Information Technology Security Policy

Version 1.2

For Students, Faculty, Staff, Guests, Alumni

Purpose

The University's policy is to protect the IT Resources' confidentiality, integrity, and availability commensurate with their risk and value while maintaining accessibility.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

In alignment with the University's strategic plan and oversight from the Board of Trustees, the Information Risk Management Board (IRMB) and the Associate Vice President for IT/Chief Information Security Officer (AVP/CISO) are responsible for approving and ensuring compliance with this policy.
The University must:
- Integrate information security principles into all aspects of the University's activities.
- Ensure that reasonable security policies, standards, controls, processes, practices, and procedures are established and maintained to safeguard IT Resources.
- Follow a risk-based approach to protect the assets' confidentiality, integrity, and availability as business needs and IT Resources change.
- Operate IT security activities effectively, responsibly, and ethically, complying with all global, federal, state, and local laws and regulations.
By upholding confidentiality, integrity, and availability, Information Security and Assurance (ISA) must:
- Secure IT Resources from unauthorized access and alterations.
- Ensure IT Resources are available to authorized Users.
- Maintain an information security program aligned with the University IT risk posture that develops, deploys, and supports reasonable security policies, processes, practices, procedures, guidelines, and technologies to protect IT Resources.
- Provide training to support this policy.
- Coordinate with the Incident Response Team (IRT) in response to information security incidents, violations, or crimes arising from or relating to the misuse of IT Resources.
- Work with Public Safety in conducting investigations, preparing reports for the authorities, and supporting authorities conducting their investigations.
The University's Vice Presidents and Deans are responsible for championing this policy's information security practices in their departments and schools by supporting recommendations by the AVP/CISO.
Users must safeguard IT Resources when using, accessing, and interacting with them.

Definitions

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.

Related Policies and Procedures

Acceptable Uses of IT Infrastructure and Resources

Implementation Information

Review Frequency	Triennial
Responsible Person	Senior Director, IT Security Operations and Assurance
Approved By	CISO
Approval Date	May 22, 2018

Revision History

Version	Date	Description
1.0	05/23/2017	Initial policy
1.0.1	05/22/2018	Updates to disclaimer statement, definitions, and scope
1.1	07/15/2020	Updated policy statement
1.2	09/21/2023	Updated purpose, scope, policy disclaimer, and policy statement

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.