University of Hawaii Information Security Program
The University of Hawaii System encompasses 10 accredited campuses and additional education, training, and research centers on six islands throughout the State of Hawaii. This highly decentralized and complex organization is dedicated to the highest standards of scholarship and service, which requires an open flow of information and communication.
Unfortunately, over the last decade, the emergence of increasing abuse by criminals of personal information used by universities, such as social security numbers and credit card or other banking information, has challenged the decentralized culture of free flow of information. In today's world, access to personal information must be restricted to uses where it is necessary and close guarded wherever it is stored or used. Those individuals whose personal information has been entrusted to the University deserve no less.
While information security has long been the responsibility of each campus, as of 2011 the University leadership has committed to establishing and resourcing a new systemwide information security program. This approach is more cost-effective and comprehensive than is possible by continuing the decentralized approach that has been in use.
The University of Hawaii Information Security Program is comprised of the following strategic areas:
- Data Governance and Oversight
- Information Security Audits & Risk Assessments
- Information Security Policies & Procedures
- Identity Management & Access Controls
- Information Security Training and Awareness
Information Security Governance Structure
Additionally, the University has established an Information Security Governance Structure. This leadership group is tasked with ensuring that all information security policies, procedures and other initiatives are implemented and maintained within their authorities. This leadership group is comprised of senior campus administrators (appointed by their Chancellors) and IT Security Leads (technology support staff designated by their campus leadership or dean/director). This leadership group meets each semester and once during summer.
Keeping Personally Identifiable Information Private @ UH
Protecting Personally Identifiable Information (PII) is everyone's responsibility at the University of Hawaii. Understanding what PII is and how to protect it is extremely important to ensuring that the data does not get into the wrong hands or inadvertently exposed. If you suspect that data has been exposed, or someone is inappropriately handling sensitive information, please report it at firstname.lastname@example.org (or see Report Security Issues or Incidents.
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is the type of information that needs to be protected because the inadvertent disclosure or inappropriate access requires a breach notification or is subject to financial fines. Information such as Social Security Numbers, Driver's License numbers or Hawaii Identification Card numbers, Financial Account numbers, PCI-DSS information, and Health information, including anything covered by the Health Insurance Portability and Accountability Act (HIPAA) are categorized as "Regulated" by the University of Hawaii.
New University Data Governance and Data Classification Policies
E2.215 Institutional Data Governance - Established to provide principles governing the management and use of data and information at the University, including, but not limited to, the collection and creation, privacy and security, and integrity and quality of that data and information.
E2.214 Data Classification Categories - Established to organize UH Institutional Data into data classification categories based on the different levels of security risk and penalties that may result from the inadvertent exposure and inappropriate disclosure of those data. The categories are: Public, Restricted, Sensitive, and Regulated.
New University HIPAA Policy and HIPAA Compliance Officer
JT Ash, the University of Hawaii HIPAA Compliance Officer can be reached at email@example.com or (808) 956-7241.
Do you handle PII, "UH Sensitive", or "UH Regulated" data?
If at any point you handle or view any sensitive data or regulated data, you must acknowledge the online General Confidentiality Notice, found at https://www.hawaii.edu/its/acer/. The general confidentiality notice identifies the types of information that is considered sensitive and confidential (note that it is not exhaustive). The document also identifies the responsibilities of people who have access to sensitive information.
You should also take the Information Security Awareness Training found in Laulima. This brief course goes over various topics, such as data breaches, securing information, and policy. A link to the Security Awareness Training could be found here: https://www.hawaii.edu/infosec/training/.
Do you store "UH Regulated" data electronically or in paper format?
According to Hawaii Revised Statutes (HRS) 487N-7, any personal information system (regardless if it is paper-based or electronic) needs to be reported. For the University of Hawaii, this information needs to be reported in the Personal Information Survey site. This information survey MUST be reviewed and updated yearly.
Are you responsible for a server running on the UH Network?
If you are hosting a server on the University of Hawaii network (regardless if it is behind a firewall) MUST be registered on the Server Registration site. In addition to registering your server, it must be scanned for vulnerabilities and sensitive information yearly. More information on this requirement can be found here: https://hawaii.edu/askus/1312.
Information Security is ALL OUR Responsibility
Remember: Everyone is responsible for the privacy of sensitive information. This task should not be left for one person to accomplish. It requires everyone's understanding and participation to be effective. Everyone should know and understand the procedures of securing data at the University of Hawaii.