1 PURPOSE
This standard shall establish the requirements and define the processes that apply when a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û entity or non-community member seeks access to or disclosure of any electronic information that can only be accessed using a specific community member's ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û credentials. Additionally, the standard specifies the circumstances under which information may be accessed and/or disclosed without the community member's consent.
2 SCOPE
This standard applies to:
• Requests for access to or disclosure of information stored in ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources accessible with a specific community member's ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û credentials or by the administrators of that resource.
• All information, both institutional and personal, that is captured, stored, processed, transmitted, or otherwise managed by a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resource.
• All community members, internal or external to ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û, seeking access to or disclosure of the information described in this standard; they are subject to the requirements and processes defined.
Note: Institution-specific data sharing policy covering research data exempts this Standard.
3 STANDARD
All information stored in ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources is considered the property of ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or one of its component institutions. ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û has a responsibility to protect the confidentiality, integrity, and availability of that information and preserve our community members' privacy. For this reason, access to institutional information stored in information technology resources is, by default, only provided where a legitimate business need exists and where the owners of that data have provided authorization.
Institutional information that is associated with a specific community member and that requires using their ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û credentials to access accounts will be referred to as password-protected information for the remainder of this standard. This includes access to community members' accounts, ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û technology resources, and activity while accessing ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û technology resources.
×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û may access or disclose password-protected information without user consent only under the limited circumstances described in this standard.
3.1 Password-Protected Information Request Types
There are eleven distinct types of requests for password-protected information:
- Subpoena, court order, search warrant, or another legal requirement
- Legal Hold (to preserve data)
- Conduct Investigation
- Freedom of Information/Right-to-Know Request
- Personal Information for a deceased community member
- Life & Safety Event
- Academic honesty investigation
- Cybersecurity investigation
- Regular information technology resource operations
- Request to delete/takedown publicly accessible content belonging to another community member
- Mission-critical business continuity
3.2 Subpoena, Court Order, Search Warrant, or Other Legal Requirement
All requests for password-protected information arising from a legal process, including subpoenas, court orders, search warrants, government investigations, or litigation, shall be referred to the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û General Counsel's Office (GCO) before any action is taken.
3.3 Legal Holds
Legal holds, which preserve a snapshot of specific records indefinitely but do not involve a search of those records, shall be referred to the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û GCO before taking action. Only members of the GCO shall access information preserved under a legal hold.
3.4 Conduct Investigations
Access to password-protected information related to a Human Resources (HR), Title IX Office, or Student Conduct Office investigation shall be referred to the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û GCO for review before any action. Access to the information requested as part of an HR conduct investigation can only be given to HR personnel, the Director of the Title IX Office, the Director of the Student Conduct Office (as applicable), or the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û GCO.
3.5 Freedom of Information Act/Right to Know Requests
Members of the public can request and receive certain types of institutional information of public record under the Freedom of Information Act (FOIA) or Right to Know (RTK). In some circumstances, these requests include password-protected information, requiring the assistance of Enterprise Technology & Services (ET&S) to fulfill. Before any action, FOIA and RTK requests shall be referred to the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û GCO to determine the legitimacy and legality of the request. FOIA and RTK requests are not considered confidential. ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community members whose password-protected information is included in the target of a FOIA or RTK request shall be notified via e-mail using their institutional e-mail address prior to the search. As ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û is legally required to fulfill these requests, community members' consent is not applicable. NOTE: Student e-mail is not considered a public record for these purposes.
3.6 Access to Personal Information for Deceased Community Members
In circumstances where information contained in password-protected accounts associated with a deceased community member is requested, a request shall be made in writing to Cybersecurity Governance, Risk, and Compliance (GRC) that specifies the following:
- Name of the community member
- Name of the requester
- The request for specific information may include search terms, e-mails sent to specific addresses, etc.
- The relationship of the requester to the deceased community member
Only the executor of the estate or the next of kin will be granted access to a deceased community member's information. Documentation is required to establish this relationship. The ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û GCO shall review and validate the legality of this documentation prior to any action. The ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û GCO and HR will authorize or decline the release of information.
Once the ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û GCO authorizes ET&S to provide the requested information, Cybersecurity GRC shall coordinate the provision of the information with the appropriate ET&S service lines. Cybersecurity GRC may require a management review of the appropriate administrative, academic, or business unit before releasing information.
Information provided to the community member’s executor or next of kin shall be restricted to the specific information approved by the GCO. No direct access to ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources or ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û user credentials will be granted to the requester.
3.7 Access to Information Related to an Ongoing Event Impacting Life & Safety
In the event of an incident with potential life and safety considerations, ET&S shall be empowered to provide all available information that might, in the opinion of the emergency response team, help preserve life and safety. The following individuals shall have the power to authorize this kind of emergency access and use:
- Chief Information Officer
- Chief Information Security Officer
- Institutional Chief Operations Officer
- Institutional Chief of Police
- Institutional CEO
Emergency access and use of password-protected information shall utilize the least intrusive means to obtain only the information necessary to assess and resolve the emergency. The authorizing individual should weigh the need for access/use against other ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û or institutional concerns, including academic freedom, personal privacy, and integrity of institutional operations, and determine if the need for emergency access and use outweighs countervailing considerations.
The aforementioned leaders may verbally provide authorization for emergency access to the ET&S emergency response team member during an event. The authorizing ET&S member, Institutional CEO, or COO shall notify the appropriate institutional Chief of Police or Campus Safety director (if not the authorizing entity) of the emergency action taken.
The ET&S representative shall document the authorization and act as the primary point of contact for the emergency response team for the duration of the event.
3.8 Access to Information Related to an Academic Honesty/Integrity Investigation
In circumstances where a faculty member suspects a violation of the institution's policy on academic honesty or integrity has occurred, they may request ET&S to assist the investigation by providing information regarding information technology resource usage. Resources may include but are not limited to network activity, application access, and activity.
Faculty shall submit requests for this type of information to ET&S in writing and require sign-off from either an Associate Dean, Dean, or the Registrar. ET&S shall treat this request as confidential and maintain an audit trail that includes the initial request and academic leadership sign-off.
Faculty members and academic departments making the request shall ensure the completion of all requirements defined in the relevant institution's policy. Requirements include but are not limited to a notification to students and/or academic leadership and making any determinations about suspected violations and penalties.
Note: There are limits to the information available to ET&S. Requests will be met where possible and practical.
3.9 Access to Information Related to a Cybersecurity Incident Investigation
In a declared cybersecurity incident, individuals within ET&S may require access to information, including password-protected information that exceeds the access those individuals would normally be granted to perform their assigned roles. In these circumstances, a Cybersecurity & Networking (CS&N) team representative shall submit a written request to Cybersecurity GRC. The Chief Information Security Officer (CISO) or Chief Information Officer (CIO) shall approve the request.
This request shall be considered confidential and not be discussed or shared with anyone outside the designated Incident Response Team or CS&N leadership. Community members whose password-protected information is included in this request shall not be notified or asked for consent to preserve the confidentiality of the incident investigation. Access granted shall be limited to the minimum information necessary
4.0 Access to Information During Regular Information Technology Resource Operations
×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources require operational management and ongoing maintenance to ensure proper operation, the deployment of software or hardware updates, and adherence to regulatory and contractual obligations. Accordingly, to perform this work, ET&S-approved vendors and other authorized individuals may access password-protected information, solely for these purposes, without user consent or notification.
During this kind of access, ET&S personnel may observe password-protected information. Except as provided elsewhere in this standard, ET&S personnel are not permitted to seek out password-protected information that is not germane to the specific information technology resource operations and support activities being performed. Any unavoidable examination of password-protected information shall be limited to the minimum required to perform such duties. ET&S personnel are not exempt from the prohibition against personal or confidential information disclosure.
In their duties, ET&S personnel may inadvertently discover or suspect violations of law or ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û policy listed. In that case, they may preserve the data and report such violations using the appropriate reporting mechanism for the violation observed.
4.1 Request to Take Down Publicly Accessible Content
A ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û entity may submit a request for access to password-protected information to remove publicly accessible content belonging to another community member. The community member should first attempt to reach a takedown agreement with the account owner serving the content. In cases wherein an agreement is not reached, Cybersecurity GRC will submit a petition to the content owner for removal on behalf of the requester. If consent is not granted, Cybersecurity will consult with the GCO and proceed with the request as deemed appropriate.
Note: The DMCA Compliance Standard addresses takedown requests related to copyrighted material.
4.2 Access to Password Protected Information for mission-critical business continuity
Individuals may need access to information associated with an account to support mission-critical services.
Examples may include:
- Post-separation business continuity
- A faculty member requesting access to another faculty member's course in a learning management system
- A supervisor requesting access to a team member's e-mail account while that person is out on leave
If a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û entity identifies a legitimate need to access the password-protected information of a ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û community member, every effort shall be made to obtain the information from the individual. However, if the direct transfer of information is not possible, a supervisor or an individual in the leadership hierarchy of the community member shall submit the request. The written consent of the community member is the preferred mechanism for approval. However, if consent is not available, written authorization from an appropriate institutional Vice President shall be required.
ET&S - Identity & Access Management (IAM) shall administer and facilitate these requests as outlined in this standard's roles and responsibilities section.
Access request requirements and limitations:
- A specific business need shall accompany the request; the IAM team may deny submissions lacking a legitimate business purpose
- The request shall name specific individual(s), and any access granted will be limited to the named individuals.
- Access granted shall be limited to the minimum password-protected information necessary to address the business need.
- Successfully granting access does not alter or modify any intellectual property or content ownership rights addressed in other ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û and/or institutional policies or contracts.
- Requests granting access to e-mails or documents contained in the account of a former employee who is also an active or prior student shall be limited to specific terms.
4.3 Special Notice Regarding Personal Information
All information processed through or stored on institutional information technology resources (e.g., enterprise e-mail, cloud storage) is subject to discovery in legal proceedings and requests under the Right to Know Act. ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û advises community members that information they might consider private can be legitimately accessed or disclosed under any of the above-mentioned circumstances. Any personal information stored on ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û information technology resources is subject to disclosure.
4.4 Transparency and Traceability
Anytime access to or disclosure of password-protected information requiring the involvement of ET&S is approved without community member consent, a record of that access or disclosure shall be created that includes, at a minimum, the following:
- The type of password-protected information requested
- A description of the password-protected information that was accessed or disclosed
- The justification for the access or disclosure
- The designated approver(s) name(s)
- Documentation supporting all required approvals
- Any notifications sent to the community member
These records shall be collected and maintained by Cybersecurity GRC under the oversight of the Chief Information Security Officer (CISO) for seven years.
DOCUMENT HISTORY
- Drafted: R Boyce-Werner, AUG 2020. v01
- Revision History, ×î¿ì¿ª½±Ö±²¥½ÁÖé½á¹û Cybersecurity GRC Standards Committee, APRIL 2023, v02
- Revised formatting, K SWEENEY 13 FEB 2024
- Revised formatting, K SWEENEY, 30 MAY 2024
- Reviewed by: Dr. David Yasenchock, Director Cybersecurity GRC, DEC 15, 2021, v02
- Approved by: Thomas Nudd, Chief Information Security Officer, DEC 21, 2021, v02