Information Security Policy
Section: | Information Technologies Policies |
Policy Name: | Information Security Policy |
Policy Owner: | Executive Vice President |
Responsible University Office: | Information Technologies |
Origination Date: | July 1993 |
Revisions: | October 6, 2005; May 2013; February 26, 2018 |
Legacy Policy Number: | 1-15 |
- SCOPE OF POLICY
- This policy expands upon the data governance framework established by the University Data Governance Policy to address requirements, roles, and responsibilities related to the security of IT resources.
- Privacy and security practices protect University information and allow the use, access, and disclosure of such information in accordance with University missions and applicable laws, regulations, contracts, and/or funding agency requirements.
- This policy establishes responsibility to manage IT resources in accordance with the security standards and controls set forth in this policy. The confidentiality, integrity, and availability of University information must be maintained and protected to support the University’s missions and to comply with laws, regulations, and contractual obligations.
- This policy establishes a University-wide information security framework to:
- Protect against unintentional, unlawful, or unauthorized disclosure, alteration, or destruction of sensitive information that could potentially result in harm to the University, members of the University community, other organizations, or the nation.
- Protect against anticipated threats to the security of IT resources.
- Comply with federal, state, and local law; University policies; and agreements that bind the University to implement applicable security controls.
- This policy applies to all individuals who have access to IT resources used for University purposes and encompasses the safekeeping of University information in any form—including, but not limited to, spoken, printed, audio, video and digital/electronic media—and in all locations—including, but not limited to, in storage media, in e-communications, in the cloud, and on personal devices. Note: for the purposes of this policy, “University purposes” do not include students or employees accessing or updating their individual University information.
- DEFINITIONS
- “Availability” means ensuring timely and reliable access to and use of University information.
- “Confidentiality” means preserving authorized restrictions on University information access and disclosure, including means for protecting personal privacy and proprietary information.
- “Council for Data Governance (CDG)” is the University council responsible for overseeing the appointment and action of data trustees for each of the University’s functional areas. It includes the Chief Information Officer, VP & General Counsel, and other members as appointed by the President and/or his or her delegates.
- “Data Security Advisory Committee (DSAC)” is the University council responsible for coordinating information security and risk management efforts and monitoring and recommending necessary security actions to the University. It is chaired by the director of IT Security Policy & Compliance and includes delegates as may be appointed from time to time by data trustees and/or the chair.
- “Data steward” is an individual within the University who is the primary institutional authority for a particular data set and who is principally responsible for the management and security of that data set across the institution.
- “Data stewardship” is the responsible oversight of a data set, including principal responsibility for the establishment of standards and guidelines for appropriately managing and securing that data across the institution.
- “Data trustee” is an executive officer of the University who has the highest level of strategic and policy-setting authority and responsibility for his or her functional area.
- “End user” is any individual who accesses and/or utilizes IT resources.
- “Functional area” is one or more units that have primary responsibility for managing a core University mission or business function.
- “Integrity” means guarding against improper modification or destruction of University information, and includes ensuring non-repudiation and authenticity.
- “IT device” is any device involved in the accessing, processing, storage, or transmission of University information and making use of the University IT infrastructure or attached to the University network. These devices include, but are not limited to, desktop computers, laptop computers, personal digital assistants, server systems, network devices such as routers or switches, and printers.
- “IT resources” are the full set of University owned or controlled information technology devices and data involved in the processing, storage, accessing, and transmission of information.
- “Local support provider” is an individual or unit with primary responsibility for the installation, configuration, security, and ongoing maintenance of an IT device.
- “Privacy” means (1) an individual’s ability to conduct activities without concern of or actual observation and (2) the appropriate protection, use, and release of information about individuals.
- “Security controls” are the administrative, operational, and technical requirements and recommended best practices for meeting security standards.
- “Security standards” are the requirements for achieving risk management objectives and compliance with laws, regulations, and policies.
- “Unit” means a University department, school, institute, program, office, initiative, center, or other operating unit.
- “Unit head” is a University official with the highest level of authority over the day-to-day management or oversight of a unit’s operation.
- “University information” is defined as any information within the University’s purview, including information that the University may not own but that is governed by laws and regulations to which the University is held accountable. University information encompasses all data that pertains to or supports the administration and missions, including research, of the University.
- “University information classifications” are the categories of University information that have different security requirements based on their potential impact due to a loss of confidentiality, integrity, or availability.
- POLICY STATEMENTS
- All IT resources must be managed in compliance with applicable federal, state, and local laws; University policies; and agreements.
- University of Delaware Information Technologies (IT) is authorized to develop, promulgate, and enforce information security program requirements for the University. These requirements may include policies, procedures, security standards and controls, roles, and responsibilities for the protection of IT resources.
- All end users must comply with the requirements mandated by this policy, including administrative, operational, and technical security controls.
- POLICY STANDARDS AND PROCEDURES
- All end users are responsible for protecting IT resources by complying with appropriate administrative, operational, and technical security standards and controls commensurate with the requirements for its classification. The University Information Classification Policy establishes the University information classifications.
- The Secure UD Data Governance & Security Program (Secure UD DGSP) establishes administrative, operational, and technical mandates for the security and management of IT resources.
- Exceptions to this policy, including exceptions to the requirements of the Secure UD DGSP, must be justified by operational or technical needs and must be submitted to and approved by unit heads.
- Roles and responsibilities
- Data trustees
- Define risk tolerance related to security threats to University information entrusted to their care.
- Are ultimately accountable for the implementation of reasonable and appropriate security controls to protect the confidentiality, integrity, and availability of IT resources within their functional areas.
- Require annual assessments of security controls within their functional areas and report the results to IT.
- Data stewards
- Require the implementation of reasonable and appropriate security controls to protect the confidentiality, integrity, and availability of IT resources within their stewardship.
- Information Technologies
- Maintain overview responsibility for implementation of this policy.
- Establish policy requirements, including security standards and controls, and monitor and enforce compliance.
- Develop a comprehensive security program that includes risk assessments, best practices, education, and training.
- Having IT assume this responsibility does not abrogate the responsibility of individuals and units to comply with policy requirements.
- Train and educate the University community on this policy.
- Monitor technological developments, trends, and changes in laws and regulations and update this policy as appropriate.
- Conduct annual reviews of minimum technical requirements and update this policy, with appropriate review.
- Assist units in understanding risk and in identifying and implementing security controls to protect IT resources.
- Issue critical security notices to units.
- Develop, implement, and maintain University-level security monitoring and analysis.
- The Data Security Advisory Committee (DSAC)
- Assist in the implementation of this policy.
- In consultation with the VP & General Counsel, monitor federal, state, and local laws and regulations affecting information security and privacy.
- Stay abreast of evolving best practices in information security and privacy in higher education.
- Assess risks to University information and recommend updates to this policy, including the Secure UD DGSP, as necessary.
- Unit heads
- Assume primary compliance responsibility for the IT resources under their control.
- Identify local support providers and report those individuals or units to IT.
- Develop and implement an information security plan for the unit consistent with the requirements of this policy and commensurate with the specific security needs of the unit.
- Thoroughly understand the security risks impacting University information under their control. Security risks should be documented and reviewed with the appropriate data steward so that he or she can determine whether greater resources need to be devoted to mitigating these risks. IT can assist unit heads with gaining a better understanding of their security risks.
- Ensure the implementation of reasonable and appropriate security controls to protect the confidentiality, integrity, and availability of IT resources within their units.
- Approve exceptions to this policy based on operational or technical needs.
- Report to data trustees the unit’s compliance with information security requirements at least annually.
- Local support providers
- Maintain knowledge of the IT devices for which they are responsible.
- Implement, at the direction of the unit head, security controls for the IT devices for which they are responsible.
- Understand and document the configurations and characteristics of the IT devices for which they are responsible.
- Recommend security controls and practices for the IT devices for which they are responsible.
- End users
- Adhere to unit procedures for implementing security controls.
- Data trustees