Information Technology Security Policy
Version 1.2
For Students, Faculty, Staff, Guests, Alumni
Purpose
The University's policy is to protect the IT Resources' confidentiality, integrity, and availability commensurate with their risk and value while maintaining accessibility.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- In alignment with the University's strategic plan and oversight from the Board of Trustees, the Information Risk Management Board (IRMB) and the Associate Vice President for IT/Chief Information Security Officer (AVP/CISO) are responsible for approving and ensuring compliance with this policy.
- The University must:
  - Integrate information security principles into all aspects of the University's activities.
  - Ensure that reasonable security policies, standards, controls, processes, practices, and procedures are established and maintained to safeguard IT Resources.
  - Follow a risk-based approach to protect the assets' confidentiality, integrity, and availability as business needs and IT Resources change.
  - Operate IT security activities effectively, responsibly, and ethically, complying with all global, federal, state, and local laws and regulations.
- By upholding confidentiality, integrity, and availability, Information Security and Assurance (ISA) must:
  - Secure IT Resources from unauthorized access and alterations.
  - Ensure IT Resources are available to authorized Users.
  - Maintain an information security program aligned with the University IT risk posture that develops, deploys, and supports reasonable security policies, processes, practices, procedures, guidelines, and technologies to protect IT Resources.
  - Provide training to support this policy.
  - Coordinate with the Incident Response Team (IRT) in response to information security incidents, violations, or crimes arising from or relating to the misuse of IT Resources.
  - Work with Public Safety in conducting investigations, preparing reports for the authorities, and supporting authorities conducting their investigations.
- The University's Vice Presidents and Deans are responsible for championing this policy's information security practices in their departments and schools by supporting recommendations by the AVP/CISO.
- Users must safeguard IT Resources when using, accessing, and interacting with them.
Definitions
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Related Policies and Procedures
Acceptable Uses of IT Infrastructure and Resources
Implementation Information
Review Frequency | Triennial |
---|---|
Responsible Person | Senior Director, IT Security Operations and Assurance |
Approved By | CISO |
Approval Date | May 22, 2018 |
Revision History
Version | Date | Description |
---|---|---|
1.0 | 05/23/2017 | Initial policy |
1.0.1 | 05/22/2018 | Updates to disclaimer statement, definitions, and scope |
1.1 | 07/15/2020 | Updated policy statement |
1.2 | 09/21/2023 | Updated purpose, scope, policy disclaimer, and policy statement |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.