Section: Administrative
Policy Number: 1-15
Policy Name: Information Security Policy
Date: July 1993; October 6, 2005


    The University's information is one of its vital assets. The purpose of the Information Security Policy is to protect this asset by establishing employee responsibility for the security of the University's information. The Personal Non-Public Information Policy 1-22 expands on the Information Security Policy by establishing requirements for protecting personal, non-public information and notifying individuals whose high risk personal information may have been disclosed by a security breach. This policy applies to all University full-time, part-time and miscellaneous wages employees.


    It is the policy of the University to protect its information assets and allow the use, access and disclosure of such information only in accordance with University interests and applicable laws and regulations. All University employees providing services or working with the University's information are responsible for protecting it from unauthorized access, modification, destruction or disclosure.

    "The University's information" is defined as any information within its purview, including information which it may not own but which is governed by laws and regulations to which the University is held accountable. It includes all student record data, all personnel data, all University financial data, all student life data, all departmental administrative data, all alumni and donor data, and all other data that pertains to, or supports the administration of the University. This data may be facts, records, reports, planning assumptions or any information meant only for internal use.

    This policy encompasses the safekeeping of the University's information in whatever physical form, such as printed, audio, video and electronic.


    Unit administrators shall develop and administer information security programs that appropriately classify and protect information under their control. The protection of the University's information must be part of the overall business plan.

    Unit administrators are responsible for:

    establishing access and utilization criteria

    defining the criteria for archiving the information to satisfy retention requirements

    determining the value of proprietary information to the functioning of the University and defining reasonable requirements for protecting the asset

    developing a workable plan for resuming operations in the event a disaster destroys the information

    specifying information control and protection requirements to be adhered to by employees processing and using the information.

    monitoring compliance and enforcing the policy.

    However, since information security measures must cover the entire flow of information in the University, the implementation of the information security policy cannot be delegated to only unit administrators. As custodians of the University's information, all employees must adhere to established procedures to ensure that they use the University's information only as required by the normal functions of their duties and that they safeguard it properly according to its sensitivity, proprietary and/or critical nature.


    Employees who violate this policy may be subject to disciplinary action in accordance with University due process.

Related Links: Policy 1-22 "Personal Non-Public Information (PNPI) Policy"

Submitted by: Information Technologies