System and Communications Protection Policy
Version 2.4
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure compliance with a systems and communications protection program that meets minimally acceptable security requirements, upholds the principles of Confidentiality, Integrity, and Availability (CIA), and complies with the NIST Cybersecurity Framework, along with any relevant regulatory, contractual, and institutional obligations.
Scope
This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- As summarized in the Information Security and Assurance Program document, mandatory security controls for IT Resources must be consistently designed, implemented, monitored, and assessed University-wide. Information Security and Assurance is responsible for oversight, compliance monitoring, and coordination with Data Owners and Data Custodians.
- Data Owners and Data Custodians must:
  - Develop, adopt, and adhere to documented processes to ensure IT Resources are securely transmitted and stored per the Data in Transit and Data at Rest policies.
  - Protect the authenticity of communication sessions per the Server Certificate Security Policy.
  - Ensure the process protects and monitors information transmitted or received by IT Resources and employs architectural designs, software, development techniques, and engineering principles that promote adequate information security per the Information Technology Security Policy.
  - Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external and internal boundaries of IT Resources per the Firewall/Access Control List Policy.
  - Prevent unauthorized and unintended information transfer via shared IT Resources per the Data Classification Policy.
  - Prevent remote devices from connecting to both University IT Resources and external networks simultaneously per the IT Resources Remote Access Policy.
  - Employ Federal Information Processing Standards (FIPS) validated cryptography to protect the confidentiality of information per the Disk Encryption Policy.
- Refer to the IT Security Policy Library for additional respective policies.
Definitions
Data Custodian is the individual to whom day-to-day actions have been assigned by the data owner and is responsible for the storage, maintenance, and protection of information.
Data Owner(s) are responsible for the information, security, and use of a particular set of information.
Federal Information Processing Standards (FIPS) are standards issued to establish requirements for various purposes, such as ensuring computer security and interoperability. They are intended for cases where suitable industry standards do not exist. Many FIPS specifications are modified versions of standards used in the technical communities, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
- Data in Transit Policy
- Data at Rest Policy
- Data Classification Policy
- Firewall/Access Control List Policy
- Information Security and Assurance Program
- Information Technology Security Policy
- IT Resources Remote Access Policy
- Server Certificate Security Policy
Implementation Information
| Review Frequency: | Annual |
|---|---|
| Responsible Person: | Senior Director of IT Security Operations and Assurance |
| Approved By: | CISO |
| Approval Date: | April 14, 2020 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 04/11/2020 | Initial document |
| 1.1 | 05/11/2021 | Annual review, changes to the purpose statement |
| 2.0 | 09/22/2021 | Updated policy statement to reflect the transition to CSF |
| 2.1 | 10/26/2022 | Updated links, Sr Director’s title, and UISO |
| 2.2 | 05/17/2023 | Updated policy statement |
| 2.3 | 06/10/2024 | Updated scope, policy statement, and disclaimer |
| 2.4 | 08/04/2025 | Updated purpose statement and policy statement |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.