Skip to main content

Information Technology Security Policy

Version 1.0.1

Purpose

It is University policy to reasonably and appropriately protect the confidentiality, integrity, and availability of the University’s IT Resources commensurate with their risk and value while at the same time maintain accessibility.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • You are responsible for safeguarding IT Resources which you use, access, and interact with, even if you do not have responsibility for managing them.
  • The University integrates information security principles into all aspect of the University's activities.
  • The University ensures that reasonable security policies, standards, controls, processes, practices, and procedures are established and used to manage information security issues and safeguard IT Resources.
  • The University follows a risk-based approach to protect the confidentiality, integrity, and availability of the assets as business needs and the IT Resources change.
  • The University operates IT security activities effectively, responsibly, and ethically, complying with all Federal, State, local laws, and regulations.
  • University policies and applicable agreements binding the University to ensure this policy is consistently applied and monitored through the University Information Security Office (UISO).
  • The UISO is responsible for the development and maintenance of this policy with consultation from the Office of Legal Counsel (OLC).
  • With oversight from the Board of Trustees, the University-wide Information Risk Management Board (IRMB), and in alignment with the University’s strategic plan, the Associate Vice President, Chief Information Security Officer (AVP-CISO) is responsible for approving and ensuring ongoing compliance of this policy.
  • The University’s Vice Presidents and Deans are responsible for championing this policy’s information security practices in their respective departments and schools and supporting any substantive revisions as recommended by the AVP-CISO.
  • The UISO is responsible for ensuring the IT Resources are secure from unauthorized access (to maintain appropriate confidentiality), unauthorized alterations (to maintain integrity), and available to authorized users (to maintain availability) enabling the University to meet its mission in an effective and timely manner.
  • The UISO is responsible for establishing and maintaining an information security program aligned to IT risk that includes developing, deploying, and maintaining reasonable security policies, processes, practices, procedures, guidelines, and technologies to protect IT Resources.
  • The UISO ensures the information security program:
    • complies with applicable laws, regulations, and University policies,
    • reviews and updates, as necessary, this and other related IT security policies,
    • will assist with training to support this policy.
  • The UISO coordinates with the Incident Response Team (IRT) in response to information security incidents, violations, or crimes committed under this policy.
  • The Department of Public Safety is responsible for working with UISO, for conducting investigations, for preparing reports for the appropriate authorities and providing support to authorities conducting their investigations.
  • Users should understand that the University does not guarantee the privacy of data and should seek further guidance from the UISO if they are unsure of their responsibilities under this policy.
  • The University’s IT Resources must not be used for non-University purposes without prior approval.
  • The OLC will provide legal guidance to this policy.

Definitions

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Acceptable Uses of IT Infrastructure and Resources

Implementation Information
Review Frequency Annual
Responsible Person Director, IT Risk and Data Integrity
Approved By CISO
Approval Date May 22, 2018
Revision History
Version Date Description
1.0 05/23/2017 Initial published policy
1.0.1 05/22/2018 Updates to disclaimer statement, definitions, and scope

Policy Disclaimer Statement:

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.