University Policy 3504

Data Administration Policy

  • Responsible Oversight Executive: Vice President for Administration and Finance
  • Date of Current Revision or Creation: February 14, 2022

The purpose of this policy is to establish the framework for administering the University's institutional data.


, grants authority to the Board of Visitors to make rules and policies concerning the institution. Section 7.01(a)(6) of the grants authority to the President to implement the policies and procedures of the Board relating to University operations.

Restructured Higher Education Financial and Administrative Operations Act,

Application Administrators - Individuals with administrative application or system privileges, who are responsible to ensure that appropriate controls, mechanisms, and processes are in place to meet the security requirements necessary to protect an information technology resource.

Data Classification - In the context of information security, it is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered, or destroyed without authorization.

Data Element - In electronic recordkeeping, a combination of characters or bytes referring to one separate item of information such as name, address, or age.

Data Compliance Owners - Data Compliance Owners understand the compliance requirements for the data under their purview, designate the compliance level of their data, and approve the access to and use of the data.

  • University Data Compliance Owners oversee compliance for data that is shared or leveraged across the University, such as HR, Finance, Financial Aid, and Student FERPA data.
  • Departmental Data Compliance Owners oversee the data that is specific to the departmental application or system that is not overseen by one or more of the University Data Compliance Owners.

Data Users - Those authorized to access institutional data and information in order to perform their assigned duties or to fulfill their role in the University community.

Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information security program.

Institutional Data - Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the University. Regardless of physical form or characteristic, the recorded information is an institutional record if it is produced, collected, received, or retained in pursuance of law or in connection with the transaction of University business. The medium upon which such information is recorded has no bearing on the determination of whether the recording is an institutional record. Institutional records include but are not limited to personnel records, student records, academic records, financial records, patient records and administrative records. Record formats/media include but are not limited to email, electronic databases, electronic files, paper, audio, video, and images.

Personally Identifiable Information - Personally identifiable information (PII) is defined as data or other information that is tied to or which otherwise identifies an individual or provides information about an individual in a way that is reasonably likely to enable identification of a specific person and make personal information about them known. For the purposes of classification at ODU, certain PII can be considered public, such as that designated as directory information under FERPA, or confidential or restrictive based on ability to use the information for harmful purposes such as identity theft.

Research and Scholarly Data ("Research Data") - Digitally recorded information necessary to support or validate a research project's observations, findings, or outputs. Specifically, data that are:

  1. Acquired and/or maintained by University employees and/or students in performance of research and/or in pursuit of a scholarly activity;
  2. Created or updated in pursuit of a research or scholarly function;
  3. Necessary to support research or scholarly findings, establish validity of inventions, and prove ownership of Intellectual Property Rights.

System Compliance Owners - The manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview. System Compliance Owners are responsible for the overall compliance and security of their system.

This policy applies to all users of Old Dominion University information technology resources and governs all information technology resources either owned by or operated for University business through contractual arrangements. Users may include employees, students, volunteers, and visitors to the institution. Employees include all staff, administrators, faculty, full- or part-time, and classified or non-classified persons who are paid by the University. Students include all persons admitted to the University who have not completed a program of study for which they were enrolled; student status continues whether or not the University's programs are in session. Visitors include vendors and their employees, parents of students, volunteers, guests, uninvited guests, and all other persons located on property owned, leased, or otherwise controlled by the University or using information technology that is provided by the University.

This policy refers to all data owned, used, created, or maintained by the University whether individually controlled or shared, stand-alone or networked. It applies to all data sources found on equipment owned, leased, operated, or contracted.

Data Administration and Classification

It is the policy of Old Dominion University that the framework for the administration of institutional data is built upon the accepted standards of practice, the understanding of institutional data, and the roles and responsibilities involved in the management of the data.

The security of institutional data and the infrastructure upon which it is processed, transmitted, or stored is patterned after accepted standards for management of information security, such as ISO/IEC 27001/2, Information Technology - Security Techniques - Code of Practice for information security controls, industry best practices and practices of comparable higher education institutions.

Data classifications and associated protective controls account for academic and business needs for sharing or restricting information and the impact associated with such needs. Data classification informs security decisions such as location of stored data, authorization and access requirements, continuity of operations and disaster recovery planning, and are maintained in risk assessment documents. Data classification levels along with certain transmission and storage expectations are found in .

Research and Scholarly Data

Research and scholarly data are generally not considered institutional data and are governed by the Research and Scholarly Data Governance Committee (RSDGC). The RSDGC is a University-level committee charged with oversight of the policy and guidelines for the management of and access to the University's Research Data in accordance with University policies and applicable law.

Roles and Responsibilities

The specific responsibilities of Data Compliance Owners, Data Users, Application Administrators, oversight committees, and other security roles are identified within .

Violations of this policy should be reported to the University's Information Security Officer. Any faculty, staff or student found to have violated this policy may be subject to the appropriate disciplinary action.

  1. Data elements are reviewed and identified by the data compliance owner. Using the data classification levels outlined in data compliance owners make classification determinations.

  2. System compliance owners in collaboration with the data compliance owner will conduct a System Risk Assessment in accordance with for all new and hosted systems that maintain sensitive data. The completed System Risk Assessment will be forwarded to the Information Security Officer.

Applicable records must be retained and then destroyed in accordance with the .


Information Security Officer


Policy History

Policy Formulation Committee (PFC) & Responsible Officer Approval to Proceed:

/s/ J. Douglas Streit


Responsible Officer


January 4, 2022


Date


Policy Review Committee (PRC) Approval to Proceed:

/s/ Donna W. Meeks


Chair, Policy Review Committee (PRC)


December 14, 2021


Date


Executive Policy Review Committee (EPRC) Approval to Proceed:

/s/ Todd K. Johnson


Responsible Oversight Executive


February 8, 2022


Date


University Counsel Approval to Proceed:

/s/ Allen T. Wilson


University Counsel


February 10, 2022


Date


Presidential Approval:

/s/ Brian O. Hemphill, Ph.D.


President


February 14, 2022


Date

Previous Revisions: October 1, 2007; April 16, 2011; December 14, 2015; February 14, 2022

Scheduled Review Date: February 14, 2027