Category 2

Category 2: Mandatory use in order to comply with institutional policies

Examples:

1. A contract developer is hired from a consulting firm to assist in developing a core administrative system. The developer will use his or her own laptop (provided by the consulting firm) and will have institutional data stored on that laptop. Your institutional policy on mobile computing devices requires full disk encryption software as well as other baseline security practices. The developer's laptop must comply with the requirements of your mobile computing policy.
2. Your institution is contracting with a third-party for W2 processing. Your institutional policy on the handling of Social Security numbers requires that they be encrypted with 1024 bit keys while stored in any sort of file or database.
   

Relevant Themes:

• Data Definition
• Data Protection After Contract Termination
• Data Sharing
• Data Transmission (including Encryption)
• Financial Information
• General Data Protection
• Indemnification as a Result of Security Breach
• Intellectual Property Protection
• Notification of Security Incidents
• Protected Health Information (HIPAA)
• References to Third Party Compliance With Applicable Federal, State, and Local Laws and Regulatory Requirements
• References to Third Party Compliance With University Policies, Standards, Guidelines, And Procedures
• Security Incident Investigations
• State Breach Notification Laws
• Student Education Records (FERPA)
• Use of Data

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).