UM IT Data Security Standard

   
Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Data Protection and Lifecycle

IN PLAIN LANGUAGE

Not all University data carries the same risk, and not all data needs the same level of protection. This standard sets the security expectations for how University data must be handled based on its classification — Confidential, Restricted, or Public. When in doubt, treat data as Restricted by default. Regardless of where data lives or how it's used, the rules are consistent: access should be limited to those who need it, sensitive data must be encrypted, data must be stored in approved locations, and it must be securely disposed of when no longer needed. Everyone who touches University data — faculty, staff, students, contractors, and vendors — shares responsibility for handling it appropriately.


1. Purpose

The purpose of this Standard is to define minimum requirements for protecting University Data throughout its lifecycle to preserve confidentiality, integrity, and availability. This Standard establishes security control expectations based on data classification and supports the University of Montana's academic, research, administrative, and service missions.

This Standard implements the data protection requirements established by the UM Information Security Policy and aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.


2. Scope

This Standard applies to:

  • All digital University Data, regardless of format or medium
  • All information systems, applications, devices, and services that store, process, or transmit University Data
  • All members of the University community, including employees, students, affiliates, contractors, and third parties acting on behalf of the University

This Standard applies across all University of Montana System campuses and environments, including on-premises, cloud-hosted, and third-party systems. It applies to digital University Data and information systems only. Non-digital records are governed by records management, privacy, and other applicable University policies.


3. Relationship to Data Governance

The UM Data Governance Policy defines:

  • Data ownership and stewardship roles
  • Data classification categories
  • Institutional authority for data management decisions

This Standard does not define or modify data classification. Instead, it establishes security control expectations that apply once data has been classified under the Data Governance framework.


4. Data Classification and Protection Model

University Data must be protected in accordance with its classification. The classification tiers used in this Standard align with the UM Data Governance Policy, which uses High Risk, Moderate Risk, and Low Risk as the authoritative tier names. This Standard uses combined labels — e.g., Confidential (High Risk) — to make both the label and the risk tier explicit.

Default classification: All University Data is assumed to be Moderate Risk unless otherwise classified as High Risk or Low Risk, consistent with the UM Data Governance Policy.

Confidential (High Risk) Data — Data whose unauthorized disclosure, alteration, or loss would cause significant harm to individuals or the University. Examples include social security numbers, protected health information (PHI), financial account information, passport numbers, and research data including trade secrets.

Restricted (Moderate Risk) Data — Data whose unauthorized disclosure, alteration, or loss would cause limited or moderate harm to the University's operations, assets, or reputation. Examples include employee and student ID numbers, course evaluations, contracts, and student education records as defined by FERPA. All University Data is assumed to be Moderate Risk unless otherwise classified.

Public (Low Risk) Data — Data approved for public release. Examples include course schedules, campus maps, policy documents, job postings, and press releases.

The highest classification of any data element within a dataset determines the classification of the entire dataset.


5. Roles and Responsibilities

5.1 Chief Information Security Officer (CISO)

The CISO is responsible for:

  • Establishing and maintaining this Standard
  • Approving exceptions to data security requirements
  • Escalating material data security risks to executive leadership

5.2 Data Stewards and Data Custodians

Data Stewards and Data Custodians, as defined by the Data Governance Policy, are responsible for:

  • Ensuring appropriate classification of University Data
  • Approving access to data within their purview
  • Ensuring security controls appropriate to classification are implemented

5.3 Information Technology Organizations

UM IT, UM System IT, and Distributed IT are responsible for:

  • Implementing technical controls required by this Standard
  • Ensuring systems handling University Data meet security requirements
  • Supporting monitoring, incident response, and remediation activities

5.4 All Users

All users are responsible for:

  • Handling University Data in accordance with its classification
  • Protecting data from unauthorized access or disclosure
  • Reporting suspected data security incidents promptly

6. Data Security Requirements

6.1 Access Control

  • Access to University Data must be based on documented business or academic need
  • Least privilege principles must be applied
  • Access must be reviewed periodically and removed when no longer required

6.2 Encryption

  • Confidential (High Risk) and Restricted (Moderate Risk) Data must be protected using encryption when stored or transmitted, where technically feasible
  • Encryption methods must use University-approved algorithms and key management practices

6.3 Storage and Location

  • University Data must be stored only in approved locations and systems
  • Confidential (High Risk) Data is subject to additional restrictions defined in applicable standards (e.g., Cloud Computing Security, Endpoint Management)

6.4 Transmission

  • Data transmission must use secure, authenticated channels appropriate to the data classification
  • Confidential (High Risk) and Restricted (Moderate Risk) Data must not be transmitted using unapproved methods

6.5 Logging and Monitoring

  • Access to Confidential (High Risk) and Restricted (Moderate Risk) Data must be logged where technically feasible
  • Logs must support monitoring, investigation, and compliance requirements

6.6 Data Retention and Disposal

  • University Data must be retained only as long as required by business, legal, or regulatory needs
  • Data must be disposed of securely in accordance with the IT Data Disposal & Media Sanitization Standard

7. Data Sharing and Third Parties

  • Sharing University Data with third parties requires appropriate approval and security review
  • Vendors handling University Data must comply with the Vendor Risk Management Standard
  • Data sharing agreements must define security responsibilities and controls

8. Incident Response

  • Suspected or confirmed data security incidents must be reported immediately
  • Data incidents must be handled in accordance with the Incident Response Standard

9. Exceptions

Exceptions to this Standard must:

  • Be documented with risk justification
  • Identify compensating controls where applicable
  • Be approved by the CISO or designee
  • Be reviewed periodically

10. Review and Maintenance

This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, regulatory requirements, or institutional needs.


11. References

  • UM Information Security Policy
  • UM Data Governance Policy
  • UM Information Security Risk Management Standard
  • UM Incident Response Standard
  • UM Cloud Computing Security Standard
  • UM Endpoint Management & Configuration Standard
  • UM Vendor Risk Management Standard
  • NIST Cybersecurity Framework (CSF) 2.0