Category: Information Technology
Responsible Office: Information Security Office
Responsible Executive: Vice President and Chief Information Officer (VPCIO)
Date Established: March 5, 2019
This standard defines how UB protects Category 2-Private Data. It supplements the Data Risk Classification Policy, Protection of University Data Policy, UB Minimum Security Standards for Desktops, Laptops, Mobile, and Other Endpoint Devices, UB Minimum Server Security and Hardening Standards, and the Data Access Procedure.
The security intent of this standard is (1) to define the safeguards required to maintain the confidentiality of Category 2-Private Data and (2) to minimize the risk of accidentally or intentionally making Category 2-Private Data publicly available.
The following safeguards are required to maintain the confidentiality of Category 2-Private Data:
Principles of Least-Privilege and Minimum-Necessary
In order to protect Category 2- Private Data, the university adheres to the information security principles of least-privilege (“need to know”) and minimum-necessary (“no more than needed or required for the intended task or use”). Adhering to the principles of least-privilege and minimum-necessary protects against unintentional inclusion, sharing, or possible publication of Category 2-Private Data along with Category 3-Public Data.
Examples of least-privilege include, but are not limited to:
Examples of minimum-necessary include, but are not limited to:
Dispose of Category 2-Private Data properly when no longer needed/when the retention period has been satisfied in accordance with the university’s Record Retention and Disposition Policy.
Category 2-Private Data encompasses a wide range of data types that fall between Category 1-Restricted Data and Category 3-Public Data. Category 2-Private Data is often used for University business and mission-related requirements. Therefore, specific instances of Category 2 –Private Data are more or less sensitive, depending upon the context or data with which it is stored or combined, and the manner in which the data is used.
This standard applies to all university employees, students, and third-party vendors who access, manage, store, or in other capacities use university data.
Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL. Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. FOIL excludes data that if disclosed would constitute an unwarranted invasion of personal privacy. The National Institute Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 – Private Data risk classification. However, systems housing the data should take reasonable measures to protect its accuracy.