College of Veterinary Medicine Information Security Policies

Updated March 2, 2008

"...safeguarding sensitive information is a responsibility that we must all share."
-- Joseph A. Alutto, Keynotes, 2/26/2008

The College of Veterinary Medicine has established three policies related to the security of our computing resources: Required Data Policy Training, Management of Restricted Data, and Backing up Data. Any questions regarding these policies should be addressed to the CVM Director of Information Technology, Don Krueger, Don.Krueger@cvm.osu.edu.  The University leadership is adamant about pursuing the goal of no security breaches in the future; we must do our part in this campaign. Thank you for your attention to these critical initiatives.

Data Policy Training

The Dean and Chairs are asking all College of Veterinary Medicine faculty and staff to take the Institutional Data Policy Training course by March 23, 2008. The web site to access the training is: http://buckeyesecure.osu.edu/Policy/InstitutionalDataTraining.

Management of Restricted Data

To greatly reduce the likelihood of a security breach within the College of Veterinary Medicine, the following policy measures are in place for managing restricted data:

• No restricted data can reside on personally-owned computing equipment.
• No restricted data can reside on any portable devices, such as laptops, external drives, PDAs, smart phones, and USB flash drives. All exceptions must be approved by the Dean and Director of IT prior to doing so, and an exception if made only applies to University-owned devices.
• No external service providers, colleagues or agents can store or use OSU restricted data without a contractual agreement that they provide the same security standards as the University. Restricted data must be identified and managed.

The most common question asked is: "What is restricted data?" This exactly why all faculty and staff need to take the Institutional Data Policy course referenced above. There is no simple answer to this question and that is one reason why all faculty and staff are being asked to take the Institutional Data Policy course. We are all required know what are public data, limited access data, and restricted data as defined by the University, and how to protect information. In addition, much of the restricted data that resides within the College may not reside on computers, but are in printed documents, printed spreadsheets, CDs, DVDs, and so forth. The training discusses these data sources and how to protect the information (identification, retention, and storage requirements.)

Backing up Data

Faculty, staff and students should backup their data at least once a week to minimize data loss in the event of a hardware failure. It is recommended that they always manually check to make sure the backup actually took place. VIS Help, 2-4146, should be contacted if there are any questions about system backups.

FAQs

Q. Why do I have to take the Institutional Data Policy Training course; I don't think I even have access to restricted data?

A: The University and College leadership feel it is essential that all employees of OSU have a base level of knowledge about how to responsibly use and protect our data resources. A single breach could negatively impact both our College's finances and its reputation. We must do all we can to educate ourselves so that we all take data security seriously.

Q: I attempted to take the Institutional Data Policy Training course by clicking on the link you provided, but was unable to do so.

A: Please contact carmen@osu.edu or call 8HELP.

Q: Who can I contact with questions about protecting data and devices?

A: You can call VIS Help at 2-4146.

Q: What if I suspect a data breach has occurred, i.e., I believe restricted data may have been compromised?

A: Contact the CVM Director of IT, Don Krueger, Don.Krueger@cvm.osu.edu, 7-4346, immediately. Data breaches vary in type and magnitude as do the responses to data breaches. Contacting the IT Director immediately will enable the College and University to respond quickly and appropriately to any potential data breach.