Protected Information Handling Policy

Policy Statement

This policy describes a set of requirements that apply to all persons who use information that has been designated as protected information.

Reason for Policy

The primary purpose of this policy is to ensure that the necessary policy and awareness exist so that University employees and students comply with all applicable laws and regulations. This document establishes minimum requirements for the proper handling and protection of Adelphi Protected Information.

Who Is Governed by this Policy

This policy applies to all Adelphi University employees, students, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing information that is owned by Adelphi University and has been designated as protected information.

Policy

1. In consultation with the Information Security Officer, the Information Owner must define requirements for protection, disclosure of, and/or access to protected information.
2. All information categorized as Regulated, Protected, Critical, or Controlled is considered Protected Information.
3. Protected Information may only be created, collected, stored, transmitted and/or processed if a need to do so exists, and if that need cannot be satisfied in any other way.
4. Protected Information must be securely destroyed when it is no longer needed.
5. Protected Information must be handled with due care.
6. 当发现受保护的资料在未经授权的情况下遗失，或怀疑发生遗失时，必须通知资讯保安主任，并可宣布发生资讯保安事故。

Guidance

Using due care to handle protected information includes the requirement to appropriately restrict access to the protected information by placing it on a network server that has restrictive access controls in place, password protecting it, or encrypting it using a strong encryption algorithm. Due care also requires that protected records in non-electronic format are stored in restricted locked areas, such as closed and non-accessible offices, locked desk drawers, or locked filing cabinets. In addition, transmission of protected documents to personal addresses or any other non-approved destinations is not allowed. Limit the amount of copies made of sensitive data, and do not copy sensitive files to unencrypted portable media.

Enforcement

任何违反本政策的员工可能会受到纪律处分，直至终止雇佣关系。

Definitions

Information Owner:有权对某些类别的信息作出明智决定的人或角色。

Forms

This policy does not have forms associated with it at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.

Related Information

This policy does not have related information at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.

Document History

• Last Reviewed Date: Fall 2017
• Last Revised Date: Fall 2017
• Policy Origination Date: June 18, 2009

Who Approved This Policy

Office of Information Technology