These University of Hawaiʻi policies, State of Hawaiʻi Revised Statutes, and external regulations all have information security implications. Anyone accessing University of Hawaiʻi resources, including data, computer, and network resources, is responsible for ensuring compliance with all applicable policies and regulations.
UH Policies related to Information Security
Policy | Title | How it Applies to UH |
---|---|---|
EP 2.210 [PDF] | Use and Management of Information Technology Resources Policy | Describes the appropriate use of UH information technology resources which applies to students, faculty, staff, and authorized guest users. |
EP 2.214 | Institutional Data Classification Categories and Information Security Guidelines (Minimum Security Standards) | The objective of this executive policy is to organize UH Institutional Data into data classification categories based on different levels of security risk and penalties that may result from the inadvertent exposure and inappropriate disclosure of those data. |
EP 2.215 | UH Institutional Data Governance Policy (UH Data Governance Website) | Establishes system-wide standards to protect the privacy and security of data and information under the stewardship of the University. |
EP 2.216 | Institutional Records Management | Establishes institutional requirements for responsible records management. |
EP 2.217 [PDF] | UH HIPAA Policy (UH HIPAA Website) | To ensure that UH complies with the Health Insurance Portability and Accountability Act. |
EP 2.218 [PDF] | Online Approvals of Internal University Transactions | Describes institutional requirements regarding the use of online approvals and signatures. |
EP 2.219 | Student Online Data Protection Requirements for Third Party Vendors | This Policy sets forth the University’s expectations of how our Student Data shall be managed by external parties. |
EP 7.208 | Systemwide Student Conduct Code | Describes the rules and regulations that UH students must comply with. |
EP 8.200 | Policy on Contracts and Signing Authority | Policy on contracts that details Information Technology and Data Commitments that must be met before contracts are signed. |
AP 2.215 | Mandatory Training on Data Privacy and Security | Describes the mandatory training and continuing education requirements for UH employees, students, and affiliates. |
AP 7.022 | Procedures Relating to Protection of the Educational Rights and Privacy of Students | Establishes procedures governing a UH student’s access to their own education records and access to education records by the public and other governmental agencies. |
AP 8.710 | Credit Card Program | Procedures for processing credit card transactions in accordance with University policies, banking and payment card industry requirements, etc. |
Hawaiʻi Revised Statutes
Law | Title | How it Applies to UH |
---|---|---|
HRS 92F | Uniform Information Practices Act (UIPA) | Requires the University to open government records for public inspection except Social Security numbers, personal records, etc. |
HRS 487J | Social Security Number Protection | Requires the University to protect an individual’s Social Security number. |
HRS 487N | Security Breach of Personal Information | Requires the University to provide notice if there has been a security breach of personal information. |
HRS 487R | Destruction of Personal Information Records | Requires the University to securely dispose of personal information. |
External Standards and Regulations
Standard/Regulation | Title | How it Applies to UH |
---|---|---|
HIPAA | Health Insurance Portability and Accountability Act (UH HIPAA Website) | Regulates the use, disclosure, and protection of individuals’ health information. |
FERPA | Family Educational Rights and Privacy Act | Requires the University to provide students with access to their education records, an opportunity to have the records amended, and some control over their disclosure. |
FISMA | Federal Information Security Management Act | Requires federal agencies to implement an information security program for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor (e.g. UH), or other source. |
GLBA | Gramm-Leach-Bliley Act (“Safeguards Rule”) (UH GLBA Website) | Regulates how non-public personal information is to be protected. |
FACTA | Fair and Accurate Credit Transactions Act (“Red Flags Rule”) | Requires an identity theft prevention program to identify and detect red flags and to prevent and mitigate identity theft. |
PCI DSS | Payment Card Industry Data Security Standards | Requires the University to implement security controls around cardholder data to reduce credit card fraud. |
DMCA | Digital Millennium Copyright Act (“OCILLA”) | Requires the University to take action on copyright infringement that originates on the network. |
NDAA Section 889 | National Defense Authorization Act, Section 889 | Purchasing restrictions on federal contracts that involve covered telecommunications equipment or services. |