wisconsin Oshkosh
Current Data Stewards
This document supplements the University Data Access and Data Security Policy.
Student Systems
UG Information- Lisa Danielson
GR Information- Greg Wypiszynski
UG Transcripts- Lisa Danielson
GR Transcripts- Greg Wypiszynski
Student Accounts- Gary Moeller
Financial Aids- Beatriz Contreras
CDR- Mike Watson
UG Admissions- Jill Endries
GR Admissions- Greg Wypiszynski
UG Pre-admission- Jill Endries
GR Pre-admission- Greg Wypiszynski
Personnel Data Base
Faculty Payroll- Lori Worm
Classified Payroll- Lori Worm
C.A.S. program- Linda Freed
Grants- Linda Freed
Faculty Contracts- Lori Worm
Overload Payments- Lori Worm
Shared Financials System (SFS)
General Ledger- Gary Moeller
Purchasing- Jim Johnson
Report Distribution- Gary Moeller
Other Financial Systems
Student Payroll- Gary Moeller
Payroll Encumbrance- Lori Worm
University Foundation- Tom Keefe
Food Service
MLS files- Mitch Kilcrease
Residence Life
HSG files- Tom Fojtik
University Mailing
UMS general files- Tom Keefe
Testing and Research Services
TST files- JoAnn Konkel
Facilities and Equipment
Equipment Inventory- Bruce Williams
Physical Facilities- Steve Arndt
Keys-
Telephone Billing- Mary Hale
Library Periodicals- Barbara Fahey
Computing Resources
Computer Utilization- Ken Splittgerber
Weekly Activity- Ken Splittgerber
Magnetic Tape Inventory- Ken Splittgerber
Appendix C - University of Wisconsin Oshkosh
Position Titles and Current Incumbents
This document supplements the University Data Access and Data Security Policy.
Chancellor: Richard Wells
Provost/Vice Chancellor: Keith Miller
Associate Vice Chancellor: Craig Fiedler
Assistant Vice Chancellor for Graduate School and Research: Nancy Kaufman
Assistant Vice Chancellor for Information Technology: John Berens
Director of Human Resources: Lori Worm
Director of General Accounting: Gary Moeller
Data Security Officer: William Wurzbach
Database Administrator: William Wurzbach
Appendix D - University of Wisconsin Oshkosh
Laws Related to Data/Information Issues
This document supplements the University Data Access and Data Security Policy.
FEDERAL: Privacy and Protection Act of 1974, Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment), 1986 Electronic Communications Privacy Act, and The Computer Fraud and Abuse Act of 1989.
STATE: Wisconsin Statutes 1992-93, (41st Edition) (Chapter 19, Public Records and Property, ss. 19.31 - 19.39; Chapter 939, Crimes - General Provisions, ss. 939.32(2), 939.50(3), 939.51(3), 939.66(4), 939.72(3); Chapter 943, Crimes Against Property, ss. 943.70).
Appendix E - 6.1 Requesting Authorization for Data Access
This document supplements the University Data Access and Data Security Policy.
The following cover letter and request forms may be used when making an initial request for data access for a new user of the Online Administrative Computing System. For modification of the data access profile of an already-existing user of the system, see 6.2 Modification of Existing Data Access Authorization.
Requests for initial campus network logons or email access fall outside the scope of this policy paper, and should be directed to Academic Computing Services, or emailed to ACSHELP@uwosh.edu.
Appendix F - 6.2 Modification of Existing Data Access Authorization
This document supplements the University Data Access and Data Security Policy.
Once a system logon has been established for a given user, following the procedures outlined in 6.1 Requesting Authorization for Data Access, future modification of that user's security profile may be effected in any of several ways, whichever is most convenient for the requestor. The only requirements are that, for the purposes of audit review, the request contain the following minimum information:
1. A short paragraph stating the name of the user for whom security profile modification is desired, the office in which they work, and the nature of the access requested. This may include, but is not limited to, new CICS transaction ids, generic requests for access to database-related programs, the ability to update specific fields on an already-accessible transaction screen, update capability against an existing dataset, a change of name, etc.
2. The signature, or a valid electronic equivalent, of the user's immediate supervisor or departmental chair.
3. A time-stamp, system-generated or hand-written, indicating the date and time of the modification request.
This request may take the form of an email message from the requestor's mail account or a handwritten or typed request, preferably on letterhead, sent through intercampus mail. The email request should be sent to Security@uwosh.edu. The intercampus mail request should be sent to the attention of the Data Security Officer.
Requests for initial access to the Shared Financials System (SFS) should be directed to the Director of General Accounting in the Budgets and Controller Office. Requests for initial access to the Student Information System (SIS) should be directed to the Registrar in the Registration/Academic Advisement Office.
Again, as stated in 6.1 Requesting Authorization for Data Access, requests for modification of campus network logons or email access fall outside the scope of this policy paper, and should be directed to Academic Computing Services, or emailed to ACSHELP@uwosh.edu.
Appendix G - 6.3 Managing Systems for Employee Turnover
This document supplements the University Data Access and Data Security Policy.
In most cases, once a person has been assigned a particular security access profile, they will tend to keep that profile for an extended period of time, with very little, if any, change. Those modifications which do take place will usually be of the nature outlined in 6.2 Modification of Existing Data Access Authorization. Certain personnel activities, however, warrant a different course of action. These usually take the form of a departmental transfer, reclassification, termination, or retirement. In any situation such as this, the Data Security Officer should be notified in as timely a manner as possible of the pending event. This will allow the user's security profile to be modified to accommodate their new work responsibilities, and deny them access to information they no longer require for their work, or ensure that their logon is removed from the system, to preclude future unauthorized data access.
Notification to the Data Security Officer may take the form of a telephone call, an email message or a short note outlining the nature and timeframe of the personnel action. Email should be directed to Security@uwosh.edu. While most of this information will also be made available to the Data Security Officer by the Human Resources Office, it will not be as timely as direct notification from the office of interest, and will not convey any information as to the identity of the replacement personnel involved, who may also require access modification. Coordination and cooperation between the Data Security Office and a client office will help ensure a smooth transition during the employee turnover process.
Appendix H - 6.4 Reporting Breaches of Data Security
This document supplements the University Data Access and Data Security Policy.
It is incumbent upon every user to adhere to security policies and procedures and to call to the attention of the Office of Information Technology those whom they feel are violating these procedures. Every effort will be made to ensure total anonymity. If a user should encounter or observe a flaw in system or network security, this discrepancy must be reported to the Office of Information Technology. Individuals must refrain from exploiting any such lapse in security.
For online administrative computing system security problems, notify the Data Security Officer by telephone, personal visit, inter-campus mail, or an email message sent to Security@uwosh.edu.
For email, network or academic computing system violations, contact Academic Computing Services by telephone, personal visit, inter-campus mail, or an email message sent to ACSHELP@uwosh.edu.
Appendix I - 6.5 Requesting Computer System Activity Information
This document supplements the University Data Access and Data Security Policy.
The following cover letter and request form are used when requesting information regarding the activity of an individual on a University-controlled computer system. In all cases, this request should be initiated by an office previously designated for this purpose. Requests from unauthorized individuals will not be honored. The following are the appropriate offices to contact:
1. Individual requests for restraining action, e.g., stop unsolicited or harassing email:
Students: contact the Dean of Students
Faculty/Academic Staff/Classified Staff: contact the Director of Human Resources
2. Faculty or staff requests for system information regarding student activity:
Contact the Dean of Students
3. Departmental requests for system information regarding faculty/staff system activity:
Contact the Director of Human Resources
4. Outside agency requests for action or access to system information (e.g., system activity logs, login/logoff reports, etc.):
Contact the Network Manager
Appendix J - 6.6 Sanctions for Unauthorized Data Access or Disclosure
This document supplements the University Data Access and Data Security Policy.
Violation of the policies described herein for use of computing resources will be dealt with seriously. Violators are subject to disciplinary procedures of the University, may lose computing privileges or account and network access, and may also be subject to prosecution by state and federal authorities under laws including, but not limited to: The Privacy and Protection Act of 1974; Wisconsin Statutes 1992-93, (41st Edition) (Chapter 19, Public Records and Property, ss. 19.31 - 19.39; Chapter 939, Crimes - General Provisions, ss. 939.32(2), 939.50(3), 939.51(3), 939.66(4), 939.72(3); Chapter 943, Crimes Against Property, ss. 943.70); The Wisconsin Computer Crimes Act; The 1986 Electronic Communications Privacy Act; The Computer Fraud and Abuse Act of 1989. The sanction and appeal process will vary, depending upon the classification of the offender within the University community.
Suggested courses of action are described by, but are not limited to:
a. Student - Wisconsin Administrative Code, Section UWS 14 and UWS 17. These regulations are also maintained in a separate document entitled Student Discipline Code, which is available in the Dean of Students Office.
b. Classified Staff - Administered by the Human Resources Office, pursuant to the current University of Wisconsin System Classified Employees Work Rules; Chapter 230.34(1) of Wisconsin Statutes; Section 24 of Wisconsin Administrative Code; and existing collective bargaining agreements.
c. Academic Staff / Faculty - The University of Wisconsin Oshkosh Faculty and Academic Staff Handbook and specific departmental procedures, as warranted.
d. Other - Subject to the procedures of the organization or group with which they are affiliated, revocation of computing privileges, and possible state and federal prosecution.