University Administrative Policies

 

Administrative Policies and Procedures Manual - Policy 2520: Accessing and Safeguarding Personally Identifiable and Controlled Information

Date Originally Issued: 11-01-1991
Revised: 07-01-2001, 07-01-2011, 03-18-2019, 07-06-2020, 06-08-2023

Authorized by Regents' Policy 3.1 "Responsibilities of the President"
Process Owner:  Chief Information Officer

1. General

The University provides information and information systems (‘Systems’) to the University community in accordance with UAP 2500 ("Acceptable Information and Information System Use"), which applies to all users of University information and Systems. This policy describes additional responsibilities applicable to UNM community members in IT-related positions, or who are in a position where they require access to Personally Identifiable Information (PII)/ Controlled Unclassified Information (CUI) in order to perform their academic, administrative, clinical, and/ or research-related UNM work.

Management of University information and Systems must ensure and help enforce the rights and responsibilities provided for in UAP 2500, while also ensuring that reasonable and appropriate safeguards are in place to protect the availability, confidentiality, and integrity of University information and Systems. Therefore, any individual, department, or unit that operates a System must ensure that administrative, operational, physical, and technical controls are in place to protect PII/ CUI on those Systems. Additionally, controls must be documented in procedures to help ensure that safeguards are in place and are effective to consistently protect UNM information and Systems. UNM’s Information Security and Privacy Office (ISPO) and UNM Information Technologies (UNM-IT) are available to advise and assist individuals and departments in complying with this and other information security and privacy-related policies. Departmental information security guidelines, policies, procedures, and standards, as well as any periodic updates to those, shall be provided to the ISPO and to the Office of University Counsel (OUC).

Deans, Directors, or designees are responsible for ensuring that reasonable and appropriate safeguards for information and Systems within their purview are in place and effective against unauthorized access, and other breaches of privacy and information security, through the implementation of appropriate administrative, operational, physical, and technical safeguards. Finally, prior to gaining access to information and Systems, all users of such Systems shall be required to agree to and comply with this and other UNM policies, including departmental policies and procedures, and including, but not limited to:

2.  Authorization for Access to Information and Systems

Access to information and Systems must be authorized by the appropriate Dean, Director, or designee, and also by the appropriate UNM Data Steward for the information contained in or accessible through the System. Data Stewards are University Officials, appointed to authorize access to the UNM information under their purview, and who also help ensure that safeguards required for accessing information under their purview are defined, published, and promulgated. The appropriate Dean, Director, or designee is responsible for ensuring that all Systems within their purview comply with Data Steward-required safeguards, as well as with the policies, procedures, and standards established through UNM’s Information Security Program, and any similar departmental policies and procedures.

3. Access to Personally Identifiable (PII) and/ or Controlled Unclassified Information (CUI)

Authorization for access to PII/ CUI will only be granted to individuals with a demonstrated need to access such information to perform their academic, administrative, clinical, and/ or research-related duties, and who have taken the required training applicable to the information and System being requested. Only the minimum, or least privileged level of access needed to perform those duties shall be granted, and access will be periodically reviewed and assessed by the appropriate Dean, Director, or designee, and/ or by the appropriate Data Steward.

3.1. Remote Access

“Remote access” is defined here as any User and/ or device connecting to a UNM network or System from outside the University, or University-managed facilities, for example, from home under an approved remote work agreement. UNM-IT, Deans, Directors, and designees, as well as Users, when remotely accessing Systems, share responsibility for ensuring appropriate safeguards are in place and in use to prevent unauthorized access to UNM information and Systems, and to prevent interruption to UNM Systems. Remote access must be secured as described in UNM’s Account Security Standard and Working with UNM Data Guideline.

3.1.1. User Responsibilities When Accessing UNM Information and Systems

Once approved, Users are responsible for ensuring appropriate physical security measures are in place at their remote location, and for helping to ensure secure use of UNM information and Systems. The ISPO is available to assist Users in identifying the appropriate protections necessary to help prevent theft of, or unauthorized access to University information and Systems. For non-UNM owned devices, Users are responsible for ensuring their devices, when used for remote access, are protected by least-permissive firewall software, and that software is in place, active, and up to date to prevent unauthorized and/ or malicious software from being downloaded or installed, and that the access device is current with respect to supported operating system and security-related patches and updates. 

UNM recommends, where possible, that Users do not copy or remove information from UNM Systems, and that they never copy or remove PII/ CUI, as described in Section 4.1.2. herein, onto any System or storage device, without authorization. Storage of PII/ CUI on a non-UNM computer is prohibited unless a formal written exemption is approved by the appropriate UNM Data Steward. Whenever stored remotely, PII/ CUI must be encrypted at rest.    

3.1.2.  High-risk PII/ CUI

Users should be especially careful when accessing or using the following types of information:

  • Export Controlled materials and other related CUI;
  • Confidential financial information, such as financial aid account information;
  • Account MFA, passphrases, and Personal Identification Numbers (PINs);
  • Social Security and/or credit card numbers;
  • Demographic information, such as gender and ethnicity;
  • Private cryptographic keys and related encryption mechanisms.

3.1.3. Remote Work

As described in detail in UAP 2500, when working at an alternate work site, employees are responsible for the safety and security of all University-owned equipment, information and records, and materials. This includes remaining up to date with UAP 2550 ("Information Security"), and maintaining information security and record confidentiality and integrity in the same manner as when working at the regular University worksite. Please see UAP 3245 ("Remote Work") for additional details on remote work arrangements.

4. Systems for Systems

Deans, Directors, or designees are responsible for ensuring reasonable and appropriate safeguards are implemented for information and Systems within their purview to protect such information and Systems from any unauthorized access and/ or interruption of Systems. In addition to implementing and documenting safeguards, periodic penetration and risk assessments shall be conducted in order to ensure that reasonably foreseeable risks to information and Systems are identified and addressed.

4.1. Safeguards to Protect Against Malicious and Unauthorized Software

All University Systems must have software installed, running, and automatically updated where technically possible, to prevent malware, ransomware, viruses, and other unauthorized software from being downloaded and/or installed.  For more information, please see IT’s Endpoint Detection and Response (EDR) knowledge article, or open an IT Help ticket.

4.2. Privacy and Confidentiality

Deans, Directors, or designees must take appropriate measures to ensure the privacy and confidentiality of information and Systems under their purview are enforced, in accordance with applicable laws, agreements, and policies, including but not limited to:

4.3. System Integrity

Deans, Directors, or designees may monitor and investigate systems under their control for appropriate use of resources, to protect or improve system performance, or in compliance with audit or legal requests. Departments must keep Systems and software up-to-date, especially with regard to supported Operating Systems and any security patches and updates, in compliance with UNM’s Vulnerability Management requirements. Please see Appendix D of UNM’s Vulnerability Management Program for specific requirements.

4.4. Business Continuity and Disaster Recovery (BC/DR)

For all computing systems that store or process PII/ CUI, Deans, Directors, or designees are responsible for developing, maintaining and periodically testing Business Continuity and Disaster Recovery (BC/DR) plans and procedures. All mission critical systems and systems that contain PII/ CUI must be protected by BC/DR procedures, including secure storage of backups at an appropriate distance from campus that meets the University’s Continuity of Operations needs.

4.5. Records Management

Deans, Directors, or designees are responsible for complying with agreements, and with local, state, and federal law regarding record retention, and for complying with University Records Management requirements for classification and retention of University information.

5. Information Security Violations

Deans, Directors, or designees should develop and implement processes to detect and correct any non-compliance with this and other University IT and information security policies and procedures, in collaboration with the ISPO. Suspected incidents must immediately be reported to the ISPO. Examples of such incidents include, but are not limited to:

  • Web site defacement or other evidence of unauthorized or malicious changes to Systems;
  • Account compromises or suspected compromises;
  • Reviews of application or system logs that show possible unauthorized access;
  • Non-compliance with this or other relevant IT or Information Security Policies.

If the ISPO receives a report that could involve a UNM healthcare-related entity, or PHI, it will immediately notify the UNM HIPAA Privacy Office.

Misconduct related to access of PII/ CUI or Systems should be reported to Internal Audit, or to the Office of Compliance, Ethics, and Equal Opportunity (CEEO).

6. Sanctions

Users who do not demonstrate due care and diligence with regard to the duties of this policy, or in the use of UNM information and Systems as required by this Policy, may be subject to sanctions, including withdrawal of use privilege and Accounts; disciplinary action up to and including expulsion from the University or discharge from a position; and legal prosecution. Loss of Account access may have very serious repercussions on employees’ and students’ ability to be successful in their roles and programs at UNM, even absent further sanctions.