|| OFFICIAL |
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates
Information Security Responsibility
July 23, 2007
Each member of the campus community is responsible for the security and protection of information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.
REASON FOR POLICY
The university recognizes the role of information security and is committed to the protection and safeguarding of the confidentiality, integrity and availability of university information assets. This policy provides a framework for the management and responsibility of information security throughout the university.
General roles and responsibilities:
The Chief Information Security Officer has been assigned the responsibility for establishing, implementing, and monitoring the university's Information Security Program. User responsibilities range in scope from the administration of security controls for a large system such as PeopleSoft Human Resources to the protection of one's own access password. A particular individual often has more than one role. For those individuals with access to sensitive or critical information specific security responsibilities should be incorporated into objectives or job descriptions.
Administrators (Owners), their designee or individuals with functional ownership of data must:
Identify the information resources within areas under their control.
Define the purpose and function of the resources and ensure appropriate segregation of duties and that requisite education and documentation are provided as needed.
Establish acceptable levels of security risk for resources by assessing factors such as:
data classification (sensitive or non-sensitive);
the level of criticality or overall importance to the continuing operation of the campus as a whole, individual departments, research projects, or other essential activities;
impact to the operations of one or more units by unavailability or reduced availability of the resources;
the likelihood that a resource could be used as a platform for inappropriate acts towards other entities; and
limits of available technology, programmatic needs, cost, and staff support.
Ensure compliance with the university's general Information Security policies and standards.
Ensure that requisite security measures are implemented for the resources.
Providers (Custodians and System Administrators), caretakers and administrators of systems must:
Become knowledgeable regarding relevant security requirements and guidelines.
Analyze potential threats and the feasibility of various security measures in order to provide recommendations to Administrative Officials.
Implement security measures that mitigate threats, consistent with the level of acceptable risk established by administrative officials.
Establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements.
Ensure compliance with the university's general information security policies and standards and establish procedures for their resource area in support of these policies and standards.
Communicate the purpose and appropriate use for resources under their control.
Users - Individuals who access and use campus information resources must:
Become knowledgeable about relevant security requirements and guidelines.
Protect the resources under their control, such as access passwords, security codes, facility cards/keys, computers, and data they download.
Participate in general security awareness program and regulatory specific training as required per job responsibilities.
Acknowledge acceptance of the Computer Notification Policy.
Users in supervisory roles must ensure that all university assets (information and devices) have been retrieved and access removed upon an employee's termination or transfer.
Responsibility for Privacy and Confidentiality:
Applications must be designed and computers must be used to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable laws and policies.
Proper authorization must be obtained prior to collecting, accessing, or disclosing client, student, or employee sensitive information in compliance with applicable laws, regulations, or university policies. Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when sensitive data is transferred from a well-secured system such as PeopleSoft Financials to a user's location, adequate security measures must be in place at the destination computer to protect this data.
Responsibility for Compliance with Law and Policy:
Campus departments, units, or groups, for specific systems and activities under their purview, must comply with this and other university information security polices and standards as well as applicable laws and regulations. Reviews of systems and applicable laws and regulations should be routinely performed and risk assessments conducted validating compliance. These groups should, as appropriate and relevant to their area, establish security guidelines, standards, or procedures that support and refine the provisions of the university information security polices and standards for specific activities under their purview.
Individuals with administrative responsibility university wide or for university organizational units. The University Redbook (see http://louisville.edu/provost/redbook/chap2.html#SEC2.3.1) for more information.
Individuals who design, manage, and operate campus electronic information resources, e.g. project managers, system designers, application programmers, or system administrators.
Includes students, faculty, staff, administrators and other employees of the University of Louisville and its affiliated entities and any other individual having a computer account, email address or utilizing the computer, network or other information technology services of the University of Louisville.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the university and/or action in accordance with local ordinances, state or federal laws.
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses university risk exposure and is in compliance with the applicable security regulations and university direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
1.0 / July 23, 2007 / Original Publication
1.1 / January 29, 2013 / Updated policy content
1.2 / September 24, 2014 / Reviewed content
2.0 / March 8, 2016/ Reviewed content modified for template format
2.0 / July 18, 2018 / Grammar and punctuation updates
Reviewed Date(s): March 8, 2016; June 12, 2017; July 18, 2018