Information Security and Assurance
History: Issued May 23, 2003; Re-Issued October 4, 2011
Related Policies: Protection of Human Subjects in Research; Student Records Policy; Electronic Communications Policy
Additional References: Office of General Counsel Gramm Leach Bliley Resources; PCI Data Security Standard; FERPA; Consumer Personal Information Security Breach Act (DC)
Responsible Official: Chief Information Officer, tel. 202-319-5373
Information is critical to the University's teaching, learning and research mission, and to the administrative functions that support that mission. All members of the University community are responsible for protecting the security, confidentiality, integrity and availability of information against unauthorized access, use or disclosure in accordance with the requirements set forth in this policy. This policy applies to all University activities, whether on campus or off, and to all information regardless of the medium in which it is stored (paper, electronic, etc.).
A. Information means facts, records, results of academic discoveries, inventions and/or proprietary institutional data that is collected, generated, analyzed, and shared in the course of University business or activities.
B. Information Security and Assurance means that information required to carry out University activities is preserved accurately for day to day use and is available to those who need it, and that confidential information is protected against inappropriate access, use or disclosure.
C. Confidential Information refers to all information collected by, shared with, or reported to the University in the course of its business or activity that is protected by local, state or federal law or that the University is contractually obligated to protect. In addition, the University may designate information as confidential. Confidential information includes but is not limited to:
D. Mobile Device means an electronic device that is easily transportable and capable of accessing, storing, or transmitting information. Mobile devices include, but are not limited to: laptop computers; tablets; netbooks; cell phones; Smartphones (such as Blackberries, iPhones or Droids); flash or “thumb” drives; zip drives; and external hard drives.
E. Reasonable Expectation of Privacy. Except as noted in the Electronic Communications Policy and the Acceptable Use Policy, users of University systems may expect that their personal communications, activities, and information will not be monitored or examined by the University except as necessary to maintain quality of service, investigate a potential breach of security or violation of law, when required by law, upon departure from the University or in the event of unplanned leave of absence, at the user’s explicit request, or in emergency situations.
F. University Systems include University-owned or controlled computing networks, software, databases, services, facilities or other computing devices.
III. Information Security and Assurance Requirements
A. Basic Requirements
B. Additional Requirements for Protecting Confidential Information
C. Additional Requirements for Mobile Devices and Off-campus Computing
Mobile devices, as defined above, pose an increased security risk due to their portability. Employees must take extra care to secure such devices, particularly when traveling. Take the following steps in order to minimize the risk of theft or loss of data:
• Secure mobile devices out of sight, in a locked room, office or drawer, and with a locking cable where possible.
Employees who work from off-campus locations must take additional steps to protect information. Contact CPIT at tel. (202) 319-4375 and see Home Computer Security for Off-Campus Computing for additional information and requirements for off-campus computing.
D. Reporting Potential Information Security Breaches
Immediately report potential information security breaches, or evidence of potential illegal activity, to the Assistant Director of Networks and Security at tel. (202) 319-5373, and to your immediate supervisor. Suspected breaches of HIPAA, FERPA or GLB protected data, or confidential data, must be reported directly to the Chief Information Officer at tel. (202) 319-5373. Do not take steps to investigate a potential security breach unless you are also on the Incident Response Team. Details regarding Incident Response roles and procedures are kept by CPIT.