The Catholic University of America

Information Security and Assurance Policy

Archived 3/9/15

I. Introduction

Information is critical to the University's teaching, learning and research mission, and to the administrative functions that support that mission. All members of the University community are responsible for protecting the security, confidentiality, integrity and availability of information against unauthorized access, use or disclosure in accordance with the requirements set forth in this policy. This policy applies to all University activities, whether on campus or off, and to all information regardless of the medium in which it is stored (paper, electronic, etc.)


II. Definitions

A. Information means facts, records, results of academic discoveries, inventions and/or proprietary institutional data that is collected, generated, analyzed, and shared in the course of University business or activities.


B. Information Security and Assurance means that information required to carry out University activities is preserved accurately for day to day use and is available to those who need it, and that confidential information is protected against inappropriate access, use or disclosure.


C. Confidential Information refers to all information collected by, shared with, or reported to the University in the course of its business or activity that is protected by local, state or federal law or that the University is contractually obligated to protect. In addition, the University may designate information as confidential. Confidential information includes but is not limited to:

• Financial information as specified by the Financial Services Modernization Act of 1999 (Gramm Leach Bliley Act or GLB);

• Protected Health Information (PHI) as specified by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH);

• Education records of students as defined by the Family Educational Rights Privacy Act of 1974 (FERPA);

• Human subject research information which falls under the jurisdiction of the University's Institutional Review Board (IRB);

• Patient records protected by the DC Mental Health Information Act of 1978;

• Confidential medical records used to provide an employee with a reasonable accommodation under the Americans with Disabilities Act of 1990 (ADA);

• Payroll records or other documentation pertaining to an employee’s compensation;

• Employment and/or personnel information;

• Controlled information or technology pursuant to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) that does not fall under the Fundamental Research Exclusion or other exclusions to ITAR/EAR; and

• Payment card data (such as credit/debit card numbers, security codes or PINs) covered by the Payment Card Industry (PCI) standards.


D. Mobile Device means an electronic device that is easily transportable and capable of accessing, storing, or transmitting information. Mobile devices include, but are not limited to: laptop computers; tablets; netbooks; cell phones; Smartphones (such as Blackberries, iPhones or Droids); flash or “thumb” drives; zip drives; and external hard drives.


E. Reasonable Expectation of Privacy. Except as noted in the Electronic Communications Policy and the Acceptable Use Policy, users of University systems may expect that their personal communications, activities, and information will not be monitored or examined by the University except as necessary to maintain quality of service, investigate a potential breach of security or violation of law, when required by law, upon departure from the University or in the event of unplanned leave of absence, at the user’s explicit request, or in emergency situations.


F. University Systems include University-owned or controlled computing networks, software, databases, services, facilities or other computing devices.

III. Information Security and Assurance Requirements
The University grants to assigned individuals the reasonable, minimum access to information necessary to accomplish their institutional or pedagogical goals. All members of the University community are responsible for protecting the security, confidentiality, integrity and availability of information entrusted to them against unauthorized access, use or disclosure in accordance with the following requirements:

A. Basic Requirements

• Do not share information collected for a specific purpose with those outside the University community without notification and consent.
• Be familiar with and follow the requirements of the University's Electronic Communications Policy and the Acceptable Use Policy.
• Treat credentials for access to University systems as confidential. Such credentials are non-transferable.
• Use strong passwords to access University systems and to secure personal computers.
• Do not write down passwords where they are easily accessible to others.
• Never share usernames and/or passwords, including your own.
• Do not save fixed passwords in University web browsers or e-mail.
• Log out from the system when you are finished working, or if you will be away from your computer for more than a few minutes.
• Do not download e-mail attachments from unknown senders.
• Do not download or install computer programs or software without prior approval from the Center for Planning and Information Technology (CPIT).


B. Additional Requirements for Protecting Confidential Information

• Do not access confidential information unless you have a legitimate need to know that information.
• Do not share confidential information with those who do not have a legitimate need to know that information. Confidential information may be disclosed to third parties only pursuant to a contract wherein the third party is required to implement and maintain University-approved safeguards.
• Do not post confidential information on a publicly-accessible computer or website.
• Do not leave paper documents containing confidential or potentially sensitive information where they are accessible to those who do not have a legitimate need to know that information. Such documents should be stored in a secure or locked suite, office, desk, or file cabinet.
• Do not e-mail confidential data unless the communication is encrypted.
• Fax confidential data only after confirming that the receiving fax machine is located in a secure area accessed only by those with a legitimate need to see the information being transmitted.
• If you are unsure whether you are authorized to access, share, transmit or otherwise use confidential information, ask your supervisor or contact the Office of General Counsel (202-319-5142) or the Compliance Officer (202-319-6735).


C. Additional Requirements for Mobile Devices and Off-campus Computing

Mobile devices, as defined above, pose an increased security risk due to their portability. Employees must take extra care to secure such devices, particularly when traveling. Take the following steps in order to minimize the risk of theft or loss of data:


• Secure mobile devices out of sight, in a locked room, office or drawer, and with a locking cable where possible.

• Do not access, store or transmit proprietary, sensitive or confidential information via such devices without prior approval. Contact CPIT for information and assistance with encrypting such devices.

• If accessing University data using cell phones or Smartphones, secure such devices with a password.

Employees who work from off-campus locations must take additional steps to protect information. Contact CPIT at tel (202) 319-4375 and see Home Computer Security for Off-Campus Computing  for additional information and requirements for off-campus computing.


D. Reporting Potential Information Security Breaches


Immediately report potential information security breaches, or evidence of potential illegal activity, to the Assistant Director of Networks and Security at tel. (202) 319-5373, and to your immediate supervisor. Suspected breaches of HIPAA, FERPA or GLB protected data, or confidential data, must be reported directly to the Chief Information Officer at tel. (202) 319-5373. Do not take steps to investigate a potential security breach unless you are also on the Incident Response Team. Details regarding Incident Response roles and procedures are kept by CPIT.