Access to Password Protected Information Standard

1 PURPOSE 

This standard shall establish the requirements and define the processes that apply when a Â̾ÞÈËÊÓƵ entity or non-community member seeks access to or disclosure of any electronic information that can only be accessed using a specific community member's Â̾ÞÈËÊÓƵ credentials. Additionally, the standard specifies the circumstances under which information may be accessed and/or disclosed without the community member's consent.


2 SCOPE 

This standard applies to:

• Requests for access to or disclosure of information stored in Â̾ÞÈËÊÓƵ information technology resources accessible with a specific community member's Â̾ÞÈËÊÓƵ credentials or by the administrators of that resource.

• All information, both institutional and personal, that is captured, stored, processed, transmitted, or otherwise managed by a Â̾ÞÈËÊÓƵ information technology resource.

• All community members, internal or external to Â̾ÞÈËÊÓƵ, seeking access to or disclosure of the information described in this standard are subject to the requirements and processes defined.

Note: Institution-specific data sharing policy covering research data exempts this Standard.


3 STANDARD 

All information stored in Â̾ÞÈËÊÓƵ information technology resources is considered the property of Â̾ÞÈËÊÓƵ or one of its component institutions. Â̾ÞÈËÊÓƵ has a responsibility to protect the confidentiality, integrity, and availability of that information and preserve our community members' privacy. For this reason, access to institutional information stored in information technology resources is, by default, only provided where a legitimate business need exists and where the owners of that data have provided authorization.

Institutional information that is associated with a specific community member and that requires using their Â̾ÞÈËÊÓƵ credentials to access accounts will be referred to as password-protected information for the remainder of this standard. This includes access to community members' accounts, Â̾ÞÈËÊÓƵ technology resources, and activity while accessing Â̾ÞÈËÊÓƵ technology resources.

Â̾ÞÈËÊÓƵ may access or disclose password-protected information without user consent only under the limited circumstances described in this standard.

3.1 Password-Protected Information Request Types

There are eleven distinct types of requests for password-protected information:

  • Subpoena, court order, search warrant, or another legal requirement
  • Legal Hold (to preserve data)
  • Conduct Investigation
  • Freedom of Information/Right-to-Know Request
  • Personal Information for a deceased community member
  • Life & Safety Event
  • Academic honesty investigation
  • Cybersecurity investigation
  • Regular information technology resource operations
  • Request to delete/takedown publicly accessible content belonging to another community member
  • Mission-critical business continuity

All requests for password-protected information arising from a legal process, including subpoenas, court orders, search warrants, government investigations, or litigation, shall be referred to the Â̾ÞÈËÊÓƵ General Counsel's Office (GCO) before any action is taken.

Legal holds, which preserve a snapshot of specific records indefinitely but do not involve a search of those records, shall be referred to the Â̾ÞÈËÊÓƵ GCO before taking action. Only members of the GCO shall access information preserved under a legal hold.

3.4 Conduct Investigations

Access to password-protected information related to a Human Resources (HR), Title IX Office, or Student Conduct Office investigation shall be referred to the Â̾ÞÈËÊÓƵ GCO for review before any action. Access to the information requested as part of an HR conduct investigation can only be given to HR personnel, the Director of the Title IX Office, the Director of the Student Conduct Office (as applicable), or the Â̾ÞÈËÊÓƵ GCO.

3.5 Freedom of Information Act/Right to Know Requests

Members of the public can request and receive certain types of institutional information of public record under the Freedom of Information Act (FOIA) or Right to Know (RTK). In some circumstances, these requests include password-protected information, requiring the assistance of Enterprise Technology & Services (ET&S) to fulfill. Before any action, FOIA and RTK requests shall be referred to the Â̾ÞÈËÊÓƵ GCO to determine the legitimacy and legality of the request. FOIA and RTK requests are not considered confidential. Â̾ÞÈËÊÓƵ community members whose password-protected information is included in the target of a FOIA or RTK request shall be notified via e-mail using their institutional e-mail address prior to the search. As Â̾ÞÈËÊÓƵ is legally required to fulfill these requests, community members' consent is not applicable. NOTE: Student e-mail is not considered a public record for these purposes.

3.6 Access to Personal Information for Deceased Community Members

In circumstances where information contained in password-protected accounts associated with a deceased community member is sought, a request shall be made in writing to Cybersecurity Governance, Risk, and Compliance (GRC) that specifies the following:

  • Name of the community member
  • Name of the requester
  • The specific information requested, which may include search terms, e-mails sent to specific addresses, etc.
  • The relationship of the requester to the deceased community member

Only the executor of the estate or the next of kin will be granted access to a deceased community member's information. Documentation is required to establish this relationship. The Â̾ÞÈËÊÓƵ GCO shall review and validate the legality of this documentation prior to any action. The Â̾ÞÈËÊÓƵ GCO and HR will authorize or decline the release of information.

Once the Â̾ÞÈËÊÓƵ GCO authorizes ET&S to provide the requested information, Cybersecurity GRC shall coordinate the provision of the information with the appropriate ET&S service lines. Cybersecurity GRC may require a management review of the appropriate administrative, academic, or business unit before releasing information.

Information provided to the community member’s executor or next of kin shall be restricted to the specific information approved by the GCO. No direct access to Â̾ÞÈËÊÓƵ information technology resources or Â̾ÞÈËÊÓƵ user credentials will be granted to the requester.

In the event of an incident with potential life and safety considerations, ET&S shall be empowered to provide all available information that might, in the opinion of the emergency response team, help preserve life and safety. The following individuals shall have the power to authorize this kind of emergency access and use:

  • Chief Information Officer
  • Chief Information Security Officer
  • Institutional Chief Operations Officer
  • Institutional Chief of Police
  • Institutional CEO

Emergency access and use of password-protected information shall utilize the least intrusive means to obtain only the information necessary to assess and resolve the emergency. The authorizing individual should weigh the need for access/use against other Â̾ÞÈËÊÓƵ or institutional concerns, including academic freedom, personal privacy, and integrity of institutional operations, and determine if the need for emergency access and use outweighs countervailing considerations.

The aforementioned leaders may verbally provide authorization for emergency access to the ET&S emergency response team member during an event. The authorizing ET&S member, Institutional CEO, or COO shall notify the appropriate institutional Chief of Police or Campus Safety director (if not the authorizing entity) of the emergency action taken.

The ET&S representative shall document the authorization and act as the primary point of contact for the emergency response team for the duration of the event.

In circumstances where a faculty member suspects a violation of the institution's policy on academic honesty or integrity has occurred, they may request ET&S to assist the investigation by providing information regarding information technology resource usage. Resources may include but are not limited to network activity, application access, and activity.

Faculty shall submit requests for this type of information to ET&S in writing, and such requests require sign-off from either an Associate Dean, Dean, or the Registrar. ET&S shall treat this request as confidential and maintain an audit trail that includes the initial request and academic leadership sign-off.

Faculty members and academic departments making the request shall ensure the completion of all requirements defined in the relevant institution's policy. Requirements include but are not limited to a notification to students and/or academic leadership and making any determinations about suspected violations and penalties.

Note: There are limits to the information available to ET&S. Requests will be met where possible and practical.

In a declared cybersecurity incident, individuals within ET&S may require access to information, including password-protected information that exceeds the access those individuals would normally be granted to perform their assigned roles. In these circumstances, a Cybersecurity & Networking (CS&N) team representative shall submit a written request to Cybersecurity GRC. The Chief Information Security Officer (CISO) or Chief Information Officer (CIO) shall approve the request.

This request shall be considered confidential and not be discussed or shared with anyone outside the designated Incident Response Team or CS&N leadership. To preserve the confidentiality of the incident investigation, community members whose password-protected information is included in this request shall not be notified or asked for consent. Access granted shall be limited to the minimum information necessary

4.0 Access to Information During Regular Information Technology Resource Operations

Â̾ÞÈËÊÓƵ information technology resources require operational management and ongoing maintenance to ensure proper operation, the deployment of software or hardware updates, and adherence to regulatory and contractual obligations. Accordingly, to perform this work, ET&S-approved vendors and other authorized individuals may access password-protected information, solely for these purposes, without user consent or notification.

During this kind of access, ET&S personnel may observe password-protected information. Except as provided elsewhere in this standard, ET&S personnel are not permitted to seek out password-protected information that is not germane to the specific information technology resource operations and support activities being performed. Any unavoidable examination of password-protected information shall be limited to the minimum required to perform such duties. ET&S personnel are not exempt from the prohibition against personal or confidential information disclosure.

In their duties, ET&S personnel may inadvertently discover or suspect violations of law or Â̾ÞÈËÊÓƵ policy listed. In that case, they may preserve the data and report such violations using the appropriate reporting mechanism for the violation observed.

4.1 Request to Take Down Publicly Accessible Content

A Â̾ÞÈËÊÓƵ entity may submit a request for access to password-protected information to remove publicly accessible content belonging to another community member. The community member should first attempt to reach a takedown agreement with the account owner serving the content. In cases wherein an agreement is not reached, Cybersecurity GRC will submit a petition to the content owner for removal on behalf of the requester. If consent is not granted, Cybersecurity will consult with the GCO and proceed with the request as deemed appropriate.

Note: The DMCA Compliance Standard addresses takedown requests related to copyrighted material.

4.2 Access to Password-Protected Information for Mission-Critical Business Continuity

Individuals may need access to information associated with an account to support mission-critical services.

Examples may include:

  • Post-separation business continuity
  • A faculty member requesting access to another faculty member's course in a learning management system
  • A supervisor requesting access to a team member's e-mail account while that person is out on leave

If a Â̾ÞÈËÊÓƵ entity identifies a legitimate need to access the password-protected information of a Â̾ÞÈËÊÓƵ community member, every effort shall be made to obtain the information from the individual. However, if the direct transfer of information is not possible, a supervisor or an individual in the leadership hierarchy of the community member shall submit the request. The written consent of the community member is the preferred mechanism for approval. However, if consent is not available, written authorization from an appropriate institutional Vice President shall be required.

ET&S - Identity & Access Management (IAM) shall administer and facilitate these requests as outlined in this standard's roles and responsibilities section.

Access request requirements and limitations:

  • A specific business need shall accompany the request; the IAM team may deny submissions lacking a legitimate business purpose.
  • The request shall name specific individual(s), and any access granted will be limited to the named individuals.
  • Access granted shall be limited to the minimum password-protected information necessary to address the business need.
  • Successfully granting access does not alter or modify any intellectual property or content ownership rights addressed in other Â̾ÞÈËÊÓƵ and/or institutional policies or contracts.
  • Requests granting access to e-mails or documents contained in the account of a former employee who is also an active or prior student shall be limited to specific terms.

4.3 Special Notice Regarding Personal Information

All information processed through or stored on institutional information technology resources (e.g., enterprise e-mail, cloud storage) is subject to discovery in legal proceedings and to requests under the Right to Know Act. Â̾ÞÈËÊÓƵ advises community members that information they might consider private can be legitimately accessed or disclosed under any of the above-mentioned circumstances. Any personal information stored on Â̾ÞÈËÊÓƵ information technology resources is subject to disclosure.

4.4 Transparency and Traceability

Any time access to or disclosure of password-protected information requiring the involvement of ET&S is approved without community member consent, a record of that access or disclosure shall be created that includes, at a minimum, the following:

  • The type of password-protected information requested
  • A description of the password-protected information that was accessed or disclosed
  • The justification for the access or disclosure
  • The designated approver(s) name(s)
  • Documentation supporting all required approvals
  • Any notifications sent to the community member

These records shall be collected and maintained by Cybersecurity GRC under the oversight of the Chief Information Security Officer (CISO) for seven years.


DOCUMENT HISTORY 

  • Drafted: R Boyce-Werner, AUG 2020. v01
  • Revision History, Â̾ÞÈËÊÓƵ Cybersecurity GRC Standards Committee, APRIL 2023, v02
    • Revised formatting, K SWEENEY 13 FEB 2024
    • Revised formatting, K SWEENEY, 30 MAY 2024
  • Reviewed by: Dr. David Yasenchock, Director Cybersecurity GRC, DEC 15, 2021, v02
  • Approved by: Thomas Nudd, Chief Information Security Officer, DEC 21, 2021, v02