Non-Restricted, Internal Restricted, Sensitive or Highly Sensitive Data, including but not limited to
Data in DePaul's information systems, files and data warehouse or other databases or
downloaded data, be made available to parties external to the University for anything other than
legitimate educational and/or business purposes and must have the approval of the appropriate
Data Steward and, in the case of Highly Sensitive Data, the Director of Information Security.
Protection from Unauthorized Access and Use: Users shall use reasonable and appropriate
means to protect all Data under their control or possession from unauthorized access or use. This
includes protecting Data that is archived, and disposing of Data in a responsible manner appropriate
to the Data Classification. Users shall promptly report any suspected unauthorized use of Data to
the Director of Information Security. Users should consult the "Security Classifications & Controls
Matrix" (attached as an appendix hereto) to gain an understanding of "best practices" for protecting
Data from unauthorized use.
Administering User Access:
Data Stewards must have formal processes for the administration of user access to the data under
their responsibility. At a minimum, these processes must include:
• Granting Data Access to Others: Data Stewards may receive requests to provide Data or
access to Data to others. They may grant such access only as authorized and in accordance
with this Policy or other relevant University policies. Data Stewards who grant access must
maintain copies of the appropriate Access Request Form in their records according to the
Record Retention schedule. These records must be made available to the Director of
Information Security or others authorized to review the records upon request. All data
access requests must be made through an Access Request Form. Data Stewards are
responsible for developing an appropriate Access Request Form for systems they manage if
the access is not granted through the PeopleSoft and BlueSky Access Request Form. Access
request forms must contain, at a minimum: full employee information (name, employee ID
number and user name) for the user to be authorized, description of access requested (including
explicit mention of any highly sensitive information requested) and business purpose for the
access, supervisor information of approving supervisor, Data Steward information of
approving Data Steward and date of request. Access requests must be signed by the
appropriate supervisory party, the Data Steward, and the employee. The employee signature
must certify that the User agrees to maintain the Confidentiality of the Data and the
password in accordance with this Policy, including protecting the password from
unauthorized use.
• Terminating Access to University Data: Once a person is no longer employed in a
position that requires access to Data (due to employment termination, transfer, change of
job duties, or other event), his/her access must be promptly removed. (Refer to the
Termination Process Checklist for more information.) Additionally, a person may be
removed from access to Data at any time as determined by the Director of Information
Security, Data Steward and/or appropriate supervisor/manager.
The individual's supervisor/manager is responsible for notifying the Data Steward of an
employee's change in job status, official roles or responsibilities that result in changes in
requirements of access to Data. This information must be relayed to NetAdmin in terms of
what access must be changed. Additionally, Human Resources shall provide notice to