PPM 10-1, Information Security

Responsible Office: Vice President for Information Technology

1.0 PURPOSE 

The purpose of the Information Security Policy is to:

  • Provide policy to secure Sensitive Information of University employees, students, and others affiliated with the University, and to prevent the loss of information that is critical to the operation of the University.
  • Provide reasonable and appropriate procedures to assure the confidentiality, integrity and availability of the University’s Information Technology Resources.
  • Prescribe mechanisms which help identify and prevent the compromise of information security and the misuse of University data, applications, networks and computer systems.
  • Define mechanisms which protect the reputation of the University and allow the University to satisfy its legal and ethical responsibilities with regard to its networks’ and computer systems’ connectivity to networks outside the University.
  • Provide written guidelines and procedures to manage and control information considered to be Sensitive Information whether in electronic, paper or other forms.
  • Protect the integrity and validity of University data.
  • Assure the Security and protection of Sensitive Information in the University’s custody, whether in electronic, paper, or other forms.

University Information Technology Resources are a valuable University asset and must be managed accordingly to assure their integrity, security and availability for lawful educational purposes. This document describes policy for use by all persons and/or organizations that have access to University data.

Readers should note that the appendices of this policy and any referenced standards are enforceable as part of the policy and are subject to change as approved by the President and Vice President for Information Technology.

The persons responsible for implementing this policy and their respective duties and/or responsibilities with respect to this policy are described in Appendix A.

2.0 REFERENCE

PPM 10-6, Mobile Device Policy

3.0 DEFINITIONS

3.1 Centralized Computer Systems - Computer hardware (including but not limited to Servers, Routers, Switches and Access Points) and software systems (including but not limited to Web hosts, customized databases, University databases, and faculty developed software for educational purposes) maintained by the IT Division and located in areas managed by IT personnel.

3.2 Computing Equipment - All hardware used to process, store, or transmit University data.

3.3 Data - Information contained in either University computer systems or in physical copy that is utilized for the purposes of conducting University business or learning. The terms “data” and “information” are used interchangeably throughout this policy.

3.4 Decentralized Computer Systems - Computer hardware (including but not limited to Servers, Routers, Switches and Access Points) and software systems (including but not limited to Web hosts, customized databases, University databases, and faculty developed software for educational purposes) maintained by any non- IT Division department.

3.5 Information Technology Resource (IT Resource) - A resource used for electronic storage, processing or transmitting of any data or information, as well as the data or information itself. This definition includes but is not limited to electronic mail, voice mail, local databases, externally accessed databases, CD-ROM, recorded magnetic media, photographs, digitized information, or microfilm. This also includes any wire, radio, electromagnetic, photo optical, photo electronic or other facility used in transmitting electronic communications, and any computer facilities or related electronic equipment that electronically stores such communications.

3.6 Kiosk - Computers located in public spaces designed to offer limited functionality with specialized hardware or software.

3.7 Lab - A collection of computers that are either available for general use or are in a secured academic environment that are intended for specific use by students, faculty or staff.

3.8 Mobile Device - Any handheld or portable computing device including running and operating system optimized or designed for mobile computer, such as Android, Blackberry OS (RIM), Apple's iOS, or Windows Mobile.  Any device running a full desktop version operating system is not included in this definition.

3.9 Portable Equipment – Laptops and other removable storage devices such as Flash Drives.

3.10 Public Information - Information that may be provided openly to the public.

3.11 Security - Measures taken to reduce the risk of (a) unauthorized access to IT Resources via logical, physical, managerial, or social engineering means; and/or (b) damage to or loss of IT Resources through any type of disaster, including cases where a violation of Security or a disaster occurs despite preventative measures.

3.12 Sensitive Information - Any data, electronic or physical copy, of which the compromise with respect to confidentiality, integrity, and/or availability could have a material adverse effect on 91Ƶ interests, the conduct of University programs or the privacy to which individuals are entitled.  Examples of such data would include that data protected by the Government Records Access and Management Act (GRAMA), Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA) or other laws governing the use of data or data that has been deemed by the University as requiring protective measures.

3.13 User – All persons and/or organizations that have access to University data.

3.14 Workstation - Computers assigned to one or more University employees for conducting university business.

4.0 SCOPE

This policy covers paper-based and electronic data defined to include, but not be limited to, all information maintained, processed, or distributed by the University computer systems that contain data defined by law or policy as Sensitive Information. This policy also applies to all persons, and organizations that have access to University data.

This policy applies to all organizations within the University even though the data needed and used by those organizations are different. Additionally, all University owned devices including, but not limited to workstations, lab computers, and kiosks are affected by this policy unless otherwise stated. The principles of academic freedom and free exchange of ideas apply to this policy, which is not intended to limit or restrict those principles. This policy is intended to be in accordance with federal and state laws and regulations regarding information security.

Each organization within the University must appropriately apply this policy to make certain they are meeting the requirements regarding Information Security. It is recognized that the technology at some organizations may limit immediate compliance with the policy; such instances of non-compliance must be reviewed and approved by the Information Security Office (ISO) and the Information Security Task Force (ISTF). Reference Section S for more information about policy exceptions.

Note: This policy applies to mobile devices as applicable. For additional requirements pertaining to tablets and smartphones see Mobile Device Policy (PPM 10-6.) 

5.0 POLICY

5.1 Information Confidentiality and Privacy
All users are expected to respect the confidentiality and privacy of individuals whose records they access.  Users are responsible for maintaining the confidentiality of data they access or use and the consequences of any breach of confidentiality.

5.2 Handling Sensitive Information
The unauthorized addition, modification, deletion, or disclosure of Sensitive Information included in University data files is expressly forbidden.

5.3 Centralized/Decentralized Computing Systems
All computing systems will be in compliance with this policy and University Security standards regardless of whether they are centralized or decentralized.  Any decentralized computing systems that are unable to comply with the requirements of this policy may be required to relocate to the University Data Center at the discretion of the ISTF and ISO.

5.4 Sensitive Information Collection
Sensitive Information must only be collected for lawful and legitimate University purposes according to the requirements outlined in Board of Regents Rule R345, Information Technology Resource Security.

5.5 Public Information
Although there are no restrictions on disclosure of Public Information, the same precautions prescribed in this policy for protection of University data must be adhered to for the purpose of preventing unauthorized modification, deletion, etc. of Public Information.

5.6 Access Control
Access to University data and its resident computing system will be restricted to those users that have a legitimate business need and appropriate approvals for access to such information.  Users must ensure that Sensitive Information is secured from unauthorized access and are responsible for safeguarding this information and related computing systems at all times through use of strong passwords and as outlined in Appendix B. 

5.7 Remote Access
Only authorized Users will be permitted to remotely connect to University computer systems, networks and data repositories to conduct University related business as required by the Standard For Secure Remote Access.

5.8 Physical Security
The physical security of computing resources will be accomplished utilizing current industry standards and appropriate technology and plans as defined by the ISO.  Responsibility for Centralized Computing systems security will reside with the IT Division.  All other computing systems security will be the responsibility of the appropriate IT Specialist.  See the Physical Security section of Appendix B for specific requirements.

5.9 Data Security
Users will ensure Sensitive Information is secure and the integrity of records is safeguarded in storage and transmission. Users who handle Sensitive Information are responsible for the proper handling of this data while under their control.  Refer to the Data Security section of Appendix B for specific Data Security Requirements.

5.10 Backup and Recovery
Administrators of Centralized computing systems will back up essential University data according to a documented disaster recovery plan consistent with industry standards and store such data at a secure commercial site.  Decentralized computing systems will have available, at a minimum, a documented disaster recovery plan covering backup procedures, timelines, storage locations/procedures and recovery.

5.11 Security Incident Response and Handling
All suspected or actual security breaches of University, college or departmental system(s) will be reported immediately to the organization’s Data Security Steward who will consult with the ISO to assess the level of threat and/or liability posed to the University or affected individuals and respond according to Incident Response Guidelines maintained by the ISO.  The University will report and/or publicize unauthorized information disclosures as required by law or specific industry requirements.

5.12 Service Providers
Service providers utilized to design, implement, and service technologies must provide contractual assurance that they will protect the University’s Sensitive Information it receives according to University or commercially reasonable standards. Such contracts must be reviewed by University Legal Counsel for appropriate terminology regarding use and protection of Sensitive Information.

5.13 Training and Awareness
Each new University employee will be trained on the Acceptable Use Policy and University Information Security Policy as they relate to individual job responsibilities.  Such training will include information regarding controls and procedures to prevent employees from providing data to an unauthorized individual.  All employees will be required to complete additional security training as prescribed by the ISO.

5.14 Computer Labs
91Ƶ provides robust computing lab resources for utilization in legitimate and lawful academic endeavors.  Computing equipment in these labs will conform to all requirements of this policy with the addition of requirements stated in the Computing Lab Section of Appendix B.

5.15 Software
Only properly licensed software may be installed on University computer systems. 

5.16 Penalties and Enforcement
Penalties and enforcement of this policy will be in accordance with University policies. Appropriate disciplinary and/or legal action will be taken when warranted in any area involving violations of this policy.

5.17 Policy Review and Revision
This policy and its associated appendices will be subject to periodic review and revision.

5.18 Policy Clarification
For clarification or further information on any items in this policy, the User is encouraged to contact the ISO, their Data Security Steward or a member of the ISTF.

5.19 Exceptions to Policy
Any computing system that is unable to comply with this policy must file an exception.  Exceptions to this policy must be approved by the ISO based on academic or business need and reviewed by the ISTF.  The ISO will review exceptions annually for continued application and notify the exception holder of any concerns.

5.20 Additional Policies
Users should be aware that the Utah Board of Higher Education may implement other policies that may affect Information Security on campus.  The University adopts such policies and Users must comply with any such standards.

 

Revision History  
Creation Date: 04-13-04
Amended: 03-19-19