Personal Information Protection Compliance Review Protocol

Scope:

The Personal Information Protection Compliance Review Protocol covers all users of computers, electronic devices, and media capable of storing Detroit Mercy Protected data or Detroit Mercy Sensitive data as defined in the Acceptable Use & Security Policy.

Purpose:

The purpose of this protocol is to ensure that all departments of University of Detroit Mercy are in, and remain in, compliance with the policies established for the security of Detroit Mercy Protected data or Detroit Mercy Sensitive data.

Policy:

Each department will conduct compliance reviews in accordance with the Detroit Mercy Protected and Detroit Mercy Sensitive Data Identification Policy.

Each department head will designate one individual as the department’s primary data steward and one individual as the department’s alternate data steward. If the primary data steward is unable to perform their listed duties, the alternate data steward will perform those duties. The duties of the two data stewards cannot be delegated further. Each department will communicate the names of the designated data stewards to ITS. The primary data steward has primary responsibility for the security of information within their department. This will be the same person who is responsible for ensuring the department performs the necessary scans as defined in the Detroit Mercy Protected and Detroit Mercy Sensitive Data Identification Policy. The role of the designated individual may be rotated. The alternate data steward will assist the primary data steward and perform the functions of the primary data steward if the primary data steward is unavailable to do so.

The primary data steward will be responsible for conducting the review of their department, reviewing scan results, ensuring compliance with all policies listed in the appendix in the Applicable Policies Covered section, confirming that all devices covered by the Detroit Mercy Protected and Detroit Mercy Sensitive Data Identification Policy were scanned, and certifying that their office meets the identified security standards.

ITS and HR will train the data stewards on information security policies. Each department shall provide additional training to their data stewards on the local, state, and federal regulations or standards on information security that apply to their department. The primary data steward will be responsible for making certain that all employees, student employees, and outside parties used by their department are fully aware of the University of Detroit Mercy’s information security policies. They will arrange special training as needed by contacting subject matter experts.

Questions about this policy:

If you have questions about this policy, please contact ITS at its@udmercy.edu.

Policy adherence:

Failure to follow this policy can result in disciplinary action as provided in the Student Handbook and Employee Policies & Procedures. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Appendix:

Applicable Policies Covered

Definitions:

Primary data steward – The person who has primary responsibility for the security of information within their department. This will be the same person who is responsible for ensuring the department performs the necessary scans as defined in the Detroit Mercy Protected and Detroit Mercy Sensitive Data Identification Policy.

Alternate data steward – The person who will assist the primary data steward and perform the functions of the primary data steward if the primary data steward is unavailable to do so.

Exceptions:

Exceptions to this policy will be handled in accordance with the Acceptable Use & Security Policy.

Emergencies:

In emergency cases, actions may be taken by the Information Security Incident Response Team (ISIRT) in accordance with the procedures in the Incident Response Policy. These actions may include rendering systems inaccessible.

History:

  • June 1, 2021: Initial policy