As part of an ongoing effort to effectively secure and manage information, George Washington University officials are meeting with faculty and staff across the institution this spring to discuss a new information management strategy and the university’s revised Information Security and Records Management policies.
Designed to help faculty and staff understand how to properly create, protect, share, retain, archive and dispose of information, the university recently enhanced its Information Security Policy and Records Management Policy to provide updated policy language, guidance and resources for responsible and secure management of information.
“Stories of data losses due to cyber breaches and theft are in the news almost every day,” said Ed Schonfeld, senior associate vice president and chief compliance officer. “We can have the best chance for success in protecting the university’s information if we follow three points: know the university information in your care, take the proper steps to protect it, and know when to dispose of it.”
The updated Information Security Policy includes a new classification of information types, differentiating between regulated, restricted and public information. Regulated and restricted information require the most care and cannot be shared with the general public.
Regulated information is protected by local, national or international statute. Examples include personal health information, student academic and financial records and personally identifiable data, such as Social Security numbers. It requires the highest level of security.
Restricted information differs from regulated information in that restricted information is not protected by statute but must be secured to maintain the privacy of personal information and GW’s information assets. Distribution and access to restricted information must be limited to appropriate university faculty, staff, students or authorized users, according to the policies. Examples include library records, internal directory information, payroll or tax data, salary or benefits information, financial records and GWid information.
Public information, like press releases or public event information, has no restrictions for access and is free to disseminate as necessary.
The Office of Compliance and Privacy, Division of IT, and Office of the Senior Vice President and General Counsel worked together to develop the strategy. An information management web page has been published on the Office of Compliance and Privacy’s website. The site includes guidance for categorizing information (regulated, restricted, public), details on how to secure information based on category, a record retention schedule that informs users how to long to retain information, and a one page, printable handout that highlights the key points of GW’s information management strategy.
The Division of IT provides several resources to the GW community to enable faculty and staff to effectively follow the information management strategy. “The resources support encryption, secure document storage, anti-virus protection and IT security training,” said David Steinour, the university’s chief information officer.
“Protecting GW’s information assets is a shared responsibility for the GW community,” said George Guzman, director of compliance and data privacy. “With clear policies, informed guidance and resources, and active participation from GW faculty and staff, we will work to reduce the risk of information loss to the university.”