Policies

To protect data and assure that information technology at OSU is available and secure, the university has developed policy in three key areas: information access, acceptable use of resources, and network administration. Each of these policies is designed to serve the university's interests by balancing the need to protect our data and infrastructure with the recognition of the critical role that technology plays in the achievement of the university's strategic goals. The Vice Provost for Information Services is the policy officer for technology and data policies at OSU. 

University Data Management, Classification and Incident Response

This policy aims to improve data access, accuracy, and integrity while applying appropriate security controls and protection to manage risk.


Acceptable Use of Computing Resources

This policy defines the expectations for users’ behavior and use of the university’s computing environment and resources to assure their appropriate use.


University Network Administration

This policy regulates the use of the wired and wireless networks used to access the university network.


University Data Management, Classification, and Incident Response

Policy Overview

What is the purpose of this policy?

This policy aims to improve data access, accuracy, and integrity, while applying appropriate security controls and protection to manage risk. It contains definitions for different types of university data, guidelines for accessing and responsibly using that data, and instructions about what to do in the case of a data compromise. In order to protect university data, the policy establishes a framework to allow the university to comply with all federal and state laws, regulations, and policies pertaining to data management, classification and incident response.

Why does OSU have this policy?

This policy exists because of the critical role that data plays in the 21st century university. Much of the data that the university owns is protected by law; it is vital that OSU manage the data in a way that maximizes utility while minimizing risk.


Who is this policy for?

This policy applies to all university units, employees, students, visitors, contractors, and affiliates, and anyone who produces, manages or accesses university data.

Data Classifications

All university data carries one of three classifications that dictate access and use. These are Unrestricted, Sensitive and Confidential. Each classification has its own set of instructions and requirements for the access, use, and care of the information.

Learn more about data classifications and storage.

Data Access

Access to data is key to making informed decisions to enhance student success and to meeting the goals of the university.

Accessing and maintaining data.

Roles and Responsibilities

The President of the university has ultimate oversight responsibility and authority over institutional provisions for data management, classification, and incident response.

The Provost is the Data Trustee for the university, and, as delegated by the President, has the authority for all decisions regarding data usage and classification for university business. The Provost approves information management and security policies proposed by the Vice Provost for Information Services (VPIS).

The Vice Provost for Information Services (VPIS) is responsible for developing institutional policies and instituting programs to ensure the security, integrity, and availability of the university’s information systems and assets. The VPIS reports to the Provost on such matters.

The Chief Information Security Officer (CISO) serves as Director of the Office of Information Security and is responsible for:

  1. ensuring that institutional policies, procedures, and standards related to information security are implemented, maintained, and enforced;
  2. coordinating the institution’s response to information security incidents;
  3. promoting training and awareness of the secure use of information, computing, and network resources; and
  4. managing and assessing the information security operations of the institution.

The Data Governance Council, appointed by the Provost and advisory to the VPIS, reviews and recommends policy and procedure for managing the data of the university. Where information is shared amongst systems, the Data Governance Council will recommend processes to the VPIS.

Deans, Vice Presidents, Vice Provosts and Department Heads are responsible for:

  1. promoting understanding of and compliance with university data management, classification, and incident response policies within their units; and
  2. ensuring that adequate technical and procedural means and resources are in place to maintain the prescribed standards of care within their units.

Data systems administrators are responsible for ensuring that:

  1. any system containing university data is appropriately secured;
  2. information systems are used appropriately;
  3. permissions are managed appropriately to conform to university policy; and
  4. all legal and compliance requirements are met.

Data stewards are responsible for:

  1. ensuring, within their units, compliance with federal and state laws, rules, and regulations, university policies and procedures, and contractual obligations regarding the release of information to non-university entities;
  2. supporting the use of data to conduct university business;
  3. supporting appropriate practices for data use and data quality, and developing business processes that ensure the accuracy of data;
  4. recommending and implementing appropriate information access procedures;
  5. ensuring the accuracy of university data within their area of defined responsibility;
  6. defining processes for the collection and storage of data; and
  7. recommending appropriate levels of training for access and use of information under their stewardship by relevant staff.

All members of the OSU community, including employees, students, and business partners, must:

  1. comply with university policies, procedures, and guidelines associated with information security;
  2. meet or exceed the minimum safeguards as required by university policy;
  3. comply with handling instructions for data as provided by university policy and procedures;
  4. report unauthorized data access, data misuse, or data quality issues to their supervisor, the appropriate data steward, or the Office of Information Security; and
  5. complete training on the appropriate use and protection of university data, as required by the university.

Data Access

 

Oregon State University is the owner of all institutional data available in all types of university electronic storage systems. An individual’s access to university data is granted on a need-to-know basis, covering the information necessary for performing business functions. There are two central systems for accessing university data and information:

Administrative data systems

The need for access to university Administrative Data Systems is generally identified in an individual’s job description. Requests for systems access are made by completing the Request for Access form. This form covers access requests for student, human resources and finance information systems.

CORE 

OSU's Cooperative Open Reporting Environment (CORE) system provides a uniform reporting platform for the university community. Access to CORE is an automatic assignment-based process determined by an employee’s position classification or job profile. Security (access) levels for all positions to Data Areas were defined by the university’s Data Stewards, with overrides incorporated based on individual Banner access security groups. However, access to Student Data beyond the default requires completion of the Registrar’s Student Data Request for Access form. To learn more about the CORE assignment-based access, see CORE Access and Security.

Other Systems

In addition to these central data sources, there are various cases where a college or business unit may have need for institutional data within their business units. There are many considerations and responsibilities that accompany this type of data access. An overview of the process and related resources are presented below. 

Data Governance

 

OUR MISSION

To enable data-driven decision making campus-wide by balancing the security and privacy of data and the availability of data. 

 

PURPOSE AND VISION

In aligning with the priorities established for Oregon State University, the mission of the Data Governance Program is to allow for and facilitate campus-wide data-driven decision making.

The program seeks to:

  • Identify what data sources exist today and/or what data sources OSU should capture
  • Define who within OSU is responsible and accountable for the management of that data

 

GOALS AND OBJECTIVES

OSU strives to be a data-driven university, giving members of the community immediate access to information that allows informed decisions, planning and action.

We must balance university-wide access to data and information with ensuring its security and appropriate use.

There should be a single truth so that all parts of the university are using the same references.

 

PRINCIPLES

Data is a strategic asset of the university, but only to the extent that it is available, accurate and actionable.

All data and information are owned by the university.

We will trust our employees, and also have the highest expectations for appropriate use and care of data.

 

 

 

Acceptable Use of University Information

This policy explains how we share OSU-specific information, and the obligations held by individuals with this information to use and secure it appropriately. It relates to all OSU-specific information, including student, employee, and financial records, received by individuals through the performance of their duties, provision of services, or participating in programs. Every individual who has access to OSU-specific information is expected to adhere to this policy regardless of how the information was received or the format in which it was received. Non-OSU employees must read and sign this policy as a condition of access to and use of University information.

Information about access to data is available at http://is.oregonstate.edu/policies/university-data-management-classification-and-incident-response/data-access

Below is a listing of the most broadly utilized OSU-specific information and the associated data stewards. Not all information or data stewards are listed and individuals are advised to seek information regarding the security and access of OSU-specific information not listed below by contacting Information Services.

| Area | Information | Data steward |
| --- | --- | --- |
| Student | Course Catalog | Registrar |
| Student | Class Schedule | Registrar |
| Student | Recruitment | Admissions |
| Student | Admissions | Admissions |
| Student | General Student | Registrar |
| Student | Registration | Registrar |
| Student | Accounts Receivable | Business Affairs |
| Student | Academic History | Registrar |
| Student | Curriculum, Advising & Program Planning | Registrar |
| Finance | Accounts Payable | Business Affairs |
| Finance | Accounts Receivable | Business Affairs |
| Finance | Budget | Budget & Fiscal Planning |
| Finance | Payroll | Business Affairs |
| Finance | Fixed Assets | Business Affairs |
| Finance | FOAPAL Elements | Joint Ownership: Business Affairs & Budget & Fiscal Planning |
| Financial Aid | | Financial Aid |
| Employee | Payroll | Business Affairs |
| Employee | All Other | Human Resources |

OSU employees in positions requiring access to the Banner database or data warehouses will find the access request procedure at http://oregonstate.edu/dept/computing/banner/access.html.

Use and Release of Information

  • Individuals may request and utilize information needed to perform the scope of their responsibilities to the University. Individuals may not utilize information for a task that is not within the direct scope of their responsibilities without the prior approval of the appropriate data steward.
  • Release of student data must follow the guidelines available at http://oregonstate.edu/registrar/guidelines-release-information. Release of employee data must follow the guidelines available at http://oregonstate.edu/admin/hr/document/pdf/guidelines-release-employee-records. All requests for records coming from outside the University are to be reviewed by the appropriate data steward prior to release. The data steward will consult with the General Counsel’s office as appropriate for compliance with the public records law.
  • Aggregate (summary data, not person specific) information, extracted from information systems or reports, may be released internally or externally if it has already been publicly released with the approval of the records custodian. Aggregate data that has not been published by the University may be released only with the prior approval of the appropriate data steward.
  • Subpoenas or other requests from law enforcement authorities for student or employee records should be referred to the Office of the Registrar for students or the Office of Human Resources for employees.

Expectations for Responsible Use of Information

  • Respect electronic computing resources and systems and your impact upon them.
  • Information is available for your use in your official role at OSU only. No additional uses of information or sharing of information may be made without appropriate authorization.
  • Removal of the official record copy of documents from the office where they are maintained is permissible only when authorized to do so and in the performance of official duties.
  • Keep all passwords and access codes confidential and out of sight of others.
  • Keep all confidential information and records, however maintained or stored, safeguarded against inappropriate use or access by others.
  • Report any infractions in the use or release of information to the appropriate records custodian.

Violations

Users who violate this policy may be subject to disciplinary actions and/or criminal and civil penalties and may be denied access to University computing resources. Such actions will be taken as determined appropriate in consideration of the severity and frequency of the violation(s). Violations will be handled through the University disciplinary procedures applicable to the relevant user and may include referring suspected violations of applicable law to appropriate law enforcement agencies.