"Requests for access to information for multiple divisions or university-wide must be signed by the provost or appropriate vice president. Authorization is to be granted to employees who have job responsibilities requiring the information requested... Any university employee, student or non-university individual with access to administrative data who engages in unauthorized use, disclosure, alteration or destruction of data in violation of this policy will be subject to appropriate disciplinary action, including possible dismissal and/or legal action." Marty Rimm claims in footnote 40 that he obtained "detailed" data on CMU users including sex, nationality, age, and marital status. This policy suggests that the provost or a vice president helped him. ------------ University Policy begins here Editor's notes... POLICY TITLE: Data and Computer Security (Confidentiality of Administrative Data) DATE OF ISSUANCE: This policy was originally issued in May 1990 as Chapter 1, Volume 7 of the Carnegie Mellon Policy Library. It was most recently revised in December 1994. ACCOUNTABLE DEPARTMENT/UNIT: Administrative Computing and Information Services. Questions on policy content should be directed to Len Brush, assistant vice president for administrative computing and information services, x83888. NOTE: Some graphics within the original policy document -- charts, tables, forms, exhibits -- could not be easily transferred to the Andrew b-board system. Omission indicators were placed throughout the document, where appropriate. Please also note that all pagination references were omitted, since they apply only to hard copies of documents. ----------------- Published Policy: ----------------- POLICY STATEMENT Access to data residing in administrative systems and applications at Carnegie Mellon University is to be granted only to those individuals who must, in the course of exercising their responsibilities, use the specific information. Access to administrative data will be granted to university employees only. With special permission, a student may access data if the data pertains to that student or if that student is also an employee of the university. Individuals outside the university can be authorized access to university data only if that authorization is granted by an Executive Officer of the university. Access and update capabilities/restrictions will apply to all administrative data, data stored on the Administrative Computing and Information Services computers and on mini-computers and micro-computers across campus. Security measures apply to administrative systems developed and/or maintained by university departments or outside vendors. This policy only covers administrative aspects of academic and research units. REASON FOR POLICY Carnegie Mellon University maintains data which are essential to performing university business. These data are to be viewed as valued resources over which the university has both rights and obligations to manage, secure, protect, and control. This policy secures and protects data defined as administrative data stored in and accessible by university-owned computing systems and accessible by university employees in their official university capacities. In addition, this policy addresses the broader data issues of the rights and responsibilities of authorized persons in the handling, as well as the security and protection, of university data. CONTENTS [Editor's note: Page numbers have been omitted.] The following topics are addressed in the "Procedures" and "Special Situations" sections of this policy: TOPIC -Security Administration -Ownership of Administrative Data -Stewardship of Administrative Data -Data Accessibility -Computing Security Procedures -Establishing Minimum Security Measures -Establishing Backup and Recovery Procedures -Protecting and Managing Passwords -Managing Systems for Employee Turnover -User Security Procedures -Requesting Authorization for Administrative Data Access Capabilities -Requesting Authorization for Administrative Data Update Capabilities -Distributing Administrative Information -Maintaining Confidentiality of Restricted Data -Reporting Data Security Breaches -Enforcing Penalties for Unauthorized Data Access or Disclosure WHO DOES THIS POLICY APPLY TO? *Employees *Alumnae(i) *Students with special permission *Trustees *Authorized persons with interests in: -University Finances -Education/Instruction -Research -University Facilities -Employee Data -Student/Alumni Data RELATED DOCUMENTS * University Policies: -Computing and Information Resources Code of Ethics [posted as COMP-SERV: Computing Ethics] -Discipline (for students) [posted as STUD-AFF: Student Discipline.1-.2] -Disciplinary Guidelines (for staff) [posted as EMPLOY: Staff Discipline) -Privacy Rights of Students [posted as REGISTRAR: Student Privacy Rights] -Statement on Individual Responsibilities in Shared Computing Environments [posted as PROVOST: Shared Computing] DEFINITIONS These definitions apply to these terms as they are used in this policy: *access capability* Authority granted to an individual which allows viewing of data residing in a computer system file. Access capability is generally managed through assignments of a user id and password. *administrative data* Any data related to the administration of Carnegie Mellon University. This includes data used by both the central administration and the administrative units of the various colleges and departments. *administrative systems and applications* Any computer system/application programming which supports administrative activities of the university. This includes systems or applications supporting both the central administration and the administrative units of the various colleges and departments. *campus-wide access information* Information intended for campus use and not for external distribution. Unauthorized distribution of this information to external sources by any university employee is considered an abuse of privileged information. *Administrative Computing Security Committee* Group appointed by the president and responsible for the administrative computing security environment at the university. The group reports to the Administrative Computing and Information Services Executive Steering Committee. *Data Security Officer* The employee responsible for evaluating and monitoring system access. Evaluates requests for access to application databases. *Data Owner* The employee responsible for the data in the system, e.g., a division or department head. Responsibilities include evaluating/approving requests for access to specific data or groups of data. *public information* Information that is available or distributed to the general public either regularly or upon request. *restricted information, moderately sensitive/highly sensitive* Information intended for use only by individuals who require that information in the course of performing their university responsibilities, or information protected by federal and state regulations. Requests for access to this information must be authorized by the applicable department head AND dean/division head. If restricted information is to be accessed across multiple divisions or university-wide, the applicable vice president(s) or the provost must authorize its access. *university* Carnegie Mellon University including its colleges, academic and administrative departments and research units. *update capability* Access capability which allows an individual to alter, add or delete data in a computer system file. *user id* Character string which identifies an individual to a computer system, enabling access and/or update capabilities. SECURITY ADMINISTRATION OWNERSHIP OF ADMINISTRATIVE DATA In order to control access and update capabilities, an individual residing in the user area responsible for the specific application will be designated as the Data Owner. This individual performs in a supervisory or managerial capacity and is responsible for the data residing in the designated system. The responsibilities of the Data Owner are to: * Ensure proper operating controls over the application in order to maintain a secure processing environment; * Ensure accuracy and quality of data residing in application; * Approve all requests for access to and update capability for the specific application; * Ensure system issues impacting the quality of data within the system are properly reported and adequately resolved. On an annual basis, the Data Owner and the Data Security Officer will review the current set of access and update capabilities granted to each individual on the system in order to ensure that no changes are necessary. TABLE 1 DATA OWNERS BY APPLICATION APPLICATION DATA TYPES DATA OWNER(S) -------------------------------------------------------------------------- Admissions, Graduate Prospects, Applicants, Dean, Graduate Schools Admitted Department Heads -------------------------------------------------------------------------- Admissions, Prospects, Applicants, Director, Admissions Undergraduate Admitted -------------------------------------------------------------------------- Budget Financial Asst VP Planning and Budgets -------------------------------------------------------------------------- Career Services Students Director, Career Center -------------------------------------------------------------------------- CIMFAS (Accounting) Financial Asst VP Finance -------------------------------------------------------------------------- Commencement Students Registrar -------------------------------------------------------------------------- Computer Billing Financial Director, Computer Services -------------------------------------------------------------------------- Degree Audit Students Department Heads -------------------------------------------------------------------------- FCE Faculty Registrar -------------------------------------------------------------------------- Financial Aid (SAMS) Student Financial Director, Information Financial Aid -------------------------------------------------------------------------- Food Services Students Director, Facilities Special Events -------------------------------------------------------------------------- Gift Accounting Alumni, Friends, Director, Development and Alumni System Corporations, Foundations Information Services -------------------------------------------------------------------------- Housing Students Dean of Student Facilities Affairs -------------------------------------------------------------------------- Human Resource Personnel, Applicants Asst VP Human Information System Salary, Appointments Resources Asst VP Finance -------------------------------------------------------------------------- Inventory Control Supplies Asst VP Business Services -------------------------------------------------------------------------- Work Order Management Facilities Maintenance Asst VP Facilities Mgt -------------------------------------------------------------------------- Parking Facilities Asst VP Business Financial Services -------------------------------------------------------------------------- PMS Facilities, Plans Asst VP, (Design/Construction) Facilities Mgt --------------------------------------------------------------------------Prope rty Management Capital Assets Asst VP Finance (PMIS) -------------------------------------------------------------------------- Student Accounts Tuition, Student Fees Cashier Receivable Asst VP Finance -------------------------------------------------------------------------- Space/Facilities Facilities Asst VP Finance Database -------------------------------------------------------------------------- Student Information Students Registrar Courses Facilities Records -------------------------------------------------------------------------- Telecommunications Facilities Director of Financial Computing Services -------------------------------------------------------------------------- University Personnel Asst VP Human Information System Students Resources Financial Registrar Budgets Asst VP Finance Asst VP Business Services -------------------------------------------------------------------------- STEWARDSHIP OF ADMINISTRATIVE DATA In addition to the Data Owner, others will process and handle data in the course of the administrative cycle. They too will be responsible for the security of the data. These individuals and divisions include: Data Security Officer The Data Security Officer is responsible for all systems-related security issues associated with a particular application. A Data Security Officer will be appointed by the Administrative Computing and Information Services Executive Steering Committee for each application and will act as the contact person for establishing, altering or deleting computer user ids and determining data access needs within a system. Administrative Computing and Information Services Administrative Computing and Information Services is responsible for the design, programming and maintenance of administrative applications. In designing or updating systems, Administrative Computing and Information Services must be aware of any security impacts of such designs and ensure that proper security control is programmed into each application to provide a secure computing environment and adequate protection of data. The Data Security Officer must convey application-specific security needs to Administrative Computing and Information Services. Computing Systems Computing Systems maintains and operates the equipment upon which most mainframe-driven, administrative applications reside. It is the responsibility of Computing Systems to ensure adequate physical security over such equipment, restrict equipment access to authorized personnel only, and adequately assure that output containing confidential information is properly safeguarded. Responsibilities also include maintenance of operating system-level security specific to the computing equipment under their jurisdiction. Administrative Computing Security Committee The Administrative Computing Security Committee, appointed by the president and accountable to the Administrative Computing and Information Services Executive Steering Committee, is responsible for the maintenance of a secure administrative processing environment at Carnegie Mellon. The committee formulates overall policy, addresses issues impacting computer security, and reviews situations involving violations of computer security policy. DATA ACCESSIBILITY Because different types of data require different levels of security, the university has classified data into four categories: Public Information, Campus-Wide Information, Restricted Information - Moderately Sensitive, and Restricted Information - Highly Sensitive. Each category is explained below. For detailed examples of accessibility by data type, see the Appendix, Table 2 [at the end of the post ACIS: Data Security.2, which follows]. _Public_Information_ is available or distributed to the general public either regularly or upon request. _Campus-Wide_Information_ is intended for campus use and not for external distribution. Distribution of this information to external sources by any university employee without proper approval is considered an abuse of privileged information. _Restricted_Information--Moderately_or_Highly_Sensitive_ is information intended for use only by individuals who require that information in the course of performing their university responsibilities or information protected by federal and state regulations. Requests for access to this information must be authorized by the applicable department head AND dean/division head. If restricted information is to be accessed across multiple divisions or university-wide, the applicable vice president(s) or the provost must authorize its access. In some instances, the president may be required to authorized access to restricted information. COMPUTING SECURITY PROCEDURES ESTABLISHING MINIMUM SECURITY MEASURES OPERATING SYSTEMS Operating Systems used for administrative computing will provide for, at a minimum, the following security features: * Discretionary access controls, where individual users can be included/excluded from accessing files and other objects or from achieving certain forms of access (READ, WRITE, EXECUTE, DELETE, CONTROL). * Prevention of disk scavenging (obtaining disk space that contains another user's data). * Notification to the data owner/computer operator/data security officer of security breaches (unauthorized attempts to access certain files or the system). Maintenance of an audit record of security events, as well as authorized or unauthorized file access. * Ability to audit changes to user id files and mounts/dismounts of disks and tapes. * Ability for idle terminals logged into applications to be disconnected after a 15-minute period. * An encryption system to provide a high level of security for sensitive data transmission files. * Login features such as - Automatic disconnection on multiple login failures - Break-in detection and disabling user ids for a period of time after detection - Automatic id expiration - Access restrictions based on user id, time of day and day of week - Control over dial-up or network access to restricted data and systems DATABASE MANAGEMENT SYSTEMS Database management software used in administrative application development will have the following features: * Ability to designate the database "private" or "public" * Access capabilities which can be restricted at the table and field levels * Access capabilities which can be restricted based on user, time of day, day of week * Audit trails/journals which record important system activity * Control checkpoints APPLICATIONS Applications developed in-house or purchased from a third party will be examined to determine: * Security features used by the software (such as secondary passwords, captive user ids, etc.) * Security enhancements or improvements needed to meet acceptable security levels. * Interaction with other systems and related security implications. The Data Security Officer and Administrative Computing and Information Services should examine application-level security on a system-by-system basis. Because of the complex interaction with other applications, the operating system, the underlying databases, as well as the needs of the user community and the nature of the data, there are many intervening factors which preclude an overall policy for application-level security. The security features of any new software will always be considered a priority in the selection and development of such software. NETWORK Interactive access to applications occurs in two ways: * Terminal attachment to systems via a local area network * Direct attachment to the serial lines Terminals attached via networks are susceptible to monitoring and their passwords are insecure. The local area network must be physically secure or the login process must transmit only encrypted passwords for the network. ESTABLISHING BACKUP AND RECOVERY PROCEDURES Backup and recovery procedures must be developed and maintained for all administrative computing systems and data. The following requirements must be met: * Provisions for regular backup of data residing on the system. * Storage of backup media at a location remote from the processing center. * Approved Disaster Recovery Plan written and implemented to cover situations in which hardware and/or software cannot run in its normal environment. The Data Security Officer should periodically review backup and recovery procedures to ensure their continued applicability. PROTECTING AND MANAGING PASSWORDS Passwords are a critical component to any computer security program. To properly control passwords and maintain their integrity, the guidelines below will be followed: * Passwords will automatically expire every 90 days, or more frequently in cases of user ids with access to very sensitive data. * Users must never give out their personal password to anyone; sharing of passwords is a violation of this policy. * As part of the educational process, the Data Security Officer will provide users with guidelines for selecting and changing their passwords. * A password monitoring program will run weekly to check for _insecure_ passwords. For example, the program would check to see if the user's first, last or middle name, user id, or other common words like "system," are used as passwords. If a user is found to have an insecure password, the program will notify them to change it. If the password has not been changed within one week, the user will again be notified, and the Data Security Officer will also be notified. _Generic_ user ids will not exist, except as the source for the production, maintenance, and development of application systems. In cases where many people log in under a single user id, audit trails and system statistics become ineffective in assigning responsibility. Appropriate operating system security alarms will be activated, and available auditing tools will be in use. MANAGING SYSTEMS FOR EMPLOYEE TURNOVER When an employee terminates employment with a department or the university, follow the guidelines below. * Immediately change or remove the passwords for those user ids to which an employee leaving the university has had access or update capabilities. This standard practice serves to protect the employee in the event of any problems and the university systems against possible tampering. Monitoring such user ids is primarily the responsibility of user area management, with assistance from the Data Owner and the Data Security Officer. * When an employee's termination is processed by the Human Resource Information System, the Computer Billing System will automatically receive notification. Upon receiving this notification, the user id will be suspended, and the Data Security Officer will be alerted so that any necessary files may be retrieved and the user id is deleted. Reinstatement will require the same level of authorization as establishing a new user id. ********************************************************************** [Please see the next post, ACIS: Data Security.2, for the remainder of this policy.] ********************************************************************** ------------------------------------- Continued from ACIS: Data Security.1: ------------------------------------- USER SECURITY PROCEDURES REQUESTING AUTHORIZATION FOR ADMINISTRATIVE DATA ACCESS CAPABILITIES If you wish to gain access to administrative data, follow the steps below: 1. Complete a "Request for Data Access" form (Exhibit A [not included in this posting]). Make sure that you and your immediate supervisor have signed the form. This form certifies that access to the specific application or data sets is related to the completion of your work responsibilities. 2. Send the form to the Data Owner who reviews the form and evaluates the request with respect to the data that will be made available. *If your request is approved by the Data Owner* 1. The Data Owner signs the form as evidence of approval. 2. The form is forwarded to the Data Security Officer. 3. The Data Security Officer reviews the form and ensures that the action to be taken will not breach data security from a systems perspective. The Data Security Officer is also responsible for identifying the most appropriate method of granting your request. 4. Upon approving the request, the Data Security Officer will initiate the proper action through either the Accounts Coordinator or Administrative Computing and Information Services to physically set up your user id on the specific system and/or application. 5. Once this process has been completed, you will receive a new user id and password, along with the original request form and any necessary instructions. *If your request is denied by the Data Owner or the Data Security Officer* 1. The form will be returned to you with an explanation of the reason(s) for rejection. 2. If you have been denied access, you may appeal to the Administrative Computing Security Committee for review. The judgment of the committee is final in all cases. REQUESTING ACCESS TO RESTRICTED INFORMATION 1. Requests for access to restricted information for a department or a division must be authorized by the applicable department head and dean/division head. 2. Requests for access to information for multiple divisions or university-wide must be signed by the provost or appropriate vice president. Authorization is to be granted to employees who have job responsibilities requiring the information requested. 3. State whether you require one-time access or continual access. REQUESTING AUTHORIZATION FOR ADMINISTRATIVE DATA UPDATE CAPABILITIES Sometimes when you request authorization to access data, you may also want to request the ability to update data within an administrative application. The responsibility for approving such capabilities rests solely with the Data Owner. In general, such update capabilities are to be limited to individuals working in the organizational area(s) supported by the specific application or system, e.g, only Payroll Office and Benefits Office staff members may update data within the Human Resource Information System. It is important to emphasize that data update capabilities will be limited to those who require the capabilities to successfully meet their job responsibilities. The Data Security Officer ensures that update capabilities are made available only to authorized users and that data not authorized for update will be satisfactorily protected. When new applications are being developed or significant changes are being made to existing systems, general guidelines will be established to define who should have data update capabilities. *If you are denied data update capabilities* You can appeal that decision to the Administrative Computing Security Committee. The decision of the committee in these cases is final. DISTRIBUTING ADMINISTRATIVE INFORMATION Just as you must exercise care in granting access or update capabilities to administrative data/systems, such care must also be extended to the distribution of administrative information generated by the university's administrative systems. The Data Owner is responsible for determining: * What data within administrative systems are appropriate for distribution. * The audience for distribution. * The methods and timing of distribution. The Data Owner MUST ensure that: * The information distributed is in compliance with any regulatory requirement (e.g., Buckley amendment) or university policy (e.g., employee salaries are not made available to the public). * The distribution methods or non-system data storage (i.e., paper or diskettes) provide adequate security over the information contained on the particular media. The Data Security Officer provides assistance in coordinating security measures over data distribution with Computing Systems and Administrative Computing and Information Services personnel. MAINTAINING CONFIDENTIALITY OF RESTRICTED DATA In the course of accessing data or information, you might access restricted information within the particular database. It is the responsibility of the Data Owner to ensure that all individuals with access to restricted data are aware of the confidential nature of the information and the limitations, in terms of disclosure, that apply. * When accessing restricted information, you are responsible for maintaining its confidentiality. The granting of a user id and password assumes that you will maintain confidentiality over appropriate information without exception. * The release of restricted data without the express approval of the Data Owner or outside the guidelines established for such data will not be tolerated. * Unauthorized release of restricted information will result in appropriate disciplinary action, including possible dismissal. Review of such cases will be the responsibility of the Administrative Computing Security Committee, which will recommend the appropriate action to university management. All matters involving university employees will be reviewed with the assistant vice president for human resources and/or the provost. Matters involving students will be reviewed with the dean of student affairs. Matters involving individuals not affiliated with the university will be reviewed with the university attorney. REPORTING DATA SECURITY BREACHES If you are aware of possible breaches in administrative data/computer security, you are strongly encouraged to report such occurrences to the Administrative Computing Security Committee. Such reports will be held in strict confidence and promptly investigated by the committee. Likewise, Data Owners and Data Security Officers are responsible for reporting security breaches identified during the course of their responsibilities to the Administrative Computing Security Committee. Upon notification of possible security breaches, the Administrative Computing Security Committee will investigate all facts related to the situation and recommend appropriate disciplinary action to university management. All matters involving university employees will be reviewed with the assistant vice president for human resources and/or the provost. Matters involving students will be reviewed with the dean of student affairs. Matters involving individuals not affiliated with the university will be reviewed with the university attorney. ENFORCING PENALTIES FOR UNAUTHORIZED DATA ACCESS OR DISCLOSURE All individuals with responsibility over or access to administrative data at Carnegie Mellon are expected to follow the policies and procedures in this document and to exercise discretion with regard to such information. Any university employee, student or non-university individual with access to administrative data who engages in unauthorized use, disclosure, alteration or destruction of data in violation of this policy will be subject to appropriate disciplinary action, including possible dismissal and/or legal action. The following steps will be taken: 1. Upon the identification of a potential breach of security or a misuse of information, the Administrative Computing Security Committee will meet to review the specific situation. 2. The Committee will present a recommendation to university management for action. All matters involving university employees will be reviewed with the assistant vice president of human resources and/or the provost. Matters involving students will be reviewed with the dean of student affairs. Matters involving individuals not affiliated with the university will be reviewed with the university attorney. RESPONSIBILITIES The following table shows the responsibilities each party has in connection with this policy. *You* (individual requesting access) - Complete "Request for Data Access" form. - Get required signatures for form. - Use system, application and data responsibly. - Maintain data confidentiality of restricted data. - Report incidents of possible security breaches. *Administrative Computing Security Committee* - Reports to the Administrative Computing and Information Services Executive Steering Committee. - Ensures maintenance of a secure processing environment. - Recommends university policy regarding administrative data and computer security. - Addresses issues impacting computer security. - Reviews situations involving violations of computer security policy. *Administrative Computing and Information Services* - Designs, programs, tests, and/or maintains administrative applications. - Analyzes security impacts of programs. - Ensures that proper control is built within a system to provide a secure computing environment and to protect data. *Administrative Computing and Information Services Executive Steering Committee* - Appoints Data Security Officers. *Computing Systems* - Operates the equipment on which most of the administrative applications reside. - Ensures adequate physical security over the equipment. - Ensures proper processing of administrative applications within user-established timetables. - Assures that output containing restricted information is properly safeguarded. - Maintains security at operating system level specific to the various types of machinery. *Data Owner* - Determines what data are appropriate for distribution and update. - Ensures proper operating controls over the application to maintain a secure processing environment. - Ensures accuracy and quality of data residing in application. - Approves all requests for access to and update capability for the specific application. - Ensures system issues impacting the quality of data within the system are properly reported and adequately resolved. - Reviews annually, in conjunction with the Data Security Officer, the current set of access capabilities granted to all individuals on the system to ensure that the status is current and accurate and that no changes are necessary. *Data Security Officer* - Evaluates and controls all system access. - Acts as contact person for the establishment, alteration or deletion of computer user ids and data access needs within a system. - Evaluates and resolves all systems-related security issues for a particular application. - Provides guidelines for system security, e.g., changing passwords. - Reviews annually, in conjunction with Data Owner, the current set of access capabilities granted to all individuals on the system. *Department Head/Supervisor* - Communicates specific security needs to Administrative Computing and Information Services. - Communicates employee terminations and status changes immediately to Data Security Officer to ensure proper deletion/revision of user ids, access and update capabilities to administrative applications. CONTACTS Questions about information in the Data and Computer Security Policy should be directed to the following people: Contact Telephone Electronic Mail Address ------- --------- ----------------------- Asst VP Administrative (412) 268-3888 LB1Z@ANDREW Computing and Information Services Hours 8:30AM to 5:00 PM EXHIBITS The following exhibits are examples of "Data Request Forms" for different systems and applications: * Template * UIS - Employee Information * UIS - Student Information [Editor's note: Exhibit section has been deleted from this post.] APPENDIX The following table lists the different data types and their accessibility status. Data types are explained in detail in Table 3. TABLE 2 ACCESSIBILITY OF DATA BY TYPE Data Public Campus-Wide Restricted, Restricted, Type Information Information Moderately Highly Sensitive Sensitive -------------------------------------------------------------------------- Employee Government University Appointment EEO Data forms Information Information Information requiring by employee salary data; Non-salary (IRS Form 990) -related Salary benefits Information enrollment by employee information Termination Biographical /Disability Information Information by employee Employee Information Salary Surveys --------------------------------------------------------------------------Unive rsity Annual Internal Financial data None Finances Reports Annual by operating unit Reports Quarterly Reports -------------------------------------------------------------------------- Facilities None Building Use Building None Information Maintenance (Fact Book) Information Building Floor Plans -------------------------------------------------------------------------- Students Directory None Biographical Financial Information as Information Aid identified in Information the university Academic policy on Information Parent's "Privacy Rights Financial of Students" Information Student Accounts Receivable Information Student's Payment Information Career Service Information -------------------------------------------------------------------------- Alumnae(i) None None Biographical Gift and and Friends Information Pledge Information Financial Information Employment Information Biographical Information for Friends -------------------------------------------------------------------------- Education Programs Faculty Instructor None and Offered Course Information Instruction Evaluation Degrees Results Offered Courses Scheduled -------------------------------------------------------------------------- Research None None Proposal None Activities Information -------------------------------------------------------------------------- TABLE 3 EXAMPLES OF DATA TYPES SPECIFIC INFORMATION PER DATA TYPES DATA ABOUT EMPLOYEES *Appointment Information - Non-salary-related* -Appointment Begin Date/End Date -Change Type -Entry Date -Department Number -Budget Line Number -% Full-Time/Normal Hours -Work Study Indicator -Authorized Centers -Contractual Joint Appointment Indicator/% -Primary Appointment Indicator -Directory Indicator -Courtesy Indicator *Benefits Enrollment/De-enrollment Information* -Plan Name/Subplan Name/Coverage -Dependent Information *Biographical Information* -Social Security Number -Name -Birth Date -Marital Status -Home Address -Home Phone -Directory Indicator *EEO Information* -Race -Sex -Veteran Information -Disability Information *Employee Information* -Full-Time/Part-Time Status -Employment Status -Relationship -Employment Date -Leave of Absence Type -Leave of Absence Begin Date/End Date -Tenure Code and Date -Union Code and Seniority Date -Visa Type -Visa Country -Visa Expiration Date *Salary Information* -Tax Type -Salary Amount -Amount Type -Pay Method -Shift Differential 2/3 -Check Distribution Number -Budgeted Salary -Salary Grosses, Taxes and Net Pay -Salary Deductions/Reductions -Distribution Information -Direct Deposit Information -Job Class Code/Name *Termination/Disability Information* -Termination Date -Termination Type -Disability Type *University Information* -Directory Title -Home Department Name/Number -PAN Mailing Department Name/Number -University Address -University Phone -Computer ID DATA ABOUT FACILITIES *Building Use Information* -Building Description -Floor -Room Number -Use Code -Detail Code -Area (sq footage) -Departments Controlling Space -Program Classification Codes -Percentage Splits - Department or Program Classification Codes *Building Maintenance Information* -Maintenance Work Performed -Work Order Costing -Work Order Charges DATA ABOUT STUDENTS *Biographical Information* -Social Security Number -Student Name -Address -Birthdate -Sex -Race -Parent Information *Academic Information* -Courses Taken -Grades -QPA -Standardized Test Scores *Financial Information* -Charges -Payments -Parent Financial Information -Financial Aid -Housing Information -Food Services Information *Career Services Information* -Career Interests -Employment Qualifications -Employment Plans -Positions Offered -Salaries Offered DATA ABOUT ALUMNAE(I) AND FRIENDS *Biographical Information* -Social Security Number -Name -Address -Marital Status -Spouse Name *Financial Information* -Employer -Salary -Gifts to University -Pledges to University DATA ABOUT EDUCATION AND INSTRUCTION *Course Schedule Information* -Course -Section -Instructor -Units -Restrictions *Instructor Information* -Social Security Number -Name -Teaching Load -Faculty Course Evaluations DATA ABOUT RESEARCH ACTIVITIES *Proposal Title* *Principal Investigators* *Date of Funding* *Amount and Distribution of Funding* *Duration of Funding* *Subject Information* [Index deleted]