Institutional information – data – is increasingly becoming UCSF’s lifeblood and most critical asset. Concurrently, data is growing enormously in complexity and volume while regulatory requirements are becoming ever more stringent. These factors have made the data management process progressively more important.
Everyone at UCSF has a role to play in protecting our data. UCSF 650-16 Addendum A - UCSF Roles and Responsibilities for Securing Institutional Information and IT Resources describes these roles and their key responsibilities. Everyone, at a minimum, is a “workforce member” and must adhere to UC Policy BFB-IS-3: Electronic Information Security and UCSF Policy 650-16: Information Security and Confidentiality. People and Units have additional responsibilities based on their role within the institution. For example, a unit that manages data like employee information, financial data, or medical records is an “Institutional Information Proprietor” and must assign the related responsibilities to individuals within the unit. Another example is a department that delivers a particular IT service, as they would then own the responsibilities of a “Service Provider.” Additional information to help you understand your responsibilities is available in the UCOP Quick Start Guide by Role.
Data Security Lifecycle
Proper oversight of data throughout its life cycle is critical to optimize its utility and minimize the potential for errors and breaches. Below are examples of questions that should be asked, and measures taken within each of the four phases pictured above.
- What is the data classification? The article Know Your Data describes how to properly classify, work with, and secure your data based on UC policies that require impacts to be measured in the following areas:
- Loss of critical UCSF operations
- Negative financial impact (actual money lost, lost opportunities, value of the data itself)
- Damage to UCSF’s reputation
- Potential for regulatory or legal action
- Violation of UCSF’s mission, policies, or principles
- Requirement for corrective action or repairs
- What regulatory requirements apply to the data? Regulations that protect the security and privacy of data are on the rise. UCSF is subject to many of these regulations, including the following:
- Is a risk assessment required? UCSF is required by a number of laws, regulations and policies to assess the risk of compromise to information systems that create, store, process, or transmit UCSF data, and any new platform that will handle P3 (sensitive) or P4 (restricted) data must undergo a security risk assessment. The UCSF risk assessment process collects information about the security controls implemented on a system or application and uses that information to score its security compliance.
- Based on the data classification, what are the policy, legal, and access requirements? UCSF Policy 650-16 Addendum F, UCSF Data Classification Standard describes the policy, legal, and access requirements for each type of data.
- How will the data be kept safe? UCSF Policy 650-16 Addendum B, UCSF Minimum Security Standards for Electronic Information Resources describes the minimum-security measures for UCSF data and should be used to create a data management plan that addresses:
- System Inventory and Protection Level Classification (PLC)
- Transmission of Restricted Information
- Physical Security
- System Management Agent
- Network Access Control (NAC)
- Host-Based Firewall
- Security Endpoint Detection and Response Agent (EDR)
- Device Encryption
- Encrypted Authentication
- Software Patch Updates
- Application and Website Security
- Enterprise Vulnerability Management
Use and Share including Transmitting Data Electronically
- How long should the data be kept? Data should be stored in accordance with the UC Records Retention Schedule.
- How is paper media destroyed? Secure disposal bins should be used. Your manager can order one from the vendor, Shred-it, by contacting their customer service at 1-800-MYSHRED (1-800-697-4733) or ShreditCare@stericycle.com and creating a requisition in BearBuy.
- How is electronic media destroyed? Contact the IT Service Desk or call 415-514-4100. IT will collect and arrange for the destruction of any electronic media (hard drives, tapes, etc.) that contains restricted or sensitive data, including PII (personally identifiable information) and PHI (patient health information), free of charge.
- Can data be left in the cloud or in the possession of a third party after a project is completed? If your data is stored in a cloud-hosted environment or with a vendor, be sure to work with them to retrieve or properly dispose of your data. UCSF purchasing agreements have specific requirements for how vendors must handle disposition of UCSF data at the end of the agreement.
Take the quiz on protecting your data. Everyone who passes the quiz is entered to win one of six $50 Amazon Gift Cards.