UM Information Security Office
DOCUMENT HISTORY
| Date | Document Version | Revision Description | Author |
|---|---|---|---|
| 4/4/2024 | 1.0 | New Document | Neff, CISO |
| 9/8/2024 | 1.1 | Minor Revisions | Neff, CISO |
| 3/5/2025 | 1.2 | Minor Revisions | Ashworth, IR |
| 7/7/2025 | 1.3 | Minor Revisions | IR/OSPI/CISO |
| 9/10/2025 | 1.4 | Minor Revisions | Neff, CISO |
Approvals
| Approval Date | Approved Version | Approver Role | Approver |
|---|---|---|---|
| 9/8/2024 | 1.1 | CISO | Neff, CISO |
INTRODUCTION
In the University of Montana System (UM System), security and compliance are ongoing, mission-critical business processes and are obligatory for all members of the University community. This standard outlines the measures we take to ensure data resilience in the face of evolving threats and to uphold external compliance regulations.
This standard applies to anyone who accesses, uses, or controls University computer and data resources, including, but not limited to, faculty, administrators, staff, researchers, students, those working on behalf of the University, guests, contractors, consultants, visitors, and/or individuals authorized by affiliated institutions and organizations.
All access to data is granted to employees as part of their job at the University based on the principle of “minimum necessary.” The data security standard defines the minimum security requirements that must be applied to the data classifications defined in the UM Data Governance Policy. Some data elements, such as credit card numbers, student records, and protected health information, are regulated data and have additional security requirements defined in external standards. Access and use of university data are covered by the UM Data Governance Policy.
DEFINITIONS
Refer to UM Data Governance Policy.
STANDARD
This standard outlines the security measures for protecting data classified as High Risk, Moderate Risk, and Low Risk.
Requirements for High Risk Data
- Labeling: Must be marked as “Confidential” if the system allows for labeling.
- Access control: Individuals must be granted access to High Risk Data on a least-privilege basis. No person or system may access the data unless a documented business process requires it. When access is required, the Data Steward or Data Custodian must grant permission to use the data.
- Access auditing: Access auditing for files containing High Risk Data should be enabled.
- Sharing: Access to High Risk Data can be granted only by a Data Steward or Data Custodian. No individual may share High Risk Data with another individual to whom a Data Steward or Data Custodian has not given access.
- Idle access: Devices that can be used to access High Risk Data must automatically lock after some period of inactivity, using screensaver passwords, automatic logout, or similar controls.
- Protection:
  - Transmission: High Risk Data must be protected during transmission using secure methods that ensure both confidentiality and authenticity. Transmission mechanisms must follow industry best practices and be approved by the Information Security Office (ISO).
  - Storage: High Risk Data must be protected at rest using secure, university-approved encryption or equivalent safeguards. Storage must ensure that only authorized individuals have access, and that encryption keys or credentials are managed securely. Storage of High Risk Data on portable or personal devices is discouraged unless specifically approved and protected accordingly.
- Retention: High Risk Data should only be stored for as long as necessary to accomplish the documented business process, in alignment with the MUS General Record Retention Schedule.
- Destruction: When High Risk Data is no longer needed, it should be destroyed in accordance with applicable policies, using methods resistant to data-recovery attempts such as cryptographic data destruction utilities, on-site physical device destruction, or a NAID-certified data destruction service. See Montana University BOR IT Policy 1308 and UM Data Disposal and Media Sanitization Standard.
- Incident notification: If there is a potential security incident that may place High Risk Data at risk of unauthorized access, the Data Steward and UM Information Security Office (ISO) must be notified. See UM Incident Response Policy.
For security, privacy, and regulatory reasons, those creating, managing, or storing research data must be especially attuned to its classification and appropriate security measures. Research data classified as Confidential or Restricted must be stored on University-controlled devices and systems, not personal devices or personally acquired services. The appropriate University units must vet data sharing agreements. Researchers must ensure that data is secured and available only to those approved for access.
Requirements for Moderate Risk Data
- Labeling: No special requirements.
- Access control: Individuals must be granted access to Moderate Risk Data on a least-privilege basis. No person or system may access the data unless a documented business process requires it. When access is required, the Data Steward or Data Custodian must grant permission to use the data.
- Protection:
  - Transmission: Moderate Risk Data must be protected during transmission using appropriate safeguards to prevent unauthorized access or alteration. Secure transmission methods should be selected based on the sensitivity of the data and approved by the ISO.
  - Storage: Moderate Risk Data must be stored in a manner that protects it from unauthorized access or misuse. Encryption or other suitable safeguards must be used where feasible. Encryption keys or access credentials must be managed responsibly and shared only with individuals with a legitimate business need.
- Sharing: Moderate Risk Data may be shared among University employees according to a well-defined business process approved by the Data Steward. It may be released publicly only according to well-defined business processes and with the permission of the Data Steward.
- Idle access: Devices that can be used to access Moderate Risk Data must automatically lock after some period of inactivity, using screensaver passwords, automatic logout, or similar controls.
- Retention: Moderate Risk Data should only be stored for as long as necessary to accomplish the documented business process.
- Destruction: When Moderate Risk Data is no longer needed, it should be destroyed in accordance with applicable policies, using methods resistant to data-recovery attempts such as cryptographic data destruction utilities, on-site physical device destruction, or a NAID-certified data destruction service. See Montana University BOR IT Policy 1308 and UM Data Disposal and Media Sanitization Standard.
- Incident notification: If there is a potential security incident that may place Restricted Data at risk of unauthorized access, the Data Steward and the UM Information Security Office (ISO) must be notified.
Requirements for Low Risk Data
- Access control: Access to data classified as Low Risk is generally available to the public. The use, access, or alteration of Low Risk Data will not be restricted so long as its release to the public will not hurt the University or an individual community member.
- Protection: Low Risk Data will be protected from unauthorized modification or misuse (integrity). Applicable system security standards will be implemented for systems that store, process, or transmit Low Risk Data.
- Sharing: Low Risk Data may be freely shared and released publicly without obtaining permission from a Data Steward or Data Custodian.
- Retention: Low Risk Data may be stored for as long as necessary; there are no policies governing the retention of Low Risk Data.
- Incident notification: If there is a potential security incident that may place Low Risk Data at risk of unauthorized modification, the UM Information Security Office (ISO) must be notified.
REFERENCES
- Montana University System BOR IT Policy 1308
- UM Data Disposal and Media Sanitization Standard
- UM Data Governance Policy