Top Information Security Concerns for Campus Executives & Data Stewards

Last reviewed: June 2017

1. What/Where is my data?

What data are in my part of the organization and where are they located?

a. Do I know where paper records that contain sensitive data are located and used?
b. Do I know where electronic sensitive data are located and used?
c. Do I know the quantity of data?
d. Is it possible to store sensitive data on removable media or portable devices and is it part of regular business processes?
e. Is data stored on home computers, personally owned devices, or personally managed devices as part of approved workflows?
f. Do I know if a third party has access to or holds data from my organization?

Top of page

2. How sensitive is it?

How sensitive is the data in my part of the organization?

a. Do I know what data my institution considers sensitive? (Many institutions have established data classification policies outlining multiple levels of data sensitivity - e.g., University of Michigan.)
b. What are the consequences if sensitive data gets into the wrong hands? Do I understand the impacts should the data no longer be available or if the integrity of the data is compromised?

Top of page

3. Who's responsible for it?

Who's responsible for the security of information in my part of the organization?

a. Have I clearly outlined employee roles and responsibilities for securing information?
b. Have I made information (training, policies, procedures) available to employees so that they understand how to protect data?
c. What is my role and responsibility for information in my part of the organization and how do I communicate that to employees?
d. How do I ensure the data protection policies of my institution are being followed?
e. Have I identified who the information asset owners/data stewards are? Do they understand that they are accountable or responsible for making decisions on risks associated with that information/data?
e. Whom may I rely on for assistance outside of my part of the organization and how do I contact them?

      i. Chief Information Security Officer?
      ii. Chief Information Officer?
      iii. Internal Audit?
      iv. General Counsel?
      v. Privacy/Compliance/Risk Officer?
      vi. Chief Financial Officer?
      vii. Others?

Top of page

4. Who has access to it?

a. Do only those with a business need have access to the data? How many people need to access the information? How often is the information accessed?
b. Are they authorized, documented and tracked?
c. Are authorization records periodically audited?
d. Do employee transition procedures (new employee, position changes, departure) include steps to update authorization records?
e. Have I made information (training, policies, procedures) available to users so that they understand how to protect data?
f. Do those with access to data know where to find information about how to protect it?

Top of page

5. Do I need to keep it?

a. How long is the institution required to keep each data type? Does my institution have a retention schedule?
b. What are the benefits of keeping the data and do the benefits outweigh the costs and risks?
c. Do I know the institutions procedures for secure disposal?

Top of page

6. What if it gets into the wrong hands?

a. Do I know how to recognize a data breach?
b. Do I know what my institution's procedures are to address it?
c. Do I know whom to notify in the event of a data breach?
d. Does anyone working with the data know how to identify a possible breach and notify the appropriate institutional staff? 

Top of page

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).