Aamusted University Data Security Policies
Section 1: PURPOSE
Data security is of paramount importance at Aamusted University, and these policies are established to safeguard sensitive information, uphold privacy, and maintain the integrity of the university’s data assets. Adherence to these policies is essential to mitigate risks associated with unauthorized access, disclosure, or loss of data.
Section 2: DATA CLASSIFICATION
2.1 Sensitive Data:
– Sensitive data, including personally identifiable information (PII), financial records, and research data, must be identified and classified.
2.2 Data Ownership:
– Clear ownership of data must be established, ensuring accountability for its protection.
Section 3: ACCESS CONTROL
3.1 User Access:
– Access to sensitive data is granted based on job responsibilities and the principle of least privilege.
– Regular access reviews are conducted to ensure appropriateness and relevance.
3.2 Authentication:
– Multi-factor authentication is required for access to sensitive systems and data repositories.
Section 4: DATA TRANSMISSION AND STORAGE
4.1 Encryption:
– Sensitive data transmitted over the network must be encrypted to prevent interception.
– Data at rest must be stored in encrypted formats.
4.2 Secure File Transfer:
– Secure methods, such as secure FTP or encrypted email, must be used for transferring sensitive data.
Section 5: DATA RETENTION AND DISPOSAL
5.1 Data Lifecycle:
– Define and adhere to data retention schedules based on legal, regulatory, and business requirements.
5.2 Secure Disposal:
– Implement secure methods for the disposal of data, including shredding physical documents and secure wiping of electronic storage.
Section 6: INCIDENT RESPONSE AND REPORTING
6.1 Security Incidents:
– Establish a protocol for promptly reporting and responding to security incidents.
6.2 Breach Notification:
– In the event of a data breach, a clear process for notifying affected parties, regulatory bodies, and relevant stakeholders is in place.
Section 7: SECURITY AWARENESS AND TRAINING
7.1 Training Programs:
– Regular security awareness training is mandatory for all staff and faculty members.
– Specialized training is provided to personnel handling sensitive data.
Section 8: COMPLIANCE AND AUDITING
8.1 Regular Audits:
– Conduct regular audits to assess compliance with data security policies.
– Address any identified vulnerabilities promptly.
Section 9: POLICY REVIEW AND AMENDMENT
9.1 Review Cycle:
– These policies will be periodically reviewed by the Office of Information Technology and the CIO.
9.2 Amendment Process:
– Amendments to these policies will be proposed based on evolving security threats, technological changes, and legal or regulatory requirements.