
Data Management and Protection of Highly Sensitive Data Policy

Policy Purpose

This policy defines the handling, usage, storage, and management of “Highly Sensitive” University data. This policy is required for the University in order to align with UA System security and auditing mandates.

Policy Statement

It shall be the policy of the University of Arkansas-Fort Smith to preserve and protect “Highly Sensitive” data by all appropriate means.

Applicability

This policy applies to all University employees, students, auditors, or any persons that have access to the University’s Highly Sensitive data.

Definitions

Highly Sensitive data - Information that, if disclosed to unauthorized persons, would be a violation of federal or state laws, University policy, or University contracts. This includes all data defined by the state of Arkansas as Level C (Very Sensitive) or Level D (Extremely Sensitive).

Policy Procedure

Data Use:
1. It is the responsibility of each individual with access to “Highly Sensitive” data to understand the definition of “Highly Sensitive” data, and to use these “Highly Sensitive” data resources in an appropriate and ethical manner. Each individual must comply with all applicable federal, state, and local statutes. It is the responsibility of each individual with access to “Highly Sensitive” data resources to safeguard these resources.
2. Access, use or disclosure of Highly Sensitive data will be limited to the minimum that is necessary to achieve the legitimate purpose for which the data was accessed.
3. Highly Sensitive data will be accessed, used or disclosed only for purposes consistent with applicable law and University policy.

Data Management:
1. Access to “Highly Sensitive” data should be restricted to those individuals with an official need to access the data.
2. All servers containing “Highly Sensitive” data must be housed in a secure location and operated only by authorized personnel. These servers should maintain authentication, security, and system logs.
3. For all information system resources which contain or access data classified as “Highly Sensitive,” processes must be in place to ensure that access is logged, and ideally that activity is recorded and reviewed.
4. “Highly Sensitive” data transmitted across the network must use secure protocols such as SFTP (secure file transfer protocol), TLS (Transport Layer Security), SSH (secure shell), Microsoft RDP (remote desktop protocol), etc. Authentication (login) to “Highly Sensitive” data must also use secure authentication protocols.

Data Storage:
1. “Highly Sensitive” data should not be permanently stored on personal devices, including but not limited to desktops, laptops, iPads, smart tablets, etc. unless there is a valid University reason.
2. “Highly Sensitive” data should not be permanently stored on removable media, including but not limited to external hard drives, CDs, DVDs, and USB storage devices (e.g., thumb drives) unless there is a valid University reason. If data must be temporarily stored on personal devices or removable media, then the data must be encrypted at rest, according to encryption methods recommended by Information Technology Services. The data must be deleted immediately from personal devices or removable media as soon as it is no longer required.
3. For “Highly Sensitive” data stored on servers, access is to be secured by ACLs (Access Control Lists) and by local server firewalls.
4. All individuals should routinely inventory their respective personal or removable devices for “Highly Sensitive” data.
5. All “Highly Sensitive” data files must be removed by approved University procedures from electronic devices and electronic media that are being surplused.

Data Breach Reporting:
1. Any accidental disclosure or suspected misuse of “Highly Sensitive” data must be reported immediately to the appropriate University officials. Appropriate University officials include immediate supervisors, the Director of Information Technology Services, and the Vice Chancellor for Finance and Administration.

Enforcement

1. Failure to comply with requirements of this policy can result in loss of access to the data.

Policy Management

This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.

Exclusions

None Applicable

Effective and Approved Date

This internal policy was approved by Terry Meadows – Director of IT/CIO on 3/7/2023

Last Updated

10/31/2025 – Reformatted for accessibility by Terry Meadows Director of IT/CIO