Examples of Confidential data include (but are not limited to):

PERSONAL DATA

• ● Student information covered under the Family Educational Rights and Privacy Act (FERPA) in accordance with SAP 13.02.99.M0.01
  ● Sensitive personal information as defined by Texas Government Code §521.002
  ● Government-issued identification numbers (e.g. SSN, drivers license, passport numbers)

HEALTH DATA

• ● Protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
  ● Personal health records not otherwise covered under HIPAA (e.g., HR records for individuals with disabilities)

FINANCIAL DATA

• ● Individual financial information subject to Gramm-Leach-Bliley Act (GLBA)
  ● Data that falls under the European Union General Data Protection Regulation (GDPR)
  ● Financial records, including account numbers (e.g. bank account numbers, debit or credit card numbers) and tax records

RESEARCH DATA

• ● Export controlled information covered under the International Traffic in Arms Regulation (ITAR) or Export Administration Regulations (EAR)
  ● Human subject data and IRB-controlled research data
  ● Most research data as defined by SAP 15.99.03.M1.03: “the recorded factual material commonly accepted in the scientific community as necessary to validate research findings.”

ADMINISTRATIVE DATA

• ● Records pertaining to information security process and protocols
  ● Authentication credentials or verifiers (e.g. passwords, passphrases, biometric information, private encryption keys, etc)
  ● Research Compliance & Administration records (contracts, grants, IRB documentation)
  ● Recordings or data from surveillance cameras (AVST installations)

ACCESS

• 1.1

  Access to Confidential data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.

• 1.2

  In accordance with security control SA-4, access to Confidential data must be granted only by explicit authorization. Documentation of that authorization shall be maintained by the Data Steward or a Data Manager.

• 1.3

  In accordance with security control AC-3, access to Confidential data must be managed, monitored, and logged.

• 1.4

  In accordance with security controls AU-6 and AU-11, access logs should be available for auditing and review, and retained for a time sufficient to support investigations of information security events.

• 1.5

  In accordance with security control AC-19, any mobile computing device containing Confidential data must be protected from unauthorized access by passwords or other means.

• 1.6

  In accordance with security control IA-2, multifactor authentication is required to access Confidential data across the network.

• 1.7

  In accordance with security control MA-2, any Confidential data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.

STORAGE

• 2.1

  All information resources that store or process confidential information are defined as moderate impact resources at minimum. In accordance with SAP 29.01.03.M0.05, those information resources must reside in a Texas A&M enterprise data center.

• 2.2

  In accordance with security controls RA-2, AC-19, and SC-13, Confidential data must be encrypted in storage.

• 2.3

  In accordance with security controls AC-19 and MP-7, any removable computer media containing Confidential data must be encrypted.

• 2.4

  In accordance with security control MP-6, computer media containing Confidential data must be protected prior to release to a third party.

• 2.5

  In accordance with security control AC-19, unattended devices containing Confidential data must be kept physically secured.

• 2.6

  In accordance with security control AC-19, any information resource containing Confidential data must be encrypted, updated, and protected with anti-virus software and a personal firewall—even personally-owned equipment.

• 2.7

  In accordance with security control CM-3, information resources containing Confidential data must implement a documented change control process

TRANSMISSION

• 3.1

  In accordance with security controls SC-8 and SC-13, Confidential data must be encrypted in transit.

• 3.2

  In accordance with security control SC-8 Confidential data transmitted in an email message must be encrypted.

MONITORING

• 4.1

  In accordance with security controls SI-4, AU-2, AU-3, AU-4, AU-5, and AU-6, information systems containing Confidential data must enable effective logging and monitoring of system and security events.

• 4.2

  In accordance with security control AU-9, security logs must be protected from tampering and unauthorized access.

• 4.3

  In accordance with security control AU-11, security logs must be retained for a time sufficient to support investigations of information security events.

• 4.4

  In accordance with security control RA-2, information resources containing Confidential data must use data loss prevention software that is provided and managed by the Technology Services.

INCIDENT REPORTING

• 5.1

  In accordance with security control IR-6, any known or suspected unauthorized disclosure of Confidential data must be reported to the CISO.

• 5.2

  In accordance with security control IR-8, any known or suspected instance of unauthorized access or use of Confidential data must be reported to the CISO.

DISPOSAL

• 6.1

  In accordance with security control MP-6 and MA-2, information resources containing Confidential data must be sanitized prior to disposal or surplus.