Data Management and Protection of Highly Sensitive Data Policy
Policy Purpose
This policy defines the handling, usage, storage, and management of “Highly Sensitive” University data. This policy is required for the University in order to align with UA System security and auditing mandates.
Policy Statement
It shall be the policy of the University of Arkansas-Fort Smith to preserve and protect “Highly Sensitive” data by all appropriate means.
Applicability
This policy applies to all University employees, students, auditors, or any persons that have access to the University’s Highly Sensitive data.
Definitions
Highly Sensitive data - Information that, if disclosed to unauthorized persons, would be a violation of federal or state laws, University policy, or University contracts. This includes all data defined by the state of Arkansas as Level C (Very Sensitive) or Level D (Extremely Sensitive).
Policy Procedure
Data Use:
1. It is the responsibility of each individual with access to “Highly Sensitive” data
to understand the definition of “Highly Sensitive” data, and to use these “Highly
Sensitive” data resources in an appropriate and ethical manner. Each individual must
comply with all applicable federal, state, and local statutes. It is the responsibility
of each individual with access to “Highly Sensitive” data resources to safeguard these
resources.
2. Access, use or disclosure of Highly Sensitive data will be limited to the minimum
that is necessary to achieve the legitimate purpose for which the data was accessed.
3. Highly sensitive data will be accessed, used or disclosed only for purposes consistent
with applicable law and university policy.
Data Management:
1. Access to “Highly Sensitive” data should be restricted to those individuals with
an official need to access the data.
2. All servers containing “Highly Sensitive” data must be housed in a secure location
and operated only by authorized personnel. These servers should maintain authentication,
security, and system logs.
3. For all information system resources which contain or access data classified as
“Highly Sensitive,” processes must be in place to ensure that access is logged, and
ideally that activity is recorded and reviewed.
4. “Highly Sensitive” data transmitted across the network must use secure protocols
such as SFTP (secure file transfer protocol), TLS (Transport Layer Security), SSH
(secure shell), Microsoft RDP (remote desktop protocol), etc. Authentication (login)
to “Highly Sensitive” data must also use secure authentication protocols.
Data Storage:
1. “Highly Sensitive” data should not be permanently stored on personal devices, including
but not limited to desktops, laptops, iPads, smart tablets, etc. unless there is a
valid University reason.
2. “Highly Sensitive” data should not be permanently stored on removable media, including
but not limited to external hard drives, CDs, DVDs, and USB storage devices (e.g.,
thumb drives) unless there is a valid University reason. If data must be temporarily
stored on personal devices or removable media, then the data must be encrypted at
rest, according to encryption methods recommended by Information Technology Services.
The data must be deleted immediately from personal devices or removable media as soon
as it is no longer required.
3. For “Highly Sensitive” data stored on servers, access is to be secured by ACLs
(Access Control Lists) and by local server firewalls.
4. All individuals should routinely inventory their respective personal or removable
devices for “Highly Sensitive” data.
5. All “Highly Sensitive” data files must be removed by approved University procedures
from electronic devices and electronic media that are being surplused.
Data Breach Reporting:
1. Any accidental disclosure or suspected misuse of “Highly Sensitive” data must be
reported immediately to the appropriate university officials. Appropriate university
officials include immediate supervisors, the Director of Information Technology Services,
and the Vice Chancellor for Finance and Administration.
Enforcement
1. Failure to comply with requirements of this policy can result in loss of access to the data.
Policy Management
This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.
Exclusions
None Applicable
Effective and Approved Date
This internal policy was approved by Terry Meadows, Director of IT/CIO, on 3/7/2023
Last Updated
10/31/2025 - Reformatted for accessibility by Terry Meadows, Director of IT/CIO