Electronic Security of Detroit Mercy Protected & Detroit Mercy Sensitive Data Policy

Scope:

This policy covers any data that has been classified as either Detroit Mercy Protected data or as Detroit Mercy Sensitive data and is stored electronically (covered electronic documents).

Purpose:

The purpose of this policy is to provide security practices for employees, student employees, consultants, or agents of the University of Detroit Mercy and any parties who are contractually bound to handle data produced by Detroit Mercy, who produce or have access to covered electronic documents.

Policy:

Additional precautions shall be used by any departments or individuals who have access to covered electronic documents. These additional precautions include:

Encryption

ITS provides and requires full disk encryption technology to protect all University managed computers identified during the compliance review as containing covered electronic documents.

Users who know that their computer will store covered electronic documents should, in accordance with Detroit Mercy’s Encryption Policy, contact the ITS Help Desk at helpdesk@udmercy.edu to request an installation of the full disk encryption software. ITS will provide training in using encryption software to the users of these systems.

Storage of Covered Electronic Documents

Users shall store covered electronic documents on approved network storage instead of local hard drives or any form of removable media. In cases of a granted exception, the computer must run a full disk encryption product provided by ITS.

Detroit Mercy Protected data must never be stored on unapproved media. Detroit Mercy Sensitive data can be stored for remote access upon permission of the department owning the data. The acceptable storage options for Detroit Mercy Sensitive data are listed below in order of preference:

  1. Networked storage
  2. University-owned laptop running approved encryption software
  3. Portable drive using approved encryption software
  4. CD/DVD/Disk saved as an encrypted file using approved encryption software

Passwords

The user shall protect any resources that house covered electronic data with a password. This password must meet or exceed the current ITS password standards described in the Password Standard Policy.

Limited access – At Detroit Mercy

All areas that contain computers storing covered electronic documents should only be accessible to employees, student employees, consultants, or agents of the University of Detroit Mercy who have a business need for access. Individuals not affiliated with the University of Detroit Mercy must not have unsupervised access. Department heads or their designee will work with Campus Safety to control access through either a physical key or a badge reader. Areas that cannot be locked cannot be used to house computers that store covered documents. Department heads or their designee will identify individuals who need to access these areas to perform their job function and will communicate the names of these individuals and their required access to Campus Safety. When leaving their desk in an area containing computers with access to covered documents, individuals shall either lock their computer or log off. Off-campus access requires the use of the University’s Virtual Private Network (VPN).

Limited access – Outside of Detroit Mercy

Non-Detroit Mercy spaces used by contracted third parties should only be accessible by individuals the contractor has approved to access covered electronic documents. All areas that contain computers storing covered documents must not provide unsupervised access to the public. Areas that cannot be locked cannot be used to house computers that store covered documents. When leaving their desk in an area containing computers with access to covered documents, individuals shall either lock their computer or log off.

Data Loss Prevention

The University has employed technologies designed to protect against the intentional or inadvertent transmission or sharing of covered electronic documents. These technologies protect the following services:

  • Email
  • OneDrive
  • Others may be added at the time of deployment

If an individual attempts to send or share any covered electronic documents using these services, the action will be logged and they will receive a notification stating why the content may violate University policy.

Any of the following actions may follow:

  • Action has been prevented
  • Content will be blocked
  • User will be provided an opportunity to justify the action
  • Content will be encrypted

Training

ITS and HR will make training materials available to all staff with access to covered electronic documents. These materials will cover all issues raised in this policy in greater detail.

Questions about this Policy:

If you have questions about this policy, please contact ITS at its@udmercy.edu.

Policy adherence:

Failure to follow this policy can result in disciplinary action as provided in the Student Handbook and Employee Policies & Procedures. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Exceptions:

Exceptions to this policy will be handled in accordance with the Acceptable Use & Security Policy.

Emergencies:

In emergency cases, actions may be taken by the Information Security Incident Response Team (ISIRT) in accordance with the procedures in the Incident Response Policy. These actions may include rendering systems inaccessible.

Appendix:

Policies Referenced

Definitions

Covered electronic documents – Any data that has been classified as either Detroit Mercy Protected data or as Detroit Mercy Sensitive data and is stored electronically.

History:

  • June 1, 2021: Initial Policy