IT Policy on Policies
Version 1.2
Purpose
This policy defines how policies regarding information security are developed at Fordham University.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- All IT policies must comply with University policies and contractual or regulatory requirements related to data security.
- All IT policies must be developed following the Procedure on Developing IT Policies.
- All IT policies must have a “Responsible Person.” This person is in charge of the authoring of the policy and its review. This person must be Director level or higher.
- All IT policies must have a review frequency of no less than semiannually and no more than two years.
- All IT policies must obtain the proper approvals to be valid. The AVP/CISO is responsible for all policies that directly impact Fordham IT.
- Policies that only impact Fordham IT directly require approval from the AVP/CISO.
- Policies that impact any party outside of Fordham IT must also receive the approval of the Office of Legal Counsel.
- All IT policies and related procedures must use the templates provided by the Director of IT Risk and Data Integrity or have been approved by the AVP/CISO.
- Procedures that are issued with a policy must follow the same approval process as their associated policy.
- Subsequent changes to procedure, if deemed minor, only require the approval of the Director of IT Risk and Data Integrity.
- Subsequent changes to the policy, regardless of scope, must obtain AVP/CISO approval or Legal Counsel approval as required when initially issued.
Related Policies and Procedures
- Acceptable Use of IT Infrastructure and Resources Policy
- Procedure on Developing IT Policies
- Procedure on Developing IT Procedures
Implementation Information
Review Frequency: | Annual |
---|---|
Responsible Person: | Director, IT Risk and Data Integrity |
Approved By: | CISO |
Approval Date: | June 1, 2016 |
Revision History
Version: | Date: | Description: |
---|---|---|
1.0 | 06/01/2016 | Initial document |
1.0.1 | 05/23/2017 | Updated disclaimer and scope |
1.1 | 08/14/2019 | Updated policy statement |
1.2 | 03/23/2020 | Updated policy statement |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to UISO written policies may be met with University sanctions.