Information Technology Security Policy

Purpose

The University's policy is to protect the IT Resources' confidentiality, integrity, and availability commensurate with their risk and value while maintaining accessibility.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

• In alignment with the University's strategic plan and oversight from the Board of Trustees, the Information Risk Management Board (IRMB) and the Associate Vice President for IT/Chief Information Security Officer (AVP/CISO) are responsible for approving and ensuring compliance with this policy.
• The University must:
  • Integrate information security principles into all aspects of the University's activities.
  • Ensure that reasonable security policies, standards, controls, processes, practices, and procedures are established and maintained to safeguard IT Resources.
  • Follow a risk-based approach to protect the assets' confidentiality, integrity, and availability as business needs and IT Resources change.
  • Operate IT security activities effectively, responsibly, and ethically, complying with all global, federal, state, and local laws and regulations.
• By upholding confidentiality, integrity, and availability, Information Security and Assurance (ISA) must:
  • Secure IT Resources from unauthorized access and alterations.
  • Ensure IT Resources are available to authorized Users.
  • Maintain an information security program aligned with the University IT risk posture that develops, deploys, and supports reasonable security policies, processes, practices, procedures, guidelines, and technologies to protect IT Resources.
  • Provide training to support this policy.
  • Coordinate with the Incident Response Team (IRT) in response to information security incidents, violations, or crimes arising from or relating to the misuse of IT Resources.
  • Work with Public Safety in conducting investigations, preparing reports for the authorities, and supporting authorities conducting their investigations.
• The University's Vice Presidents and Deans are responsible for championing this policy's information security practices in their departments and schools by supporting recommendations by the AVP/CISO.
• Users must safeguard IT Resources when using, accessing, and interacting with them.

Definitions

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Related Policies and Procedures

Acceptable Uses of IT Infrastructure and Resources

Implementation Information

 Revision History