INFORMATION SECURITY

Policies, Standards & Guidelines

Policies

These are high-level statements of the University’s goals and objectives, intended to be long-lasting. They outline specific requirements or rules that must be met.

Standards

These are mandatory rules of measure; collections of system-specific or process-specific requirements that must be met.  Standards are designed to provide policies with the support structure and specific direction they require to be meaningful and effective.

Guidelines

These are recommended models or general statements designed to achieve policy objectives by providing a framework for developing or implementing procedures, processes, or practices; guidelines may utilize or refer to standards.

Security References and Information Technology-related policies from the Handbook of Operating Procedures:

Chapter 1 - Administration and Organization

1.3 EXECUTIVE OFFICERS

1.3.6 Vice President and Chief Information Officer

1.7 STANDING COMMITTEES

1.7.4 Computing Resources Committee

Chapter 2 - General Policies & Procedures

2.2 INFORMATION MANAGEMENT

2.2.1 Records and Information Management and Retention
(Records Retention Schedule)

2.2.2 Information Security

2.2.3 Family Educational Rights and Privacy

2.2.6 Release of Records and Requests for Personal Information

2.3 LEGAL AFFAIRS

2.3.2 Use of Copyrighted Material

2.4 ADMINISTRATIVE AND SUPPORT DEPARTMENTS

2.4.2 Internal Audit & Consulting Services

2.4.4 Library

2.4.5 Student Services

2.5 INSTITUTIONAL COMPLIANCE PROGRAM

2.5.1 Office of Regulatory Affairs & Compliance

2.6 MISCELLANEOUS

2.6.1 Safes

2.6.3 Fraud, Abuse, and False Claims Act

Chapter 4 - General Personnel Policies

4.4 BACKGROUND INFORMATION CHECKS

4.4.1 Criminal Background Checks for Security Sensitive Positions

4.5 EMPLOYMENT ADMINISTRATION

4.5.6 Ending Employment (Exit/Clearance Form)

4.5.16 Personnel Records

4.7 WORK AND LEAVE ADMINISTRATION

4.7.6 Telecommuting

4.10 EMPLOYEE DEVELOPMENT AND TRAINING

4.10.1 Compliance Training

4.10.4 Disciplinary Actions for Failing to Attend Compliance Training Sessions

Chapter 5 - Information Management & Services

5.2 SYSTEMS AND NETWORK OPERATIONS

5.2.4 Communications Infrastructure and Equipment

5.2.5 Protection of Information Resources

5.2.6 Electronic Mail Use and Retention

5.2.7 Using Electronic Communications for Broadcast E-Mail Notifications and Distribution of Information

5.2.8 Internet Use

5.4 EDUCATIONAL MEDIA RESOURCES

5.4.4 Copyrighted University Materials

5.5 INFORMATION MANAGEMENT CLIENT SUPPORT SERVICES

5.5.2 Organization and Services

5.5.4 Access to Central Resources

5.5.9 Lost or Stolen Communications Equipment

5.5.10 Software Policy

5.5.13 Technical Support Representative (TSR) Policy

5.8 INFORMATION SECURITY

5.8.1 Information Security Function

5.8.2 Definitions

5.8.3 Computer Crimes Law

5.8.4 Access Control and Password Management

5.8.4 Password Security Standard

5.8.5 Information Security Incident Reporting

5.8.5 Incident Response Guideline

5.8.6 Computer Incident Response Policy

5.8.7 Network Access Policy

5.8.8 Computer Network Security Configuration

5.8.9 Computer Malware Protection Policy

5.8.10 Information Resources Acceptable Use and Security Policy

5.8.11 Peer-to-Peer Access Policy

Unauthorized Peer-to-Peer (P2P) Software list

5.8.12 Portable Computing Policy

5.8.12 Device Naming Convention Standard

5.8.13 Security Monitoring

5.8.14 Administration of Security on Server Computers

5.8.14 Server Security Standard

Login banners

5.8.15 Not in use.

5.8.16 Administrative System Access Controls (ACE Program)

5.8.17 Information Security Training and Awareness Policy

5.8.18 Third-Party Management of Information Resources

5.8.18 Third-Party Risk Assessment Security Standard

Information Security Third-Party Assessment Survey

5.8.19 Administrative and Special Access Policy

5.8.20 Information Resources Privacy Policy

5.8.21 Data Classification

5.8.21 Protection By Data Classification Standard

5.8.22 Storage Media Control

5.8.22 Media Control (Accountability) Security Standard

5.8.22 Media Control (Data Destruction) Security Standard

5.8.22 Media Control (Data Destruction) Security Guidelines

5.8.23 Data Back-up Policy

5.8.23 Backup Security Guideline

5.8.24 Change Management Security Policy

5.8.25 Systems Development Life Cycle (SDLC) Policy

5.8.26 Electronic Information Security Risk Management

5.8.26 Electronic Information Security Risk Assessment Security Standard

5.8.27 Physical Security for Electronic Information Resources

5.8.27 Physical Security for Electronic Information Resources Standards

5.8.28 Administration of Security on Workstation Computers

5.8.28 Workstation Security Standard

5.8.28 Device Naming Convention Standard

5.8.29 Web Application Security

5.8.29

5.8.29 Web Application Security Standard

5.8.29

Chapter 6 - Fiscal Policies & Procedures

6.3 PROPERTY CONTROL

6.3.3 Deletion of State Property

Electronic Storage Device Disposal Request

Property Deletion Request

Software Deletion Request

6.3.8 Property Removal Permit

Property Removal Permit

Chapter 8 - Health and Safety

8.6 STUDENT RIGHT-TO-KNOW AND CAMPUS SECURITY ACT

8.6.1 Student Right-to-Know and the Clery Act

8.7 UNIVERSITY POLICE

8.7.2 Security

8.7.5 Property Removal

Property Removal Permit

8.7.7 Security Sensitive Positions

8.7.9 Key/Card Keys

8.7.10 Identification Badge Policy

8.7.11 Contractors and Vendors

Chapter 10 - Ethics, Standards of Conduct, and Relationships with External Entities

10.1 ETHICS, STANDARDS OF CONDUCT, AND RELATIONSHIPS WITH EXTERNAL ENTITIES

10.1.2 Code of Ethics and Standards of Conduct

10.1.3 Personal Use of University Resources, Equipment, and Assets

Chapter 11 - Patient Privacy Policies

11.1 GENERAL AND OVERSIGHT POLICIES

11.1.1 Notification of Privacy and Security Breaches

11.1.5 Patient Health Records

11.1.6 Confidentiality of Patient Health Information

Confidentiality/Security Acknowledgement

11.1.12 E-Mailing Protected Health Information

11.1.14 Securing Protected Health Information and Mobile Devices

11.4 EDUCATION

11.4.1 Education and Training on Patient Privacy

Chapter 12 - Intellectual Property

12.1 TECHNOLOGY DEVELOPMENT

12.1.1 Intellectual Property Policy