Policies & Compliance

These University of Hawaiʻi policies, State of Hawaiʻi Revised Statutes, and external regulations all have information security implications. Anyone accessing University of Hawaiʻi resources, including data, computer, and network resources, is responsible for ensuring compliance with all applicable policies and regulations.

UH Policies related to Information Security

| Policy | Title | How it Applies to UH |
|---|---|---|
| EP 2.210 [PDF] | Use and Management of Information Technology Resources Policy | Describes the appropriate use of UH information technology resources, which applies to students, faculty, staff, and authorized guest users. |
| EP 2.214 | Institutional Data Classification Categories and Information Security Guidelines; Minimum Security Standards | Organizes UH Institutional Data into data classification categories based on the different levels of security risk and penalties that may result from the inadvertent exposure and inappropriate disclosure of those data. |
| EP 2.215 | UH Institutional Data Governance Policy; UH Data Governance Website | Establishes system-wide standards to protect the privacy and security of data and information under the stewardship of the University. |
| EP 2.216 | Institutional Records Management | Establishes institutional requirements for responsible records management. |
| EP 2.217 [PDF] | UH HIPAA Policy; UH HIPAA Website | Ensures that UH complies with the Health Insurance Portability and Accountability Act (HIPAA). |
| EP 2.218 [PDF] | Online Approvals of Internal University Transactions | Describes institutional requirements regarding the use of online approvals and signatures. |
| EP 2.219 | Student Online Data Protection Requirements for Third Party Vendors | Sets forth the University's expectations of how Student Data shall be managed by external parties. |
| EP 7.208 | Systemwide Student Conduct Code | Describes the rules and regulations that UH students must comply with. |
| EP 8.200 | Policy on Contracts and Signing Authority | Details the Information Technology and Data Commitments that must be met before contracts are signed. |
| AP 2.215 | Mandatory Training on Data Privacy and Security | Describes the mandatory training and continuing education requirements for UH employees, students, and affiliates. |
| AP 7.022 | Procedures Relating to Protection of the Educational Rights and Privacy of Students | Establishes procedures governing a UH student's access to their own education records and access to education records by the public and other governmental agencies. |
| AP 8.710 | Credit Card Program | Procedures for processing credit card transactions in accordance with University policies, banking and payment card industry requirements, etc. |

Hawaiʻi Revised Statutes

| Law | Title | How it Applies to UH |
|---|---|---|
| HRS 92F | Uniform Information Practices Act (UIPA) | Requires the University to open government records for public inspection, with exceptions such as Social Security numbers and personal records. |
| HRS 487J | Social Security Number Protection | Requires the University to protect an individual's Social Security number. |
| HRS 487N | Security Breach of Personal Information | Requires the University to provide notice if there has been a security breach of personal information. |
| HRS 487R | Destruction of Personal Information Records | Requires the University to securely dispose of personal information. |

External Standards and Regulations

| Standard/Regulation | Title | How it Applies to UH |
|---|---|---|
| HIPAA | Health Insurance Portability and Accountability Act; UH HIPAA Website | Regulates the use, disclosure, and protection of individuals' health information. |
| FERPA | Family Educational Rights and Privacy Act | Requires the University to provide students with access to their education records, an opportunity to have the records amended, and some control over their disclosure. |
| FISMA | Federal Information Security Management Act | Requires federal agencies to implement an information security program for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, a contractor (e.g. UH), or another source. |
| GLBA | Gramm-Leach-Bliley Act ("Safeguards Rule"); UH GLBA Website | Regulates how non-public personal information is to be protected. |
| FACTA | Fair and Accurate Credit Transactions Act ("Red Flags Rule") | Requires an identity theft prevention program to identify and detect red flags and to prevent and mitigate identity theft. |
| PCI DSS | Payment Card Industry Data Security Standard | Requires the University to implement security controls around cardholder data to reduce credit card fraud. |
| DMCA | Digital Millennium Copyright Act ("OCILLA") | Requires the University to take action on copyright infringement that originates on its network. |
| NDAA Section 889 | National Defense Authorization Act, Section 889 | Imposes purchasing restrictions on federal contracts that involve covered telecommunications equipment or services. |