Information Security Policy

Policy Name:  Information Security Policy

Policy Number: IT-6001

Effective: Legacy

Revised: 2020/02  

Policy Statement

 The University grants to assigned individuals the reasonable and appropriate, minimum access to information necessary to accomplish their institutional or pedagogical goals. All members of the University community are responsible for protecting the security, confidentiality, integrity and availability of information entrusted to them against unauthorized access, use or disclosure in accordance with the following requirements:

  1. Basic Requirements for all Information: All members of the University community are required to:
    1. Be familiar with and follow the requirements of the University’s Electronic Communications Acceptable Use Policy. See Policy #2.8.1
    2. Treat credentials for access to University Systems (as defined herein) as confidential. Such credentials are non-transferable.
    3. Use passwords on all systems used for University business that are of sufficient length and complexity to reasonably protect them from being guessed by humans or computers. Passwords must be changed immediately if there is suspicion of compromise.
    4. Never write down passwords where they are easily accessible to others.
    5. Never share usernames and passwords, including your own.
    6. Never save passwords that access University Systems (as defined herein) on public computers.
    7. Avoid storing passwords wherever possible. Some applications permit users to script or store their ID and password. Web browsers sometimes intercept logins and offer to auto-complete logins by filling in the username and password based on what was typed previously.  Such features should be avoided since they expose passwords to theft.
    8. Lock or logout of your computer when you are finished working, or any time you leave your computer.
    9. Never download email attachments from unknown senders.
    10. Never download or install computer programs, applications, or other software to any University System without the prior approval of Information Technology Services.

     

    If you have questions about any software, hardware or any University Systems, consult with the Information Technology Help Desk.
  2.  

  3. Additional Requirements for Protecting Confidential Information:
    1. Do not access any Confidential Information (as defined herein) unless you have been expressly authorized to have access and you have a legitimate need to know such Confidential Information.
    2. Do not share Confidential Information (by email or other means) except when such sharing is in full compliance with all University policies, and only with those who have a legitimate need to know such Confidential Information. Confidential Information may only be disclosed to third parties in full compliance with applicable law or pursuant to a contract approved by the University wherein the third party is required to implement and maintain University approved safeguards.
    3. Avoid using home computers shared with other family members to gain remote access to Confidential Information. Rather, use a properly secured computer with appropriate anti-virus and software firewalls that is not shared with others.
    4. Only scan or make copies of Confidential Information to the extent necessary.
    5. Do not post Confidential Information on a publicly accessible computer or website.
    6. Do not leave documents containing Confidential Information where they are accessible to others. Such documents should be stored in a physically secured area such as a secure or locked suite, office, desk, or file cabinet.
    7. When possible, Confidential Information should be emailed in an encrypted format, especially when exchanging Confidential Information externally.
    8. Do not fax Confidential Information unless no other options exist. If faxing Confidential Information is necessary, use a cover sheet that informs the recipient that the information is Confidential Information and set fax machines to print a confirmation page after sending the fax
    9. If you are unsure whether you are authorized to access, share, transmit or otherwise use Confidential Information, seek appropriate permission.
  4.  

  5. Additional Best Practices for Mobile Devices and Off-Campus Computing:
    1. Mobile Devices (as defined below) pose an increased security risk due to their portability. Always take extra care to secure such devices, particularly when traveling. Take the following steps in order to minimize the risk of theft or loss of data:
      1. Secure all Mobile Devices out of sight, in a locked room, office or drawer, or use a locking cable where possible.
      2. If accessing Information of the University using Mobile Devices, secure such devices with a strong password and follow mobile security best practices.
      3. Store Confidential Information files or other data critical to the University's operations on regularly maintained (backed up) servers or other University storage resources such as network fileshares, OneDrive, Google Drive, or SharePoint. Do not store Confidential Information only on Mobile Devices with no back-up.
      4. Promptly report all lost or stolen University-owned Mobile Devices to Information Technology Services.
  6.  

  7. Reporting Potential Information Security Breaches:
  8. Immediately report any actual or suspected Information security breaches, or evidence of potential illegal activity, to the Information Technology Help Desk.  Suspected breaches of any University Systems, or inappropriate disclosure of Confidential Information, must be reported directly to the Chief Information Officer.

     

  9. Data and Media Disposal:
    1. When the University retires or otherwise removes computing, network, or office equipment (including telephones, copiers or fax machines) or other Information assets that may contain Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.
    2. Deleting files or reformatting disks is not sufficient to prevent data recovery. Either physically destroy media, according to applicable waste disposal regulations, or scrub it using data wiping software that meets generally accepted data destruction standards.
  10.  

  11. Sanctions:
    1. Any violation of this Policy may result in disciplinary action or other sanctions. Sanctions may include (in accordance with applicable law) denial or removal of access privileges to University Systems, suspension, work assignment limitations, or more severe penalties up to and including termination or expulsion. If the University suspects illegal activities, it may report them to the applicable authorities and aid in any investigation or prosecution of the individuals involved.
    2. The University may treat any attempt to bypass or circumvent security controls as a violation of this Policy. For example, sharing passwords, deactivating anti-virus software, removing or modifying secure configurations, or creating unauthorized network connections are prohibited unless the Information Technology Help Desk has granted an exception.
  12.  

  13. Other Definitions:
    1. Confidential Information refers to all Information collected by, shared with, or reported to the University in the course of its business or activity that is protected by local, state or federal law, or that may cause harm to the University, its employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual’s privacy or legal or regulatory liabilities. Confidential Information includes:
      1. Information relating to an individual that reasonably identifies the individual and, if compromised, could cause harm to that individual or to the University. Examples include, Social Security numbers, driver license numbers or identification card numbers, credit or debit card numbers, bank account information, and student grades or disciplinary information;
      2. University financial data;
      3. employee, student, and alumni lists;
      4. University program or project plans;
      5. University contracts, including contracts with employees and external parties;
      6. communications or records regarding internal University matters and assets, including operational details and audits;
      7. University policies, procedures, standards, and processes;
      8. any information designated as “confidential” or some other protected information classification by an external party and subject to a current non-disclosure or other agreement;
      9. information regarding employees, including payroll records and employment or personnel information (such as health or disability information, disciplinary or grievance information, annual review information);
      10. any summaries, reports, or other documents that contain Confidential Information; and
      11. drafts, summaries, or other working versions of any of the above.
    2. Mobile Device means an electronic device that is easily transportable and capable of accessing, storing, or transmitting information. Examples include laptop computers, tablets, mobile phones, and portable storage devices.
    3. University Systems include University-owned or controlled computing networks, software, databases, services, facilities or other computing devices.