000 Introduction

Information Security Policies & Procedures Manual
Section 000: Introductory Material
Effective: 01/11/2010

The OSU Information Security Manual documents key elements of OSU’s Information Security Program, including Policies and Procedures required by Oregon law, Oregon University System Rules, and Information Security best practices. Its formation was specifically dictated by the Oregon University System Information Security Policy (OAR 580-055-0000) and the Oregon Consumer Identity Theft Protection Act of 2007 (more info at http://www.cbs.state.or.us/dfcs/id_theft.html).

OSU takes its responsibility to protect and care for the information entrusted to us by our students, faculty, staff, and partners seriously.  Policies and Procedures outlined in this manual are meant to document how we will meet our  responsibilities as stewards of information entrusted to us as an institution of higher education.  This manual is not intended to be step by step guide for faculty and staff; however, elements of it may be required reading in certain circumstances.

Information Security Policies apply to all members of the OSU Community; however, in certain circumstances specific restrictions on information may be required by the terms of a grant, federal law, or departmental policies.  In the event of an inconsistency or conflict, applicable law and the State Board of Higher Education’s policies supersede University policies and University policies supersede college, department or lower unit bylaws, policies, or guidelines. 

These policies and procedures apply regardless of the media on which information resides. Specifically they apply to paper and traditional hard copy information, as well information on electronic, microfiche, CD\DVD, or other media. They also apply regardless of the form the information may take; for example: text, graphics, video or audio, or their presentation.

Appendix A: Data Classification by Data Element

Information Security Policies and Procedures Manual
Appendix A: Data Classification by Data Element
Effective: 02/20/2014
Revised: 04/11/2014


Protected Information:

Social Security Number

Driver’s License/State-issued Identification Number

Visa/Passport Number

Credit Card Number

Bank Account Number

Health Insurance Policy Number

Income Tax Records

Personally Identifiable Health Information, including Personally Identifiable Genetic Information

Classified Research Data

Personal Finance Disclosure/Information

Identifiable Human Subjects Research Data designated as Level 3 by the Institutional Review Board (IRB)

Research Data with Export Control/ITAR limitations


Sensitive Information:

Data defined as confidential by the Family Educational Rights and Privacy Act (FERPA)

Employment Applications

Employee Performance Evaluations

Confidential Donor Information

Identifiable Human Subjects Research Data designated as Level 2 by the IRB

Minutes from Confidential Meetings

Accusations of Misconduct and records from investigations

Common Identifiers: Date of Birth, Place of Birth, Mother’s Maiden Name

Demographic Information such as race, ethnicity, gender, sexual orientation or identity when personally identifiable

Admission applications

Privileged Attorney-Client Communications

ID Photos