目的

The purpose of this policy is to establish the framework for administering the University's institutional data.

权威

弗吉尼亚法典第23条.第1-1301条，经修正, grants authority to the Board of 访问ors to make rules and policies concerning the institution. 第七节.第01(a)(6)条 访客委员会章程 grants authority to the 总统 to implement the policies and procedures of the Board relating to University operations.

重组高等教育财政和行政运作法; 弗吉尼亚法典第23条.1-1000等序列.，经修订

定义

应用程序管理员 -具有管理应用程序或系统权限的个人, 谁负责确保适当的控制, 机制, and processes are in place to meet the security requirements necessary to protect an information technology resource.

数据分类 -在信息安全的背景下, it is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, 改变, 或擅自销毁.

数据元素 -电子记录保存, a combination of characters or bytes referring to one separate item of information such as name, address, 和年龄.

数据合规性所有者 - 数据遵从性所有者了解其权限下数据的遵从性要求, 指定其数据的合规级别, 并批准访问和使用数据.

• University 数据合规性所有者 oversee compliance for data that is shared or leveraged across the University, 比如HR, 金融, 金融援助, 和学生FERPA数据.
• Departmental 数据合规性所有者 oversee the data that is specific to the departmental application or system that is not overseen by one or more of the University Data compliance Owners.

数据用户 - Those authorized to access institutional data and information in order to perform their assigned duties or to fulfill their role in the University community.

资讯保安主任(ISO) -最靠谱的网赌软件的雇员, 由院长或指定人员任命, who is responsible for developing and managing 最靠谱的网赌软件's information security program.

机构数据 - Recorded information that documents a transaction or activity by or with any appointed board member, 官, 或大学雇员. 不考虑物质形式或特征的, 记录的信息如果产生，就是机构记录, 收集, 收到了, 或根据法律或与大学业务交易有关而保留的资料. The medium upon which such information is recorded has no bearing on the determination of whether the recording is an institutional record. 机构记录包括但不限于人事记录, 学生记录, 学习成绩, 财务记录, 病人记录和行政记录. 记录格式/媒体包括但不限于电子邮件, 电子数据库, 电子文件, 纸, audio, video, 和图片.

个人身份信息 - Personally identifiable information (PII) is defined as data or other information that is tied to or which otherwise identifies an individual or provides information about an individual in a way that is reasonably likely to enable identification of a specific person and make personal information about them known. 用于ODU的分类, 某些个人信息可以被视为公开的, 例如FERPA下指定的目录信息, or confidential or restrictive based on ability to use the information for harmful purposes such as identity theft.

RESEARCH和学术数据(“RESEARCH数据”) - Digitally recorded information (necessary to support or validate a research project's observations, 发现, 或输出. 具体来说，这些数据是:

1. Acquired and/or maintained by University employees and/or students in performance of research and/or in pursuit of a scholarly activity;
2. 学术的:为追求RESEARCH或学术功能而创建或更新的;
3. 支持RESEARCH或学术发现所必需的, 确立发明的有效性, 并证明知识产权的所有权.

系统合规性 - The manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview. 系统合规性 are responsible for the overall compliance and security of their system.

范围

This policy applies to all users of 最靠谱的网赌软件 information technology resources and governs all information technology resources either owned by or operated for University business through contractual arrangements. 用户可以包括员工、学生、志愿者和机构访客. 员工包括所有员工, 管理员, 教师, 全职或兼职, 以及由大学支付报酬的机密或非机密人员. Students include all persons admitted to the University who have not completed a program of study for which they were enrolled; student status continues whether or not the University's programs are in session. 访客包括供应商和他们的员工, 学生家长, 志愿者, 客人, 不请自来的客人, 以及所有其他居住在房产上的人, 租赁, or otherwise controlled by the University or using information technology that is provided by the University.

此策略是指所有已拥有的数据, 使用, 创建, 或由大学维护，无论是单独控制还是共享, 独立或联网. 它适用于自有、租赁、运营或承包设备上的所有数据源.

政策声明

数据管理与分类

It is the policy of 最靠谱的网赌软件 that the framework for the administration of institutional data is built upon the accepted standards of practice, 对机构数据的理解, 以及数据管理中涉及的角色和职责.

机构数据及其处理基础设施的安全性, 传播, 或存储是按照公认的信息安全管理标准进行的, 如ISO/IEC 27001/2, 信息 技术 - Security Techniques - Code of Practice for information security controls, 行业最佳做法和同类高等教育机构的做法.

Data classifications and associated protective controls account for academic and business needs for sharing or restricting information and the impact associated with such needs. 数据分类通知安全决策，例如存储数据的位置, 授权和访问需求, 业务连续性和灾难恢复计划, 并保存在风险评估文件中. Data classification levels along with certain transmission and storage expectations are found in 信息技术标准02.数据管理和分类.

RESEARCH和学术数据

RESEARCH and scholarly data are generally not considered institutional data and are governed by the RESEARCH和学术数据 Governance Committee (RSDGC). The RSDGC is a University-level committee charged with oversight of the policy and guidelines for the management of and access to the University's RESEARCH Data in accordance with University policies and applicable law.

角色和职责

数据合规负责人的具体责任, 数据用户, 应用程序管理员, 监督委员会, 其他安全角色在内部进行了标识 信息技术标准01.2.IT安全的角色和职责.

违反此政策应报告给大学的信息安全官员. 任何教师, staff or student found to have violated this policy may be subject to the appropriate disciplinary action.

程序

1. 数据遵从性所有者审查和识别数据元素. 中概述的数据分类级别 信息技术标准02.数据管理和分类 数据遵从性所有者做出分类决定.

2. System compliance owners in collaboration with the data compliance owner will conduct a System Risk Assessment in accordance with 资讯科技标准08.1.0 -风险评估标准 适用于所有维护敏感数据的新系统和托管系统. 完成的系统风险评估将转交给信息安全主任.

记录保留

适用的记录必须保留，然后按照 联邦记录保留时间表.

负责人员

资讯保安主任

相关信息

访客委员会政策第1424号，知识产权政策

大学政策3500 -计算机资源的使用

大学政策3501 -信息技术访问控制政策

大学政策3505 -信息技术安全政策

大学政策4100 -学生记录政策

大学政策5350 -RESEARCH和学术数字数据管理政策

信息技术标准02.4.IT资产控制

资讯科技标准05.1.IT安全事件处理

资讯科技标准05.2.0 -数据泄露通知

资讯科技标准05.3.0 -威胁检测

资讯科技标准06.6.0 -安全监控和日志

RESEARCH志愿者或访问Academics协议办公室