University of Hawaiʻi Information Security Program

The University of Hawaiʻi System encompasses 10 accredited campuses and additional education, training, and research centers on six islands throughout the State of Hawaiʻi. This highly decentralized and complex organization is dedicated to the highest standards of scholarship and service, which requires an open flow of information and communication.

Unfortunately, over the last decade, criminals' increasing abuse of personal information used by universities, such as Social Security numbers and credit card or other banking information, has challenged the decentralized culture of free flow of information. In today’s world, access to personal information must be restricted to uses where it is necessary, and the information must be closely guarded wherever it is stored or used. Those individuals whose personal information has been entrusted to the University deserve no less.

While information security has long been the responsibility of each campus, as of 2011 the University leadership has committed to establishing and resourcing a new system-wide information security program. This approach is more cost-effective and comprehensive than continuing the decentralized approach that has been in use.

The University of Hawaiʻi Information Security Program is composed of the following strategic areas:

  1. Data Governance and Oversight
  2. Information Security Audits & Risk Assessments
  3. Information Security Policies & Procedures
  4. Identity Management & Access Controls
  5. Information Security Training and Awareness

Information Security Governance Structure

Additionally, the University has established an Information Security Governance Structure. This leadership group is tasked with ensuring that all information security policies, procedures and other initiatives are implemented and maintained within their authorities. It is composed of senior campus administrators (appointed by their Chancellors) and IT Security Leads (technology support staff designated by their campus leadership or dean/director). This leadership group meets each semester and once during summer.

Keeping Personally Identifiable Information Private @ UH

Protecting Personally Identifiable Information (PII) is everyone’s responsibility at the University of Hawaiʻi. Understanding what PII is and how to protect it is extremely important to ensuring that the data does not get into the wrong hands or become inadvertently exposed. If you suspect that data has been exposed, or that someone is inappropriately handling sensitive information, please report it at infosec@hawaii.edu (or see Report Security Issues or Incidents).

Personally Identifiable Information (PII) is the type of information that needs to be protected because its inadvertent disclosure or inappropriate access requires a breach notification or is subject to financial fines. Information such as Social Security Numbers, Driver’s License numbers or Hawaiʻi Identification Card numbers, Financial Account numbers, PCI-DSS information, and Health information, including anything covered by the Health Insurance Portability and Accountability Act (HIPAA), is categorized as “Regulated” by the University of Hawaiʻi.

E2.215 Institutional Data Governance — Established to provide principles governing the management and use of data and information at the University, including, but not limited to, the collection and creation, privacy and security, and integrity and quality of that data and information.

E2.214 Data Classification Categories — Established to organize UH Institutional Data into data classification categories based on the different levels of security risk and penalties that may result from the inadvertent exposure and inappropriate disclosure of those data. The categories are: Public, Restricted, Sensitive, and Regulated.

If at any point you handle or view any sensitive data or regulated data, you must acknowledge the online General Confidentiality Notice, found at https://www.hawaii.edu/its/acer/. The General Confidentiality Notice identifies the types of information that are considered sensitive and confidential (note that it is not exhaustive). The document also identifies the responsibilities of people who have access to sensitive information.

You should also take the Information Security Awareness Training found in Laulima. This brief course goes over various topics, such as data breaches, securing information, and policy. A link to the Security Awareness Training can be found here: https://www.hawaii.edu/infosec/training/.

According to Hawaiʻi Revised Statutes (HRS) 487N-7, any personal information system (regardless of whether it is paper-based or electronic) needs to be reported. For the University of Hawaiʻi, this information needs to be reported in the Personal Information Survey site. This information survey MUST be reviewed and updated yearly.

If you are hosting a server on the University of Hawaiʻi network (regardless of whether it is behind a firewall), it MUST be registered on the Server Registration site. In addition to being registered, the server must be scanned for vulnerabilities and sensitive information yearly. More information on this requirement can be found here: https://hawaii.edu/askus/1312.

Everyone is responsible for the privacy of sensitive information. This task should not be left for one person to accomplish. It requires everyone’s comprehension and participation to be effective. Everyone should know and understand the procedures for securing data at the University of Hawaiʻi.