Information Security Standards

CONFIDENTIAL DATABASES

GENERAL

The university maintains multiple database sources, some of which may contain confidential or sensitive data. The disclosure of confidential data may expose the university to significant liability. The disclosure of sensitive data may threaten the security of university operations, even if there is no monetary penalty.

APPLICABILITY

This procedure applies to all university-owned or university-maintained database systems.

PROCEDURES

1. Databases with sensitive information will be stored on a separate database server or in a separate instance from the non-sensitive databases.

2. Databases will be promoted from DEV to QA, and from QA to PROD, for database structure only. Data will not be transferred from DEV to QA or PROD, nor from QA to PROD.

3. Passwords must comply with the university standard for passwords, both for user and service accounts.

4. Table and field names must comply with the university standard for database and field names. Misleading names must not be used.

5. If practical, the field names used within access software should not be identical to the names of the database fields. This is especially important if the field names may be visible to the user, such as in web-based applications.

6. Databases may be reviewed at any time, and databases on all non-sensitive database servers will be reviewed at least annually to ensure that they do not contain sensitive data. If sensitive data is found, the owner of the database will be required to make corrections.

7. If a database is redesigned so that it does not contain sensitive or confidential data, then it will be moved to a standard database server or instance.

HISTORY

Created August 12, 2013

Last Updated March 31, 2014