The University of Hawaiʻi System encompasses 10 accredited campuses and additional education, training, and research centers on six islands throughout the State of Hawaiʻi. This highly decentralized and complex organization is dedicated to the highest standards of scholarship and service, which requires an open flow of information and communication.
Unfortunately, over the last decade, the emergence of increasing abuse by criminals of personal information used by universities, such as social security numbers and credit card or other banking information, has challenged the decentralized culture of free flow of information. In today’s world, access to personal information must be restricted to uses where it is necessary and close guarded wherever it is stored or used. Those individuals whose personal information has been entrusted to the University deserve no less.
While information security has long been the responsibility of each campus, as of 2011 the University leadership has committed to establishing and resourcing a new system-wide information security program. This approach is more cost-effective and comprehensive than is possible by continuing the decentralized approach that has been in use.
The University of Hawaiʻi Information Security Program is composed of the following strategic areas:
- Data Governance and Oversight
- Information Security Audits & Risk Assessments
- Information Security Policies & Procedures
- Identity Management & Access Controls
- Information Security Training and Awareness
Information Security Governance Structure
Additionally, the University has established an Information Security Governance Structure. This leadership group is tasked with ensuring that all information security policies, procedures and other initiatives are implemented and maintained within their authorities. It is composed of senior campus administrators (appointed by their Chancellors) and IT Security Leads (technology support staff designated by their campus leadership or dean/director). This leadership group meets each semester and once during summer.
Keeping Personally Identifiable Information Private @ UH
Protecting Personally Identifiable Information (PII) is everyone’s responsibility at the University of Hawaiʻi. Understanding what PII is and how to protect it is extremely important to ensuring that the data does not get into the wrong hands or inadvertently exposed. If you suspect that data has been exposed, or someone is inappropriately handling sensitive information, please report it at firstname.lastname@example.org (or see Report Security Issues or Incidents).
E2.215 Institutional Data Governance — Established to provide principles governing the management and use of data and information at the University, including, but not limited to, the collection and creation, privacy and security, and integrity and quality of that data and information.
E2.214 Data Classification Categories — Established to organize UH Institutional Data into data classification categories based on the different levels of security risk and penalties that may result from the inadvertent exposure and inappropriate disclosure of those data. The categories are: Public, Restricted, Sensitive, and Regulated.
If at any point you handle or view any sensitive data or regulated data, you must acknowledge the online General Confidentiality Notice, found at https://www.hawaii.edu/its/acer/ . The general confidentiality notice identifies the types of information that is considered sensitive and confidential (note that it is not exhaustive). The document also identifies the responsibilities of people who have access to sensitive information.
You should also take the Information Security Awareness Training found in Laulima. This brief course goes over various topics, such as data breaches, securing information, and policy. A link to the Security Awareness Training could be found here: https://www.hawaii.edu/infosec/training/.
According to Hawaiʻi Revised Statutes (HRS) 487N-7, any personal information system (regardless if it is paper-based or electronic) needs to be reported. For the University of Hawaiʻi, this information needs to be reported in the Personal Information Survey site . This information survey MUST be reviewed and updated yearly.
If you are hosting a server on the University of Hawaiʻi network (regardless if it is behind a firewall) MUST be registered on the Server Registration site . In addition to registering your server, it must be scanned for vulnerabilities and sensitive information yearly. More information on this requirement can be found here: https://hawaii.edu/askus/1312 .
Everyone is responsible for the privacy of sensitive information. This task should not be left for one person to accomplish. It requires everyone’s comprehension and participation to be effective. Everyone should know and understand the procedures of securing data at the University of Hawaiʻi.