Executive Summary  

An information security program (ISP) is designed to protect information resources from a wide range of threats, ensure business continuity, and minimize business risk to ºÚÁÏÉç³Ô¹Ï University and members of the ºÚÁÏÉç³Ô¹Ï community. Information resource security is achieved by implementing applicable policies, processes, procedures, controls, standards, guidelines, organizational structures, and supporting technology. The information security program (ISP) governs the confidentiality, integrity, and availability of ºÚÁÏÉç³Ô¹Ï data, especially highly sensitive or critical data, and defines the responsibilities of departments and individuals for such data. 

Scope

This information security program applies to any person granted access to ºÚÁÏÉç³Ô¹Ï University information resources, including but not limited to students, faculty, staff, alumni, temporary employees, contractors, volunteers, friends of ºÚÁÏÉç³Ô¹Ï, and guests who have access to ºÚÁÏÉç³Ô¹Ï information resources. Such technology resources include but are not limited to data, images, text, recordings, and software which are stored on hardware or other digital storage media both on-campus and at outsourced locations. 

Policy and Procedures

The following foundational elements are designed to create a framework for the information security program (ISP), help ºÚÁÏÉç³Ô¹Ï adopt a control catalog, and comply with best practices in Information Security. 

• Inventory and Accountability of Information Assets: ºÚÁÏÉç³Ô¹Ï collects, stores, and uses various data as part of normal operations.  This information is stored in various systems that are inventoried and managed by the ºÚÁÏÉç³Ô¹Ï IT Enterprise team. 
• Sensitive Data Classification: Data classification is required to determine the relative sensitivity of information resources, which is the basis for protection and access control.  
• Data Risk Management:  ºÚÁÏÉç³Ô¹Ï's risk management cycle includes assessment, review, mitigation, and reporting based upon the university’s risk tolerance. 
• Identity and Access Management:   Ensures accurate identification of authorized users and provides access controls to the use of information resources. 
• Control Activity: Defined controls provide a system of checks and balances intended to identify irregularities, prevent abuse from occurring, and assist in resolving discrepancies that are introduced into the operation of the business. 
• IT Security Awareness: The goal of the information security awareness program is to strengthen the information security culture of ºÚÁÏÉç³Ô¹Ï through education, active learning, communication, and collaboration. 
• Physical Security: Physical security controls and secure areas are used to minimize unauthorized access, damage, and interference to information resources. This includes providing environmental safeguards and controlling physical access to equipment and ºÚÁÏÉç³Ô¹Ï data. 
• IT Contingency Planning: The ºÚÁÏÉç³Ô¹Ï IT contingency Plan is designed to minimize the impact of a disaster or disruptive incident on an organization's IT systems and operations, and to ensure that mission-critical functions can be quickly restored in the event of an outage or other disruption. 
• Security Incident Response: Effectively and efficiently handle and manage any security incidents that may occur within ºÚÁÏÉç³Ô¹Ï’s IT infrastructure. 

Responsibilities and Enforcement

Vice President/Chief Information Officer (CIO): ºÚÁÏÉç³Ô¹Ï’s Chief Information Security Officer is responsible for overseeing the organization’s technology infrastructure and ensuring that it aligns with the business goals and objectives.  The CIO will periodically present an update on the status of the ISP to the executive officers and the Board of Trustees.  

Assistant Vice President for Information Technology (AVPIT): The AVPIT of ºÚÁÏÉç³Ô¹Ï is responsible for managing the day-to-day operations of the university’s IT systems.  This includes ensuring that the ISP is properly implemented and maintained. 

IT Governance Committee: Works in conjunction with the CIO and AVPIT to review and recommend university policies regarding information security. 

Definitions

Access Controls: The process of controlling access to systems, networks and information based on business and security requirements of the user’s role within ºÚÁÏÉç³Ô¹Ï.  

Risk Tolerance: ºÚÁÏÉç³Ô¹Ï’s willingness to accept risk by either accepting, transferring, or mitigating risk exposures.  

Information Security Incident: An event that impacts or has the potential to impact the confidentiality, availability, or integrity of ºÚÁÏÉç³Ô¹Ï's information resources.  

Additional Documents and Policies

• Acceptable Use Policy
• Privacy and Personal Data Protection
• Email Responsibility and Computer Use Policy 
• Federal Trade Commission and Gramm _ Leach _ Bliley Act (GLBA)