Policy Overview

What is the purpose of this policy?

This policy aims to improve data access, accuracy, and integrity, while applying appropriate security controls and protection to manage risk. It contains definitions for different types of university data, guidelines for accessing and responsibly using that data, and instructions about what to do in the case of a data compromise. In order to protect university data, the policy establishes a framework to allow the university to comply with all federal and state laws, regulations, and policies pertaining to data management, classification and incident response.

Why does OSU have this policy?

This policy exists because of the critical role that data plays in the 21st century university. Much of the data that the university owns is protected by law; it is vital that OSU manage the data in a way that maximizes utility while minimizing risk.

Who is this policy for?

This policy applies to all university units, employees, students, visitors, contractors, and affiliates, and anyone who produces, manages or accesses university data.

Data Classifications

All university data carries one of three classifications that dictate access and use. These are Unrestricted, Sensitive and Confidential. Each classification has its own set of instructions and requirements for the access, use, and care of the information.

Learn more about data classifications and storage.

Data Access

Access to data is key to making informed decisions that enhance student success and to meeting the goals of the university.

Accessing and maintaining data.

Roles and Responsibilities

The President of the university has ultimate oversight responsibility and authority over institutional provisions for data management, classification, and incident response.

The Provost is the Data Trustee for the university, and, as delegated by the President, has the authority for all decisions regarding data usage and classification for university business. The Provost approves information management and security policies proposed by the Vice Provost for Information Services (VPIS).

The Vice Provost for Information Services (VPIS) is responsible for developing institutional policies and instituting programs to ensure the security, integrity, and availability of the university’s information systems and assets. The VPIS reports to the Provost on such matters.

The Chief Information Security Officer (CISO) serves as Director of the Office of Information Security and is responsible for:

  1. ensuring that institutional policies, procedures, and standards related to information security are implemented, maintained, and enforced;
  2. coordinating the institution’s response to information security incidents;
  3. promoting training and awareness of the secure use of information, computing, and network resources; and
  4. managing and assessing the information security operations of the institution.

The Data Governance Council, appointed by the Provost and advisory to the VPIS, reviews and recommends policy and procedure for managing the data of the university. Where information is shared amongst systems, the Data Governance Council will recommend processes to the VPIS.

Deans, Vice Presidents, Vice Provosts and Department Heads are responsible for:

  1. promoting understanding of and compliance with university data management, classification, and incident response policies within their units; and
  2. ensuring that adequate technical and procedural means and resources are in place to maintain the prescribed standards of care within their units.

Data systems administrators are responsible for ensuring that:

  1. any system containing university data is appropriately secured;
  2. information systems are used appropriately;
  3. permissions are managed appropriately to conform to university policy; and
  4. all legal and compliance requirements are met.

Data stewards are responsible for:

  1. ensuring, within their units, compliance with federal and state laws, rules, and regulations, university policies and procedures, and contractual obligations regarding the release of information to non-university entities;
  2. supporting the use of data to conduct university business;
  3. supporting appropriate practices for data use and data quality, and developing business processes that ensure the accuracy of data;
  4. recommending and implementing appropriate information access procedures;
  5. ensuring the accuracy of university data within their area of defined responsibility;
  6. defining processes for the collection and storage of data; and
  7. recommending appropriate levels of training for access and use of information under their stewardship by relevant staff.

All members of the OSU community, including employees, students, and business partners, must:

  1. comply with university policies, procedures, and guidelines associated with information security;
  2. meet or exceed the minimum safeguards as required by university policy;
  3. comply with handling instructions for data as provided by university policy and procedures;
  4. report unauthorized data access, data misuse, or data quality issues to their supervisor, the appropriate data steward, or the Office of Information Security; and
  5. complete training on the appropriate use and protection of university data, as required by the university.