Oversight of Electronic Information

Conduct campus oversight

Consistent with common practices in higher education, campuses are encouraged to form an electronic information management group composed of representatives of campus constituencies to review campus electronic information management activities and to establish a framework for an integrated data environment.

Since the academic enterprise collects and processes electronic information that may be subject to specific legal protections, e.g., protected health information, appropriate academic bodies should be included in campus planning to identify the proper management of academic electronic information resources as well as to ensure broad dissemination of policy, guidelines, and procedures to the academic community.

Recommendations for the management of institutional electronic information should be based on common principles that:

  • ensure confidentiality, integrity, and availability of institutional information in electronic form for shared access by the University community, subject to authorization requirements and confidentiality standards,
  • clarify roles and responsibilities for appropriate authorization for release or disclosure of electronic information subject to federal and state law or regulation, or University policy,
  • maximize data consistency to support integration and minimize duplication in capturing, storing, and maintaining data, and
  • facilitate electronic information sharing by providing a reliable and secure technical environment for managing electronic information and improving direct access to electronic information by authorized users.

Inventory and classify electronic information

Identification of the sensitivity of electronic information is necessary to determine appropriate practices to protect electronic information from unauthorized access or use and to protect the systems where that electronic information is stored or processed. Business and Finance Bulletin IS-2, Inventory, Classification, and Release of University Electronic Information, identifies information security objectives and categories for classifying information. Unit and departmental management are advised to conduct inventories to accurately classify resources for which they are responsible. This work should also include risk assessments in order to determine the appropriate security measures to be deployed.

Develop IT security plan

When assessments indicate the presence of electronic information protected by law or policy, a security plan as outlined in Business and Finance Bulletin IS-3, Electronic Information Security, should be developed. Generally, electronic information that is subject to federal or state law, such as student or financial data, protected health information, or social security numbers, including research data containing such information, requires the highest level of protection. In conformance with University policy, all systems that host highly protected electronic information must meet specific administrative, technical, and physical requirements. Systems may also be subject to additional operating regulations in accordance with vendor, partner, or funding agency agreements. See IS-3, Appendix C, Selected Security Controls for Common Vulnerabilities/Threats, for recommended security measures.

Plan for emergencies

A fundamental element in information management is thinking in advance about possible mishaps or events that would result in loss or damage to data, impair regular functionality, or prevent access to information resources for an extended period of time. Solutions to address those eventualities should be identified in advance. Planning should address identification of responsible individuals who are authorized to make decisions in response to such events, how to prevent these events from occurring, how to inform and train affected individuals, and how to recover from such events. Business and Finance Bulletin IS-12, Continuity Planning and Disaster Recovery, identifies recommended planning and response strategies for University of California electronic information resources. See the section on Continuity Planning and Disaster Recovery for additional information.