IT Security Policy on Policies
Version 1.5
For Students, Faculty, Staff, Guests, Alumni
Purpose
This policy defines how IT security policies regarding information technology are developed at Fordham University.
Scope
This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
-
All policies must be developed following the Procedure on Developing IT Security Policies.
-
All policies must have a “responsible person” assigned to the policy. This person is in charge of authoring the policy and its review. This person must be at the director level or higher.
-
All policies must have a review frequency of no less than one year and no greater than three years.
-
All policies must obtain the proper approvals to be valid.
-
The AVP/CISO is responsible for all policies related to information security and the University’s IT Resources.
-
Policies may also require approval from the Office of Legal Counsel (OLC).
-
All policies and related procedures must use the templates provided by the Senior Director of IT Security and Assurance or have been approved by the AVP/CISO and CIO approval, as applicable.
-
Initial procedures issued with a policy must also follow the same approval process as its associated policy.
-
Significant changes to policies, regardless of scope, must obtain AVP/CISO and CIO approval, as applicable.
-
If required, changes to policies should receive the OLC’s approval.
-
Minor changes to policies or procedures only require the approval of the Senior Director of IT Security and Assurance.
Related Policies and Procedures
- Acceptable Use of IT Infrastructure and Resources Policy
- Procedure for Developing IT Security Policies
- Procedure for Developing IT Security Procedures
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Senior Director of IT Security and Assurance |
| Approved By: | CISO |
| Approval Date: | June 1, 2016 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 06/01/2016 | Initial document |
| 1.0.1 | 05/23/2017 | Updated disclaimer and scope |
| 1.1 | 08/14/2019 | Updated policy statement |
| 1.2 | 03/23/2020 | Updated policy statement |
| 1.3 | 03/04/2021 | Updated purpose and statement |
| 1.4 | 08/07/2023 | Updated policy statement, scope |
| 1.5 | 03/20/2024 | Updated policy statement, updated policy disclaimer |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.