15.50 – NMSU Institutional Data Security

PART 1: PURPOSE

This Rule provides for the secure management of NMSU institutional data.

PART 2: RULE

1. Definition of Institutional Data: Institutional data is defined as all information, documents and other data, regardless of physical form or location that is used, created, received, maintained or held by or on behalf of NMSU in the course of university business.
2. Authorized Access to Institutional Data: Access to, distribution and/or any other use of institutional data is based on an employee’s position and duties. Such access shall be granted and monitored through the employee’s supervisor by the appropriate records custodian and the appropriate vice president, dean or director.  All employees shall comply with applicable federal and state laws, including FERPA, GLBA, and HIPAA, as well as with applicable university policies relating to the secure access, maintenance, distribution, storage or other use of institutional data. (See also ARP 15.60 – 15.64)
   1. Transmission of university data to other persons or entities affiliated with NMSU, such as third party vendors, must have prior approval by the appropriate vice president/dean/director and the appropriate records custodian.
   2. Employees shall not transfer their authority for access to institutional data to any person.
   3. Employees with access to institutional data shall not access, distribute or otherwise use such information for any purpose other than those required to perform their job duties. (See RPM 18.55 Inspection of Public Records for distinct procedures available to request public institutional information in one’s personal capacity.)

PART 3: NON-DISCLOSURE NOTIFICATION FORM

All employees authorized to access NMSU central computer systems, including but not limited to Banner and COGNOS, shall be given and shall sign a Non-Disclosure of Sensitive/Confidential Information Employee Notification form.  A copy of this form is available at Administration Non Disclosure.  The lack of a signed Non-Disclosure form shall not relieve the employee of the responsibility to comply with applicable state and federal law and NMSU policies relating to the secure access, maintenance, distribution, storage or other use of institutional data. Employees with access to institutional data shall not access, distribute or otherwise use such information for any purpose other than those required to perform their job duties. (See ARP 15.60 – 15.64) Distinct procedures are available to request public institutional information in one’s personal capacity. (See ARP 18.40 – Inspection of Public Records)

PART 4: INFORMATION STORED ON DESKTOP COMPUTERS AND PORTABLE COMPUTING DEVICES

Users with access to institutional data shall maintain reasonable measures to ensure the security of the data. The following requirements must be observed:

1. Institutional data shall only be stored on university-owned computers or on computers owned by contractors to the university.
2. Institutional data must be removed from computing devices when the data is no longer required.
3. Regular backups shall be performed on computing devices that store university data.
4. Institutional data should be encrypted on computing devices that store university data.
5. Institutional data shall not be stored on removable media unless approved by the appropriate data custodian.

PART 5: INFORMATION SECURITY ON DESKTOP AND PORTABLE COMPUTING DEVICES

All desktop computers and portable computing devices that hold institutional data, including university-owned devices used at home, shall:

1. Have automatic updates enabled to the operating system and virus protection as appropriate.
2. Require a password for access when started or rebooted.
3. Use a password-protected screen saver that locks access when unattended.
4. Not run file sharing software, in particular software that allows the sharing of music and videos.

PART 6: INFORMATION SECURITY ON SERVERS

All servers on which university-owned data are maintained shall follow existing university policy and administrative rules and procedures.  Servers shall also:

1. Have automatic updates enabled.
2. Have a trained, full-time employee assigned as the primary system administrator of the server.  Students and temporary staff shall not be the primary contact for the server.
3. Reside on a physically separate subnet than that of desktop computers.
4. Have all unnecessary services turned off and/or removed from the server.
5. Have backups of data, operating system and applications performed regularly. The backup media should be stored offsite in a secure storage area.
6. Have a firewall enabled.
7. Not be used as a desktop or personal computer.
8. Use a web browser only for the download/update of software.