Regulated computers are those that contain or have automatic access to certain categories of data, especially:
- student data covered by the Family Educational Rights and Privacy Act (FERPA),
- patient or other protected health information (PHI), as defined in the Health Insurance Portability and Accountability Act (HIPAA),
- personnel, salary, benefits, or other human-resources data (including Social Security Numbers), and/or
- individual financial data subject to the safeguarding provisions of the Gramm-Leach-Bliley Act (GLB),
but also other data that falls under state and federal mandates and that the institution is liable to protect. Examples are:
- results of research produced under federal or other contracts and grants whose provisions require the University to preserve, maintain, and provide future access to those data, to the extent specified in the contract, or
- other financial data whose disclosure or loss might impair the University’s ability to manage its affairs.
Computers that do not themselves store sensitive data but are used to access sensitive data on other computers are a special, difficult case. As a general guideline, if computer A has automatic access to sensitive data on regulated computer B (for example, A’s user does not need to enter a username and/or password to see data on B), then computer A is a regulated computer, even if computer A is a staff member’s personal or home computer. If, however, A’s user can access sensitive data elsewhere only by authenticating manually (that is, by entering a username and password again), then computer A is not a regulated computer. Regardless, if someone administers a database or has major administrative responsibility over regulated computers, it is wise to treat any computer that person regularly uses as a regulated computer.
The larger the amount and variety of sensitive data accessible on a given computer, the narrower the functionality that computer should have and the stricter the control over access to that computer. For example, a server containing human-resources and payroll information for an entire department should not be used as a personal workstation, or to provide general informational Web pages to the public. Conversely, an individual’s workstation, which typically runs a large array of applications and accesses many different network services, is an inappropriate place to store substantial amounts of sensitive data.
In cases where it is difficult to decide whether a computer is a regulated computer, system administrators should consult IT Security for guidance. The principal focus of this policy is servers and workstations that routinely store non-trivial quantities of sensitive data. However, where risks are significant, it also applies to servers and workstations that contain or manage small sensitive datasets.
Computers found to contain sensitive data but not to implement appropriate security measures may be removed from the network by IT Services, if necessary without warning.
See Regulated Computer Policy – Overview to ensure you are in compliance.
Expiration Date: August 15, 2014
Policy Owner: sbookerc