Data Protection

1. Policy

Issued: May 3, 2019 
Last Revised: July 31, 2025  
Last Reviewed: July 31, 2025  

Applies to: Faculty (including part-time, adjunct and visiting faculty), postdoctoral scholars, staff and students (including graduate/undergraduate student workers and graduate assistants) employed by the University of Southern California (“USC” or the “University”), including those working for the University’s health system (“USC Employees”); third parties, including vendors, affiliates, consultants, and contractors, when using USC-Owned Technology Resources; iVIP (guests with electronic access); and any other users of USC-Owned Technology Resources, including retirees, independent contractors, or others (e.g., temporary agency employees) who may be given access to University systems on a temporary basis. This policy continues to apply to individuals who are on sabbatical or other leaves, or who are visiting other institutions.

2. Policy Purpose

This Data Protection policy establishes the cybersecurity expectations for University of Southern California (“USC”) data.

3. Scope and Application

This policy identifies the minimum requirements for safeguarding USC data for all USC departments, schools, and units (DSU), inclusive of Keck Medical affiliates, retirees, emeriti, consultants, and others who have access to USC technology resources, including USC email, as well as any other users of the USC network infrastructure, including independent contractors or others (e.g., temporary agency employees) who may be given access to University systems on a temporary basis.

4. Definitions

For additional definitions and terms, see the USC Cybersecurity Policies Terms and Glossary.

Term / Definition

Academic Need
  An academic need supports a scholarly purpose, including but not limited to research, academic assignments, and any activities required to complete USC coursework.

Business Need
  A business need supports a financial or other legitimate operational purpose, including but not limited to payroll, human resources, operations, and other business management functions.

Confidential
  Data that includes regulated or sensitive information requiring compliance efforts if accessed by unauthorized parties, or which could cause legal, financial, reputational, or operational harm if disclosed. “Confidential” data includes, but is not limited to:
  • All information safeguarded by the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Family Education Rights Privacy Act (FERPA), and the California Financial Information Privacy Act (CFIPA)
  • Nonpublic Personal Information (NPI)
  • Regulated Personally Identifiable Information (PII)
  • Special communications indicated as Attorney-Client Privilege
  • Trade Secrets
  • USC Business Financials and Business Strategy
  Other data and information may be classified as Confidential if doing so is in USC’s best interest.

Confidential-Controlled Data
  Confidential-Controlled Data is a subcategory of Confidential Data that applies to any unclassified data designated by a government agency as Controlled Unclassified Information (CUI), or data of an equivalent or higher level of sensitivity. This includes Covered Defense Information, including Controlled Technical Information (CTI), and any other information that has military or space application where the data provider (e.g., a research sponsor) has imposed safeguarding or dissemination controls for reasons of national security. This subcategory does not include classified information, which is outside the scope of this policy.

Data Owner
  Individual or Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Data Security Addendum (DSA)
  A legal document used during the procurement process that is designed to safeguard and limit the unauthorized disclosure and use of personal information and proprietary technical data between a vendor and USC.

Electronic Media
  Electronic media (i.e., “soft copy”) are devices that contain memory storage, such as hard drives, random access memory (RAM), read-only memory (ROM), discs, and flash memory. Equipment that contains such devices, including phones, mobile computing devices, networking devices, and any other type of device that stores information, is also electronic media.

Hard Copy Media
  Hard copy media are physical representations of information, most often associated with paper printouts.

High Value Asset (HVA)
  USC information systems that create, process, transmit, or store High Value Information (HVI).

High Value Information (HVI)
  Data that, if inappropriately disclosed, accessed, used, disrupted, modified, or destroyed, could cause significant impact, as defined by the Information Risk Standard, to USC’s reputation and public confidence. High Value Information (HVI) could be Confidential, Internal Use Only, or Public data. “High Value Information (HVI)” includes, but is not limited to:
  • Confidential student personally identifiable information combined with academic performance details
  • Confidential Title IX case information
  • Publicly available historical information that may be the only data set like it in the world

Internal Use Only
  Data that includes all information used to conduct USC business, unless categorized as “Confidential” or “Public”. The “Internal Use Only” classification includes, but is not limited to:
  • Non-regulated Personally Identifiable Information
  • In-process contracts and agreements
  • Employee performance evaluation information
  • Audit reports
  • Network diagrams
  • Non-public USC policies
  • Information involving USC strategy and implementation plans
  • Internal USC memos and emails
  • USC and employee ID numbers

Public Data
  Data that is not regulated, is generally made available through public interfaces, and requires no safeguarding mechanisms. “Public” data includes, but is not limited to:
  • USC community memos
  • Marketing and promotional materials
  • Academic calendars
  • Course catalogs
  • Advertising material
  • Public web content and media
  • Press releases
  • Public announcements
  • Public relations documents
  • Campaigns and outreach
  • Job postings

Third Party
  Any outside individual or entity who is not a university student, faculty member, or staff employee and who contractually interacts with or on behalf of USC. This includes but is not limited to vendors, consultants, contractors, and research and business partners.

USC-Owned Technology Resources
  Technology resources owned, licensed, or developed by USC, including but not limited to: network-based communication services (USC networks, email accounts, instant messaging platforms, and cloud-based repositories); USC-issued computers and electronic devices (desktops, laptops, mobile phones, tablets, servers, satellite phones, and pagers) purchased or leased using university funds; and any USC-developed or licensed software.

5. Policy Details

Objective 

The objective of this policy is to establish security requirements for all information accessed, handled, created, captured, collected, shared, or disposed of by USC; all information contained on USC-owned media or transmitted by USC; and all information that USC has a legal or contractual obligation to safeguard.

Policy Requirements

5.1 – All information should be classified into one of the three defined classes: “Public”, “Internal Use Only”, or “Confidential”, unless required otherwise by regulatory agencies.

5.2 – System Owners will ensure “Internal Use Only” data will be masked, anonymized, or de-identified, if used outside its intended purpose. 

5.3 – System Owners will ensure “Confidential” data will be masked, anonymized, or de-identified, if used outside its intended purpose.

5.4 – Data Owners will review the information classification of their data on an annual basis.

5.5 – Data Owners are responsible for ensuring the appropriate administrative, physical and technical safeguards are in place when using, storing, transmitting, or sharing information. 

5.6 – Data Owners will ensure individuals who have access to “Confidential” and “Confidential-Controlled” information have taken targeted cybersecurity training as defined in the Cybersecurity Awareness Training Policy. This is in addition to any other education or training that may be required by the party providing the data to the Data Owner, or by USC under other policies.

5.7 – Data Owners are responsible for the sanitization and disposal process of assets containing data and will document that the process is completed. Data destruction and retention will comply with USC’s Records Management Policy and the appropriate use, retention, and destruction practices of that policy. 

5.8 – Data Owners will verify all hard copy media are appropriately destroyed when no longer needed.

5.9 – Data Owners will verify all electronic media/soft copies are securely disposed of when no longer needed.

5.10 – Data Owners will verify all data is properly and completely removed from electronic media before disposal or re-deployment of the media.

5.11 – All data shall only be retained for as long as it meets an Academic or Business Need and in compliance with USC’s Records Management Policy.

5.12 – Covered Individuals will purge emails containing personally identifiable data reports in compliance with USC’s Records Management Policy and will not store such emails beyond 16 months.

6. Procedures

N/A

7. Forms

N/A

8. Responsibilities

Position or Office / Responsibilities

USC Office of Cybersecurity
  1. Develop and review exceptions to the policy
  2. Monitor activity relative to the policy requirements, and provide periodic communications and training designed to support the policy and related procedures, as needed

USC Personnel
  1. Understand and comply with this policy
  2. In any situation where it is not clear whether the actions being contemplated are permitted, seek guidance from their supervisor or the USC Office of Cybersecurity

SVPs, Deans, Department Chairs and Supervisors/Managers of departments, schools, and units
  1. Set expectations with USC Personnel to comply with this policy

9. Related Information

Compliance Measurement 

The USC Office of Cybersecurity and the Office of Audit Services will collectively monitor compliance with this policy, USC’s cybersecurity policies and standards, and applicable federal and state laws and regulations using various methods, including but not limited to periodic policy attestations. Compliance with cybersecurity policies will be monitored regularly in conjunction with USC’s monitoring of its cybersecurity program. Audit Services will conduct periodic internal audits to ensure compliance.  

Exceptions 

Any requested exceptions to the policy will be submitted to secgovrn@usc.edu and evaluated in accordance with the decision criteria defined in the USC Office of Cybersecurity’s issues and exceptions management processes.

Non-Compliance 

Violation of this policy may be classified as serious misconduct, which is grounds for discipline in accordance with the Faculty Handbook, staff employment policies, and the Student Handbook, as appropriate. Any disciplinary action under this policy will consider the severity of the offense and the individual’s intent, and could include termination of access to the USC network, USC systems and/or applications, as well as employment actions up to and including termination, and student disciplinary actions up to and including expulsion.

10. Contacts

Please direct any questions regarding this policy to:

Office: USC Office of Cybersecurity
Email: trojansecure@usc.edu