Policies

Policies

To protect data and assure that information technology at OSU is available and secure, the university has developed policy in three key areas: information access, acceptable use of resources, and network administration. Each of these policies is designed to serve the university's interests by balancing the need to protect our data and infrastructure with the recognition of the critical role that technology plays in the achievement of the university's strategic goals. The Vice Provost for Information Services is the policy officer for technology and data policies at OSU. 

University Data Management, Classification and Incident Response

This policy aims to improve data access, accuracy, and integrity while applying appropriate security controls and protection to manage risk.

Overview Full Policy

Acceptable Use of Computing Resources

This policy defines the expectations for user’s behavior and use of the university’s computing environment and resources to assure their appropriate use.

Full Policy

University Network Administration

This policy regulates the use of the wired and wireless networks used to access the university network.

Full Policy

University Data Management, Classification, and Incident Response

Policy Overview

What is this purpose of this policy?

This policy aims to improve data access, accuracy, and integrity, while applying appropriate security controls and protection to manage risk. It contains definitions for different types of university data, guidelines for accessing and responsibly using that data, and instructions about what to do in the case of a data compromise. In order to protect university data, the policy establishes a framework to allow the university to comply with all federal and state laws, regulations, and policies pertaining to data management, classification and incident response.

Why does OSU have this policy?

This policy exists because of the critical role that data plays in the 21st century university. Much of the data that the university owns is protected by law; It is vital that OSU manage the data in a way that maximizes utility while minimizing risk.

Read Full Policy

Who is this policy for?

This policy applies to all university units, employees, students, visitors, contractors, and affiliates, and anyone who produces, manages or accesses university data.

Data Classifications

All university data carries one of three classifications that dictate access and use. These are Unrestricted, Sensitive and Confidential. Each classification has its own set of instructions and requirements for the access, use, and care of the information.

Learn more about data classifications and storage.

Data Access

Access to data is key to making an informed decision to enhance student success and meeting the goals of the university.

Accessing and maintaining data.

Roles and Responsibilities

The President of the university has ultimate oversight responsibility and authority over institutional provisions for data management, classification, and incident response.

The Provost is the Data Trustee for the university, and, as delegated by the President, has the authority for all decisions regarding data usage and classification for university business. The Provost approves information management and security policies proposed by the Vice Provost for Information Services (VPIS).

The Vice Provost for Information Services (VPIS) is responsible for developing institutional policies and instituting programs to ensure the security, integrity, and availability of the university’s information systems and assets. The VPIS reports to the Provost on such matters.

The Chief Information Security Officer (CISO) serves as Director of the Office of Information Security and is responsible for:

  1. ensuring that institutional policies, procedures, and standards related to information security are implemented, maintained, and enforced;
  2. coordinating the institution’s response to information security incidents;
  3. promoting training and awareness of the secure use of information, computing, and network resources; and
  4. managing and assessing the information security operations of the institution.

The Data Governance Council, appointed by the Provost and advisory to the VPIS, reviews and recommends policy and procedure for managing the data of the university. Where information is shared amongst systems, the Data Governance Council will recommend processes to the VPIS.

Deans, Vice Presidents, Vice Provosts and Department Heads are responsible for:

  1. promoting understanding of and compliance with university data management, classification, and incident response policies within their units; and
  2. ensuring that adequate technical and procedural means and resources are in place to maintain the prescribed standards of care within their units.

Data systems administrators are responsible for ensuring that:

  1. any system containing university data is appropriately secured;
  2. the appropriate use of information systems;
  3. permissions are managed appropriately to conform to university policy; and
  4. all legal and compliance requirements are met.

Data stewards are responsible for:

  1. ensuring, within their units, compliance with federal and state laws, rules, and regulations, university policies and procedures, and contractual obligations regarding the release of information to non-university entities;
  2. supporting the use of data to conduct university business;
  3. supporting appropriate practices for data use and data quality, and developing business processes that ensure the accuracy of data;
  4. recommending and implementing appropriate information access procedures;
  5. ensuring the accuracy of university data within their area of defined responsibility;
  6. defining processes for the collection and storage of data; and
  7. recommending appropriate levels of training for access and use of information under their stewardship by relevant staff.

All members of the OSU community, including employees, students, and business partners, must:

  1. comply with university policies, procedures, and guidelines associated with information security;
  2. meet or exceed the minimum safeguards as required by university policy;
  3. comply with handling instructions for data as provided by university policy and procedures;
  4. report unauthorized data access, data misuse, or data quality issues to their supervisor, the appropriate data steward, or the Office of Information Security; and
  5. complete training on the appropriate use and protection of university data, as required by the university.

Data Access

 

Oregon State University is the owner of all institutional data available in all-types of university electronic storage systems. An individual’s access to university data is on a need-to-know basis, having access to information necessary for performing business functions. There are two central systems for accessing university data and information:

Administrative data systems

The need for access to university Administrative Data Systems is generally identified in an individual’s job description. Requests for systems access is through completion of the Request for Access form. This form covers access requests for student, human resources and finance information systems.  

CORE 

OSU's Cooperative Open Reporting Environment (CORE) system provides a uniform reporting platform for the university community. Access to CORE is an automatic assignment-based process determined by an employee’s position classification or job profile. Security (access) Levels for all positions to Data Areas were defined by the university’s Data Stewards with an incorporation of overrides based on individual Banner access security groups. However, access to Student Data beyond the default, requires completion of the Registrar’s Student Data Request for Access form. To learn more about the CORE assignment-based access, see CORE Access and Security.

Other Systems

In addition to these central data sources, there are various cases where a college or business unit may have need for institutional data within their business units. There are many considerations and responsibilities that accompany this type of data access. An overview of the process and related resources are presented below. 

Data Governance

 

OUR MISSION

To enable data-driven decision making campus-wide by balancing the security and privacy of data and the availability of data. 

 

PURPOSE AND VISION

In aligning with the priorities established for Oregon State University, the mission of the Data Governance Program is to allow for and facilitate campus-wide data-driven decision making.

The program seeks to:

  • Identify what data sources exist today and/or what data sources OSU should capture
  • Define who within OSU is responsible and accountable for the management of that data

 

GOALS AND OBJECTIVES

OSU strives to be a data-driven university, giving members of the community immediate access to information that allows informed decisions, planning and action.

We must balance an environment of university-wide access to data and information while ensuring the security and appropriate use.

There should be a single truth so that all parts of the university are using the same references.

 

PRINCIPLES

Data is a strategic asset of the university, but only to the extent that it is available, accurate and actionable.

All data and information are owned by the university.

We will trust our employees, and also have the highest expectations for appropriate use and care of data.