There are several important security policies at my job that are worth noting here. They provide good general guidance for anyone working with sensitive data.
- Data Classification System. There are four categories for data: public (DCL 1), sensitive (DCL 2), restricted (DCL 3), and highly restricted (DCL 4). You need to use great caution with restricted and highly restricted data.
  - Public data has no serious restrictions.
  - Sensitive data is data that is not openly shared with the public, but which is not formally restricted. Examples include faculty salaries, phone numbers, and internal memos.
  - Restricted data is data covered by certain regulatory requirements such as FERPA. Examples include personally identifiable information about our students.
  - Highly restricted data is similar to restricted data with the extra provision that there are specific regulatory provisions that dictate how this data must be protected. There are many examples, but the one most relevant to my work is HIPAA regulated data.
- Email Management Policy. This policy outlines restrictions on the use of University email accounts and on conducting University work on non-University email accounts.
  - You can use your University email account for personal use if it is not excessive. Anything that might overburden the network or interfere with use by other University employees is prohibited. Refer to 110.005 Acceptable Use Policy for details.
  - Don’t use the password for your University email as the password for any other non-University website.
  - Don’t autoforward all your University email to a non-University email account.
  - Don’t use a non-University email account for University business.
  - Don’t send sensitive data as an unencrypted email attachment to external recipients. Don’t store unencrypted sensitive data in your email account for more than 30 days.
- Zoom protected account. If you are sharing confidential information (such as protected health information) on a Zoom video conference, you need to use a secure Zoom account.
- [Equal Employment/Educational Opportunity and Nondiscrimination Policy][eeo1]. While this is not a security policy per se, it is still worth documenting here. This policy defines discrimination and harassment and identifies the equity officers who can handle inquiries about this policy.
- Conflict of interest. Also not a security policy, but important anyway, are the rules on conflict of interest. My consulting work with clients outside of UMKC qualifies as an outside interest (“An employment, consulting, or other professional activity or service, paid or unpaid, for a third party that is not part of the Employee’s University Responsibilities, and such activity or service for the third party nonetheless relates to work within the scope of the Employee’s University Responsibilities. This includes, without limitation, any activity or service that involves the use of the Employee’s expertise, the practice of the Employee’s profession, or any activity or service that contributes to the Employee’s professional competence or development”). An outside interest is not necessarily barred, but it does require reporting and possible management. You cannot use University materials or facilities, and the work cannot interfere with your regular duties.
- Reporting concerns. If you have information about unethical behavior, you have several options for reporting it: directly to your supervisor, your Dean, a trusted colleague, or a representative of Human Resources, Campus Police, or the Ethics and Compliance Office. You also have access to a hotline where you can submit reports, including anonymous reports.
- [Ethics, Compliance, and Audit Services][eth1]. This office provides independent auditing and consulting services to the UM System.