Detroit Mercy Protected and Detroit Mercy Sensitive Data Identification Policy

Scope:

This policy covers all computers and electronic devices capable of storing or transmitting electronic data that are owned or leased by the University of Detroit Mercy, consultants or agents of the University of Detroit Mercy, and any parties who are contractually bound to handle data produced by Detroit Mercy.

Purpose:

The purpose of this policy is to ensure that Detroit Mercy Protected or Detroit Mercy Sensitive data is not inappropriately stored on Detroit Mercy computers and electronic devices through systematic electronic examination.

Policy:

Frequency

All departments will perform a Personal Information Security Compliance (PISC) Review at least every 6 months. Departments are free to perform PISC Reviews more frequently if they see a need to do so. All departments must maintain a schedule for performing their PISC Reviews.

Covered Systems

During a PISC Review, departments are responsible for scanning workstations, laptops, portable devices, and any servers that are managed by the department.  Portable devices that store electronic data should be attached to a computer during the PISC Review.  ITS will perform PISC Reviews for all servers that they manage.

Collection Method & Methodology

Scan results shall be stored on each machine that is scanned. The primary data steward or the alternate data steward in each department will be responsible for examining each scan result to determine if the machine or device houses Detroit Mercy Protected or Detroit Mercy Sensitive data.

Measurement & Reporting

The primary data steward or the alternate data steward in each department will create and send a summary of their scan results to ITS. This summary of scan results will include the number of computers and electronic devices that contain either Detroit Mercy Protected data or Detroit Mercy Sensitive data, and the number that contain neither. Scan results will also include any machines which were believed not to contain Detroit Mercy Protected data or Detroit Mercy Sensitive data but were found to contain either data type. ITS will create and provide a summary report to the Information Technology Executive Steering Committee.

Follow-up & Training

Any users who regularly use a computer or electronic device identified by a scan as inappropriately containing Detroit Mercy Protected data or Detroit Mercy Sensitive data without proper authorization may be required to complete online training on the use and storage of Detroit Mercy Protected data and Detroit Mercy Sensitive data.

Detroit Mercy ITS will install software that is capable of scanning for Detroit Mercy Protected data and Detroit Mercy Sensitive data on all Detroit Mercy computers and electronic devices subject to this Policy.  Only software approved by ITS to scan for and identify Detroit Mercy Protected data and Detroit Mercy Sensitive data may be used during a PISC review.

Search Terms

The scanning software will search for the patterns that are specified in the Appendix.  If additional patterns are identified, they will be added to the Appendix.

Questions about this policy:

If you have questions about this policy, please contact ITS at its@udmercy.edu.

Policy adherence:

Failure to follow this policy can result in disciplinary action as provided in the Student Handbook and Employee Policies & Procedures. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Appendix:

Policies referenced

Definitions

Personal Information Security Compliance (PISC) Review – Occurs when a department follows the Personal Information Security Compliance Review Protocol.

Regular expression – A pattern, such as 9 consecutive digits or 3 consecutive digits then 2 consecutive characters.  Any item which matches the regular expression will be flagged by the scanning software.

Search Terms

Items that match any of the following regular expressions will be flagged by the scanning software as possible matches for sensitive data:

  • SSN9 – 9 consecutive digits
  • SSN324 – 3 consecutive digits, a dash, 2 consecutive digits, a dash, and 4 consecutive digits
  • AMEX – 4 consecutive digits, a dash, 6 consecutive digits, a dash, and 5 consecutive digits
  • VMCD – 4 consecutive digits, a dash, 4 consecutive digits, a dash, 4 consecutive digits, a dash, and 4 consecutive digits 
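
As an illustration added here (not the ITS-approved scanning software or any Detroit Mercy code), the four search terms above can be written as regular expressions and run over constructed sample text. The digit-boundary guards, the masking of stored matches, and the names scan_text, summarize and SAMPLE_DEVICES are assumptions of this example.

```python
import re
from collections import Counter

# Appendix search terms; the digit-boundary guards below are an assumption.
APPENDIX_PATTERNS = {
    "SSN9": r"\d{9}",
    "SSN324": r"\d{3}-\d{2}-\d{4}",
    "AMEX": r"\d{4}-\d{6}-\d{5}",
    "VMCD": r"\d{4}-\d{4}-\d{4}-\d{4}",
}
COMPILED = {name: re.compile(r"(?<!\d)" + body + r"(?!\d)")
            for name, body in APPENDIX_PATTERNS.items()}


def mask(value):
    """Hide all but the last four digits (masking is an added assumption)."""
    keep_from = len(value) - 4
    return re.sub(r"\d", "#", value[:keep_from]) + value[keep_from:]


def scan_text(text):
    """Return (label, line_number, masked_match) for every possible match."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, regex in COMPILED.items():
            for m in regex.finditer(line):
                hits.append((label, line_no, mask(m.group())))
    return hits


def summarize(devices):
    """Count devices with and without possible matches, and hits per pattern."""
    per_pattern, flagged = Counter(), 0
    for text in devices.values():
        hits = scan_text(text)
        flagged += bool(hits)
        per_pattern.update(label for label, _, _ in hits)
    return {"flagged": flagged, "clean": len(devices) - flagged,
            "per_pattern": dict(per_pattern)}


# Constructed sample content; the device names and numbers are made up.
SAMPLE_DEVICES = {
    "lab-pc-01": "student 123-45-6789 paid with 4111-1111-1111-1111\nid 123456789\n",
    "lab-pc-02": "order 20210601123456789 shipped\nphone 313-555-0100\n",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_DEVICES))
```

Without the boundary guards, the 17-digit order number on lab-pc-02 would be flagged as SSN9; every hit is still only a possible match that the data steward has to examine.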

History:

  • June 1, 2021: Initial Policy