PURDUE UNIVERSITY
VICE PRESIDENT FOR BUSINESS SERVICES AND ASSISTANT TREASURER

TO: Deans, Directors, and Heads of Schools, Divisions, Departments, and Offices, and Regional Campus Chancellors

RE: BUSINESS OFFICE MEMORANDUM No. 180
Security of Data on the Administrative Data Processing Center's Computing Equipment

DATE: 18 March 1987

BACKGROUND:

During recent years, the Administrative Data Processing Center (ADPC) has experienced substantial growth, both in the volume of data needed to support the administrative processes of the University and in the needs for, and methods of, accessing data by centralized and decentralized management. This growth has mandated the need for a formal system to assure that data stored on ADPC equipment are secure from unauthorized access, change, copying, or use.

The 1986 session of the Indiana General Assembly enacted legislation addressing the protection of data and establishing stringent penalties for violations. Further, federal privacy acts apply to some data stored on ADPC equipment and must be followed (see Executive Memorandum No. C-2, Disclosure of University Records: Procedures for Use in Connection with the "Access to Public Records" Law, and in Response to Third-Party Subpoenas; and Executive Memorandum No. B-44, University Policy Regarding the "Family Educational Rights and Privacy Act of 1974" (as Amended)).

The purpose of this memorandum is to establish University-wide data security policies and procedures for data on the ADPC computing equipment, recognizing these circumstances.

POLICIES:

1. All data, programs, and procedures (hereafter called "data") gathered, stored, or maintained on ADPC equipment are the property of Purdue University. This ownership of data extends to copies of these data on individual microcomputers, minicomputers, or mainframe computers, whether the equipment or networks are located on the West Lafayette campus, regional campuses, or elsewhere.

2. These data shall be used only for, and in the conduct of, University business.

3. Responsibility for these data resides with the various University departments that create and maintain them. The head of the department (or his/her designee) is authorized to grant permission to access data controlled by that department to other University departments and their staff members when necessary for the efficient management of the University. Specific permission to access, change, or copy data must be granted in writing before the action will be permitted.

4. When permission is granted to access such data, the user is expected to maintain the confidentiality of these data and to use them as specified in #2 above.

5. All entry to the ADPC on-line network will be specifically authorized by the assignment of a code and password that represents an individual user. The password assigned to an individual must be kept confidential and not disclosed in any way.

6. Any violation by employees of these policies constitutes grounds for disciplinary action, which may include suspension, termination, and prosecution under state and federal laws. Any violation by students may constitute grounds for disciplinary action by the Dean of Students, which could include suspension or expulsion from the University and prosecution under state and federal laws.

PROCEDURES:

1. Responsibility for maintaining the security of data on the ADPC equipment is assigned to the ADPC Director. When data are transferred to non-ADPC equipment or other media, the responsibility for security of the data transfers to the head of the receiving department.

2. A Security Administrator within the ADPC organization will perform, among others, the following duties:

(a) Assign access codes to individuals authorized to enter the on-line network, after certification by their department head.

(b) Coordinate the granting (or denial) of permission to access, change, or copy data between the department responsible for maintaining and controlling the data and the individual or department making the request.

(c) Require that authorized users periodically change their access codes to ensure the maintenance of confidentiality.

(d) Report annually to all department heads, directors, and vice presidents the names of individuals on their staffs who are authorized to enter the on-line network, and request verification that they continue to be authorized.

(e) Report at least annually to the departments responsible for maintaining and controlling the various data the names of individuals authorized to access, change, or copy their data.

(f) Require, before initial authorization to access the network and annually thereafter, that all individuals authorized to enter the on-line network sign an "Acknowledgement of Responsibilities" form, reminding them of the policies and procedures they have agreed to follow.

3. Violations, or attempts at violation, of the policies and procedures established in this memorandum should be reported to the ADPC Director, who will recommend appropriate action.

QUESTIONS:

Questions concerning these policies and procedures should be directed to the ADPC Director or ADPC Security Administrator at the West Lafayette campus, or to the Data Processing Directors at the regional campuses.

Howard S. Lyon
Vice President for Business Services and Assistant Treasurer