Fayetteville Policies and Procedures 926.0

Data Loss Prevention

  1. Overview
    Data loss prevention (DLP) is a set of policies intended to prevent the loss or exposure of university data. DLP includes alerts, encryption, and other protective actions to prevent users from accidentally or maliciously sharing data that could put the university at risk. 

  2. Purpose
    Data loss prevention is a way for the university to screen, identify, and reduce the accidental or intentional release of sensitive data found in emails and files. To comply with business standards and industry regulations, it is important that the university protect data to prevent loss of confidentiality, integrity, and availability. 

  3. Scope
    Data loss prevention is applicable for all university data stored, processed, or passing through university-owned or managed systems and applications. 

  4. Definitions
    1. Sensitive data: All data classification levels above Public. See Fayetteville Policies and Procedures (FPP) 921.0 Data Classification for further clarification. These levels require data security and DLP policies to protect this data against loss of confidentiality, integrity, and availability.
    2. Data identification: The process of detecting Restricted, Highly Sensitive, or Sensitive (Internal) data, as defined in 921.0 Data Classification, and labeling the data accordingly.

  5. Policy
    1. Data Loss Prevention Methods
      The university has technical controls in place to prevent the loss of confidentiality, integrity, and availability of university data at rest or in motion. The methods used to prevent the loss of data include:
      1. Monitoring system activity without alerting the user
      2. Showing a pop-up policy tip that warns the user that they may be trying to share a sensitive item inappropriately
      3. Blocking sharing, allowing the user to override the block, and capturing the user’s justification message
      4. Blocking sharing without the option to override
    2. Data Identification
      University users are responsible for being aware of the classification and controls of data they are accessing, using, modifying, or storing. See FPP 921.0 Data Classification and FPP 922.0 Data Management, Use, and Protection.
    3. Data loss prevention policies screen data in transmission and in storage for, and seek to address, the following:
      1. Numbers and characters that could represent:
        1. Social Security numbers
        2. Student and employee ID numbers
        3. Personally Identifiable Information (PII) as defined in 921.0 Data Classification
        4. Driver’s license numbers
        5. Bank account information, including the routing number or the account number
      2. Other data classified above Public in 921.0 Data Classification
    4. This policy applies to data at rest and data in motion. Locations where data loss prevention is applied:
      1. Email
      2. Shared cloud-based file storage
      3. Chat and channel messages
      4. Supported operating systems
      5. On-premises and cloud repositories

  6. Reporting and Addressing Suspected Violations
    Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement
    Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices (Code of Computing Practices | VCFA | University of Arkansas, uark.edu).

  8. Exemptions
    Exemptions from this policy must be approved. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.

  9. References
    1. NIST SP (Special Publication) 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations | CSRC (nist.gov)
    2. FPP 921.0 Data Classification | VCFA | University of Arkansas (uark.edu)

August 8, 2022