Information Security Policy
This policy was posted for public comment from September 13 - 28, 2022.
Comments
read on 9/13/2022
Alright, simple.
“Computer Resource, Electronic Resource, IT Resource and Personal Device have slightly nuanced definitions but could potentially be consolidated. For your consideration, I've noted potential definitions that may be entailed or implied interpretations within IT Resource.” The commenter continued to note that if including electronic communication within “college business operation,” then “electronic resource” is entailed within “computer resource” and “IT resource.” Further, the commenter noted that “computer resource,” “electronic resource,” and “personal device” appear entailed under “IT resource” if used to perform college business.
Two commenters made several notes for minor grammar and clarity edits.
The Data Governance Council commented, “While the policy acknowledges that the data governance council ‘establishes and maintains data classifications’ (IV.F.1), this policy seems to add some classifications. The policy has a classification for ‘sensitive’ data (III.U) and ‘Confidential information’ (III.G). These are both classifications that don’t exist in the current Data Classification Guide. Switching from ‘Confidential Information’ to ‘Confidential Data’ is also a suggestion to provide consistent language across documents.”
The Data Governance Council commented, “The council seeks clarification on the term ‘data handling’ in section IV.F.2. We suggest the term ‘data transmission’ may be more appropriate. Data handling is a broader term that encompasses all actions by data custodians and other data owners. Our reading of this policy suggests the intent of IV.F.2 is to establish OIT’s responsibilities in securing data as it is moved or stored within a system or between systems. Alternatively, we would suggest just removing ‘data handling’ completely from the section and having it just reference the encryption requirements. . . . The council seeks clarification on how we envision the IT technicians’ role established in IV.F.3. We suggest making this section clearer that this is about technical security of the data and not about general data management practices (i.e., definitions and data quality controls). The council is also interested to learn more about what tools and software IT technicians will use to ‘document’ the procedures they are to establish under this section.”
Responses
Generally Favorable Comments on Revisions to the Policy
No response is necessary to these comments.
Confusion Between Computer Resource, Electronic Resource, IT Resource, and Personal Device Definitions
No change was made to the Policy. The Originator and his Information Security team would like to ensure the separation of these terms within the policy. To help maintain clarity, the department is working with the Policy Coordinator to create a reference table/Venn diagram to assist readers in clarifying what items qualify under what definitions.
Grammar and Clarity
These changes were accepted.
Use of “Confidential Data” instead of “Sensitive Data” and “Confidential Information”
This comment, as it applies to “sensitive data,” was accepted. However, the request to delete the use of confidential information or data was not adopted because this term is more of a description of a characteristic of a particular type of data rather than a classification of the data.
Clarification on “Data Handling” and “IT Technicians”
No change was made in response to this comment. The term “data handling” should remain. As stated in the comments, data handling refers to how data is to be managed in any method. In addition, references to transmission, storage, location, etc., should remain.
IT Technician references a rule and should remain as it currently has been established, without specific tools being listed. Listing the tools would require the rule to be rewritten each time the tools or methods are updated. The purpose of the rule is to be flexible and updatable as best practices evolve, not to be rewritten each time a process is updated. Those processes are documented within OIT repositories.