FAQ - Need Help?

What are Cybersecurity Policies?

Cybersecurity Policies are a formal set of rules issued by an organization to ensure all authorized users of information technology resources and assets comply with rules and guidelines. Security Policies can provide additional benefits to an organization as well:

  • Allows for policy consistency across an organization. Policies should be clear, concise, and leave no room for interpretation.
  • Details and upholds discipline and accountability. Policies should inform users of their responsibilities, including what they can and cannot do while using an organization's technology resources and assets. They should also outline the disciplinary actions for violating policy.
  • Helps to educate users on security.

If policies set the rules and expectations for use of information technology resources and assets, then what are Security Standards?

Security Standards provide the methods, guidelines, and references to frameworks that make policy implementation consistent and efficient. They establish a common language and contain technical specifications or other criteria, with the goal of improving the security of information technology.

When do new policies come into enforcement?

Policies are considered living documents and should be reviewed at least annually. This gives Information Technology staff and other stakeholders an opportunity to update documentation when necessary. There should always be an announcement to interested parties when a new policy is published or an existing policy has been revised, including details such as where to locate the policy and the date it comes into enforcement.

What if our current processes are not in compliance, or we expect a process will not be compliant with a new policy?

While we ask all business units to make reasonable efforts to comply with policies and standards, we understand there are situations where 100% compliance may not be possible. If your group has a process or system which cannot comply with USNH policies or standards, we ask that you contact the Cybersecurity GRC group to assist with an exception.

We need an exception. How do we start the process?

You can email the Cybersecurity GRC group at Cybersecurity.GRC@usnh.edu or submit a ticket via TeamDynamix.

We have an exception, now what?

Exceptions are not meant to be a set-and-forget solution. Rather, exceptions should be reviewed annually to determine whether updates are required, since processes and systems often change.

Who can we contact for more information regarding policies, standards, exceptions, or simply to ask a question?

Please reach out to Cybersecurity.GRC@usnh.edu with any questions you may have.

What is a Security Review?

The Security Assessment Review (SAR) process, administered by Cybersecurity Governance, Risk, and Compliance (GRC), is required whenever institutional information classified as anything other than Public will be captured, stored, processed, transmitted, or otherwise managed by a third party (e.g., vendor, service provider). Reviews can also be performed if requested by the relevant data steward, Service Line Leaders (SLL), the Chief Information Security Officer (CISO), or the Chief Information Officer (CIO).

Information classification types are identified in the USNH Information Classification Policy.

Why is a Security Review necessary?

When USNH information is captured or stored in non-USNH information technology resources, stored in non-USNH facilities, or handled by non-USNH persons, it is subjected to unknown risks. Those who are responsible for appropriate handling of such information must understand what type of information is involved, what level of protection it requires, what the risks are to the information, and how those risks will be mitigated.

The USNH Security Assessment Review (SAR) process assists in identifying the risks associated with information being placed into non-USNH information technology resources or handled by non-USNH persons. The key factor used to assess risk in these circumstances is the institutional information that will be captured, stored, processed, transmitted, or otherwise managed by a third party.

What Documentation is needed from the vendor?

USNH uses the HECVAT (Higher Education Community Vendor Assessment Tool), developed and maintained by Educause, as the basis of its security assessment review program. Often we work with vendors who engage with other higher education institutions and may have previously completed the HECVAT, which we will accept if it is a recent version (v2.10, v2.11, or v3.0). More information can be found on the .

We will also accept a SOC 2 Type 2 Report in lieu of the HECVAT. A SOC 2 Type 2 report is a third-party assessment of a company’s safeguards and controls used to protect customer data over a given time frame.

We may also request that the vendor provide additional documentation to assist with our review, including but not limited to:

  • Information Security Policy
  • Disaster Recovery Plan
  • Business Continuity Plan
  • Privacy Policy
  • Terms and Conditions

What determines which HECVAT the vendor should complete?

There are two versions of the HECVAT: the HECVAT Full and the HECVAT Lite. Any third-party product that will capture, store, process, transmit, or otherwise manage RESTRICTED information must complete the HECVAT Full. Simple engagements and LTIs that will integrate into Canvas can use the HECVAT Lite as long as there is no financial transaction processing.

When should the documentation be obtained from the vendor?

As early in the procurement/implementation process as possible. However, we understand vendors may not provide this information to the institution before a contract or agreement is in place. If there is a contract or agreement, we request an opportunity to review any language pertaining to information security. Upon reviewing the contract, we reserve the right to request the addition of the USNH Data Security Addendum if we determine it is in the best interest of USNH.

How can I request a Security Assessment Review?

You can request a review by submitting a ticket - .

The requested documentation has been submitted for a review. What happens next?

Once we receive a completed HECVAT and the supplement, we will begin our review. During this time we will identify any concerns, questions that may need more information or clarification, or the need for additional documentation from the vendor. Once our initial review has been completed, we will provide feedback to the business unit, which may include requests for more information if necessary.

Who should I contact if we have questions regarding a Security Review?

If there are questions regarding a Security Review, please contact:

  • Kelly Sweeney - Cybersecurity GRC Analyst
  • Tomi Gibson - Cybersecurity GRC Analyst
  • Dr. David Yasenchock - Director, IT Governance, Risk, and Compliance
  • Tom Nudd - CISO
  • Cybersecurity.GRC@usnh.edu

Enterprise Technology & Services (ET&S) recognizes that there are times when business needs, academic activities, and/or research project requirements make it impossible or impractical to comply with the established Technology/Cybersecurity Policies & Standards, and understands that there are circumstances where exceptions must be allowed.

Exceptions are temporary exemptions from Policy or Standard compliance.

Some examples of exceptions are:

  • Use of software that requires a device running an old operating system
  • Processes involving community members or administrators sharing accounts
  • Servers or other information technology resources with vulnerabilities that cannot be fixed because of extenuating circumstances
  • Business processes that cannot meet requirements because of resource constraints

The exception process, defined in the Cybersecurity Exception Standard, provides members of the USNH community with a single point of contact to request exceptions to all Technology/Cybersecurity Policies & Standards. Requiring documented exceptions enables Cybersecurity & Networking to better manage cybersecurity risk across all USNH institutions.

To request an exception, submit a ticket via TeamDynamix and provide as much of the information below as possible:

  • The Policy or Standard for which the exception is being requested
  • Business reason or justification explaining why an exception is needed
  • Administrative, academic, or business unit requesting the exception
  • Head of the requesting unit
  • Why compliance is not possible (e.g., the total cost to comply with the Policy or Standard, or the negative impact to USNH community members, including an estimate of the number of community members that may be negatively impacted)
  • List of the business units, business processes, information technology resources, and institutional information to which the exception applies
  • How long the exception will be needed

Requests for exceptions are handled by Cybersecurity Governance, Risk, & Compliance (GRC). When a request is submitted, a ticket is created which allows the requester to view the status of the request and communicate directly with the Cybersecurity GRC team in the .

Submit an exception request ticket via the

The ticket will include the fields highlighted in the USNH Risk Exception Form (downloads a Word document). Please provide as much information as possible. If you have any questions, contact Cybersecurity GRC.

Ever had one of your emails reported to IT as a phishing attempt? Has Microsoft incorrectly tagged your email as spam? This document provides tips on how to draft an email you can feel confident about sending to coworkers.

How to Prevent Your Emails from Being Reported as Spam or Phishing

Enterprise Technology & Services (ET&S) places significant value on our ability to establish and maintain a trusted relationship with the USNH community. In order to maintain that trust, it is essential that all ET&S employees, sponsored users, and student workers understand their responsibilities in relation to maintaining the confidentiality, integrity, and availability of University System of New Hampshire (USNH) institutional information and information technology resources and protecting the privacy of each individual community member.

The purpose of this agreement is to codify the responsibilities of all ET&S employees, sponsored users, and student workers for maintaining the confidentiality, integrity, availability, and privacy of institutional information and information technology resources. The following agreement is between you and USNH, on behalf of its component institutions.

The full agreement can be reviewed here - USNH ET&S Confidentiality Agreement

The Higher Education Compliance Alliance has a Compliance Matrix that lists key federal laws and regulations governing colleges and universities. The matrix can be used for general guidance and is a tool to help understand different regulatory requirements.

HIPAA information is classified as Restricted information at USNH (review the USNH Information Classification Policy for more information on classifications). Sharepoint and Teams can store this type of data when properly configured. If you require a HIPAA compliant Sharepoint or Teams location, t to the Office 365 team.

NEVER store Restricted information on Sharepoint or Teams without first consulting the Office 365 Team.

Additional information on .


USNH, Zoom, and HIPAA compliance - USNH has entered into a Business Associate Agreement (BAA) with Zoom Video Communications for use of their Zoom web conferencing platform for healthcare-related needs under HIPAA. Zoom provides a secure, encrypted communications platform for all uses. The BAA allows USNH to use Zoom in ways that meet the specific requirements that exist for handling electronic healthcare records.

For individuals or departments with a HIPAA approved Zoom account, all recording functions will be disabled and locked. Users will not be able to use Zoom for any recording purposes. This applies to all meetings set up by anyone with a HIPAA compliant Zoom account. Never use Kaltura or other tools to record Zoom meetings where HIPAA information is present.


Questions? Contact Cybersecurity.GRC@usnh.edu

How to register for the USNH Cybersecurity Training

  1. To access the USNH Online Learning Center, go to the .

  2. Access your course Catalog by clicking on the blue Catalog box on the right side of the screen.

(screenshot: Catalog box)

  3. Search for courses in the top right-hand corner of the catalog by using the “search catalog” function.

(screenshot: search catalog)

  4. Search for the USNH Cybersecurity course by:

     Course ID: CS1

     OR

     Title: USNH Cybersecurity Fundamentals

  5. Click on the Course ID or Title to be taken to the main course page.

  6. Click on the orange “Take Course” button in the top right-hand corner to begin the training.

(screenshot: Take Course button)

Protection of Common Data Elements

University data is often characterized by category or use of the data and then classified in accordance with the legal or contractual controls placed on it. However, data elements within compliance programs often warrant different levels of protection. While some data elements pose little risk and require no special protection, inappropriate handling of other data elements might result in criminal or civil penalties, identity theft, and/or personal or organizational loss.

This table identifies some common data elements by category and the associated classification. These categories are subject to change based on University policies, guidelines, and changes to local, state, or federal law. When using this table, consider:

  1. Not all data elements are listed. Absence of a data element does not mean that it requires no protection.

  2. Quantity/amount of data must be considered. One thousand records of one data element may have more value together than one record of an element with a seemingly higher protection factor.

  3. Combinations of data elements can increase the value. For example, the Family Educational Rights and Privacy Act (FERPA) identifies Personally Identifiable Information (PII) as information that can identify a person even though the name may not be given.

Personnel Information (Human Resources)

Personnel Information Elements – Information Classification

  • Social Security Number (SSN): Restricted – NH Data Privacy Act (when combined with a name or other uniquely identifiable personal information).
  • Driver’s License Number: Restricted – NH Data Privacy Act (when combined with a name or other uniquely identifiable personal information).
  • State Identification Number: Restricted – NH Data Privacy Act (when combined with a name or other uniquely identifiable personal information).
  • Genetic Information: Restricted – Genetic Information Nondiscrimination Act (GINA). Information must be safeguarded as health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Disability Status: Restricted
  • Military Disability Status: Restricted
  • Ethnicity/Race: Protected
  • Gender Status: Protected
  • Name: Public
  • Date of Birth (DOB): Protected
  • Employee Identification Number (EMPLID): Sensitive – An EMPLID is not considered Restricted or Protected Data and is not afforded special protection. EMPLIDs uniquely identify staff and faculty members without using Restricted Data such as SSNs. Routine shared use of EMPLIDs is sometimes necessary for university functions. Share EMPLIDs only with those who have a reason to use them. Combinations of information increase the value of data; EMPLIDs used in combination with name or DOB increase the security risk.
  • Home Address: Protected – Not releasable by State Statute.
  • Home Phone Number: Protected – Not releasable by State Statute.
  • Work Address: Public – Not protected by any legal or contractual controls.
  • Work Phone Number: Public – Not protected by any legal or contractual controls.
  • Business Email Address: Public – Not protected by any legal or contractual controls.

Payroll Information

Payroll Information Elements – Information Classification

  • Social Security Number, Bank Information (routing/account numbers): Restricted – NH Data Privacy Act and Gramm-Leach-Bliley Act (GLBA)
  • Salaries: Not Protected – Not protected; public only through official channels.
  • Work Study Awards: Sensitive – Protect this information as it is indicative of financial need. Some work study is non-need based and does not require protection.
  • Employee Verification (i.e., salaries): Not Protected – Human Resources (HR) will only verify what the Bank or Third Party was told by the employee.

Protected Health Information (PHI)

Protected Health Information (PHI) Elements – Information Classification

  • Past, present, or future physical or mental health or condition of an individual: Restricted – HIPAA – If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information. The HIPAA Privacy Rule lists 18 identifiers that are not to be used with a health record.
  • Provision of health care to an individual, including past, present, or future payment for the provision of health care to an individual: Restricted – HIPAA – If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information. The HIPAA Privacy Rule lists 18 identifiers that are not to be used with a health record.
  • Identifiers – the 18 specific identifiers named by the HIPAA Privacy Rule (includes such information as name, geographic information, dates, contact information, medical record and account numbers, biometric identifiers, photos, and any other uniquely identifying number, characteristic, or code): Restricted – HIPAA – Those working with protected health information need to be familiar with the identifiers as listed by the HIPAA Privacy Rule and protect them accordingly. These identifiers by themselves may not be restricted data, but when associated in any way with the Personal Health Information elements listed above, they are restricted under HIPAA.

Student Data (Registrar)

Student Data Elements – Information Classification

  • Social Security Number (including historical student identification number when it was SSN): Restricted – NH Data Privacy Act & FERPA (when combined with a name or other uniquely identifiable personal information).
  • Driver’s License Number: Restricted – NH Data Privacy Act & FERPA (when combined with a name or other uniquely identifiable personal information).
  • State Identification Number: Restricted – NH Data Privacy Act & FERPA (when combined with a name or other uniquely identifiable personal information).

The following elements are considered Directory information:

  • Name
  • Address
  • Phone Number
  • Date of Birth
  • Class Level
  • Dates of Attendance
  • Degree Awarded
  • Enrollment Status (full or part-time)
  • Honors and Awards
  • Program of Study
  • Most recent previous educational institution attended
  • Participation in sports and activities
  • Appropriate personal athletic statistical data
  • Email Address

Directory information classification: Protected or Unclassified – FERPA – This is not protected and can be openly shared unless the student has asked for it to be suppressed. Therefore, prior to any disclosure, one must check each student’s FERPA election to determine whether the student data may be disclosed.

The following elements are Protected – FERPA:

  • Academic Standing (i.e., probation, suspension, etc.)
  • Class Schedule
  • Degree Audit (including courses remaining to complete a degree)
  • Grade Point Average (GPA)
  • Grades
  • Transcript

Note: Students’ entire educational record is considered protected information under FERPA. For example, a class schedule includes information about any student taking a course.

  • Student Identification Number (EMPLID): Protected – FERPA – Unlike a staff and faculty member EMPLID, a student identification (ID) number is Protected Data and requires protection under FERPA. When a student worker’s EMPLID is used for employment, this EMPLID remains protected by FERPA. This ID number is not a personal identification number under the NH Data Privacy Act and is not protected by that law.

  • Information on former students – student records not including SSN or Driver’s License/State Identification Number:
    - Protected – FERPA – Educational records collected when an individual was a student are protected in accordance with FERPA for the life of the record.
    - Protected (FERPA) or Unclassified – Information that was collected as directory information when an individual was a student is not protected unless the student asked for it to be suppressed while the individual was a student.
    - Not classified by FERPA – Information about a former student (i.e., alumni information) collected after the student graduated.

Donor Information

Donor Information Elements – Information Classification

  • Social Security Number: Restricted – NH Data Privacy Act & GLBA
  • Bank Account Number: Restricted – NH Data Privacy Act & GLBA
  • Financial Account Information: Restricted – GLBA or Payment Card Industry Data Security Standard (PCI or PCI-DSS) – Not to be stored without specific permission.
  • Name: Protected – When associated with donation(s) not made public
  • Giving History (Amount/what donated): Protected – When associated with donation(s) not made public
  • Address: Protected
  • Telephone/Fax Numbers: Protected
  • Email: Protected
  • Employment Information: Protected
  • Family Information: Protected
  • Interests, Affiliations or Sports: Protected
  • Other donor info (e.g., Age, Sex, Degree Information): Sensitive

Payment Card

Payment Card Elements – Information Classification

  • Credit/Debit Card Number (Primary Account Number – PAN): Restricted – PCI-DSS & NH Data Privacy Act
  • Cardholder Name: Restricted – PCI-DSS & NH Data Privacy Act
  • Expiration Date: Restricted – PCI-DSS & NH Data Privacy Act
  • Service Code: Restricted – PCI-DSS & NH Data Privacy Act
  • Authentication data: Restricted – PCI-DSS – Never to be stored.
  • Card Verification Code or Value (CAV2/CVC2/CVV2/CID) Number: Restricted – PCI-DSS – Never to be stored.
  • Personal Identification Number (PIN/PIN Block): Restricted – PCI-DSS – Never to be stored.
  • Full Magnetic Stripe Data: Restricted – PCI-DSS – Never to be stored. See
  • Masked Credit/Debit Card Number (no more than first 6 and last 4 digits): Sensitive

Procurement

Procurement Elements – Information Classification

  • Pre-Award Contract Bids: Protected
  • Awarded Contracts: Sensitive/Public – Freedom of Access Act (FOAA) – subject to public record requests.
  • Purchasing Card (P-Card) Numbers: Protected – P-Card protection requirements differ from payment cards accepted by a university merchant activity. However, all credit card numbers are high-value theft targets.

Information Security

Information Security Elements (IT) – Information Classification

  • Authentication Credentials (such as a password, key, or token): Restricted – Requires the same protection as the level of information that is protected by those credentials.

The following elements are Generally Sensitive – May require the same protection as any information that could lead to unauthorized access at the level of information that is protected by a system:

  • Access & Authorization Information
  • Vulnerability Scanning Results
  • Risk Assessment Results
  • Intrusion Detection Alerts
  • Security Architecture & Design
  • Security Incident Response

Other Data

Other Data Types – Information Classification

  • Export Control Research: Restricted – International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR) – Specific elements not listed. Requires additional protection. Refer to the appropriate regulation.
  • Human Subject Research: Depends on the research – Common Rule (45 CFR 46.102(d))
  • Department of Defense (DoD) Controlled Unclassified: Restricted – Requires additional protection.