Information Security Policies & Procedures Manual
Section 000: Introductory Material
The OSU Information Security Manual documents key elements of OSU’s Information Security Program, including Policies and Procedures required by Oregon law, Oregon University System Rules, and Information Security best practices. Its formation was specifically dictated by the Oregon University System Information Security Policy (OAR 580-055-0000) and the Oregon Consumer Identity Theft Protection Act of 2007 (more info at http://www.cbs.state.or.us/dfcs/id_theft.html).
OSU takes its responsibility to protect and care for the information entrusted to us by our students, faculty, staff, and partners seriously. Policies and Procedures outlined in this manual are meant to document how we will meet our responsibilities as stewards of information entrusted to us as an institution of higher education. This manual is not intended to be a step-by-step guide for faculty and staff; however, elements of it may be required reading in certain circumstances.
Information Security Policies apply to all members of the OSU Community; however, in certain circumstances specific restrictions on information may be required by the terms of a grant, federal law, or departmental policies. In the event of an inconsistency or conflict, applicable law and the State Board of Higher Education’s policies supersede University policies and University policies supersede college, department or lower unit bylaws, policies, or guidelines.
These policies and procedures apply regardless of the media on which information resides. Specifically, they apply to paper and traditional hard copy information, as well as information on electronic, microfiche, CD/DVD, or other media. They also apply regardless of the form the information may take; for example: text, graphics, video or audio, or their presentation.
Information Security Policies and Procedures Manual
Appendix A: Data Classification by Data Element
Social Security Number
Driver’s License/State-issued Identification Number
Credit Card Number
Bank Account Number
Health Insurance Policy Number
Income Tax Records
Personally Identifiable Health Information, including Personally Identifiable Genetic Information
Classified Research Data
Personal Finance Disclosure/Information
Employee Performance Evaluations
Confidential Donor Information
Minutes from Confidential Meetings
Accusations of Misconduct and records from investigations
Common Identifiers: Date of Birth, Place of Birth, Mother’s Maiden Name
Demographic Information such as race, ethnicity, gender, sexual orientation or identity when personally identifiable
Privileged Attorney-Client Communications