The Department Head should ensure that their employees are aware of information security policies, standards, procedures, and responsibilities concerning the information they handle.
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities (from ISO/IEC 27002:2005, Code of Practice for Information Security Management).
The Information Security Executive Committee (ISEC) evaluates information security issues and makes recommendations for protecting University information and computer systems through policy, awareness, incident response, and resource planning.
The Computer Services department has an Information Security Unit to assist departments in assessing and managing risks for University information. For help in assessing risks, contact the Information Security Office.
Information is one of our most important assets and protecting it is one of our top priorities. All users play a critical role in protecting information. Each department is responsible for the information it receives, creates, transmits or stores. Information that can identify an individual, referred to as PII (Personally Identifiable Information), including but not limited to student grades and health information, is protected from improper disclosure by federal and state law. The University classifies data on five levels as specified in the Data Classification Levels policy.
Data levels three through five must be fully protected in accordance with federal and state laws and University policy. Contact the Information Security Unit for questions or assistance.
Credit card information should never be handled without the consent of the University Bursar.
Protecting information consists of understanding what data is being handled and employing a combination of controls among people, processes and technology.
People must understand their role and responsibility in the safe handling of University information and associated processes.
Processes must be in place to safely handle and maintain information. Suggestions for protecting information include:
Contact the Information Security Unit for help with safe and proper storage, transmission, and handling of sensitive information.
All hardware (e.g., workstations, laptops, printers, multi-function copiers, fax machines) assigned to a department must have the data removed from any storage device it contains (e.g., hard drive, memory card) and written validation that the data is removed before it is physically moved to be retired or redeployed. All paper that contains PII or PHI must be shredded using cross-shredding.
Any device (e.g., hard drive, thumb drive, cd) that contains electronic PII or PHI must be ‘wiped’ following guidelines specified by Property Control. Contact the Computer Services Help Desk for questions or assistance, and please refer to the Component Integration and Removal.
If you have a server that is not managed by the Computer Services department, contact the Information Security Unit for risk assessments and standards for protection.
Contact The Office of Web and New Media for questions or assistance with University web pages.
Suspected or confirmed information security incidents, data breaches or disclosures (e.g., lost/stolen mobile device such as laptops, smartphones, thumb drives that contains PII (personally identifiable information), emailing/mailing PII to unintended recipients) must be immediately reported. If you suspect University information has been breached (compromised), follow the instructions on the Information Security website.
Yes, these policies apply to any data held by the University. Paper documents with information in Levels 3-5 of the Data Classification Policy should be kept out of public view when in use and stored in a locked file cabinet when not in use. When the documents are no longer needed and are outside any data retention requirements, they should be shredded in a cross-cut shredder.
The Information Security Officer (ISO) should be notified immediately. See the Information Security website for our data incident process.
Yes. When dealing with University information, it, and the device carrying it, must be protected according to University policy.
Contact the Information Security Officer for a risk assessment to determine the type of information that will be stored on the server.
The Information Security Officer. See Information Security for the process.
A variety of penalties can be imposed depending on the nature of the loss. Information at the University is governed by several government regulations and each specified the penalties for infractions. Criminal penalties are a possibility.
Most printers, copiers, and multi-function devices contain storage devices such as hard drives, flash memory, etc., that may have images of documents processed by them. Some of this information may be sensitive so we must make sure it remains confidential. Disposing of these devices without sanitizing the storage device can lead to data leaks.
Departments who maintain their own Web pages should make sure that they are coded securely using the OWASP Top 10 vulnerability listing as a guide. Also, be sure not to display, or link to, any information not considered public.