Managing IT resources

Classify and protect University information and systems

All members of the University community have a responsibility to protect University information. University information is classified into one of three levels based on its sensitivity: confidential, official use only and public. The criticality of your department’s information systems is based on their importance or risk relative to the goals and objectives of your unit, including uninterrupted operation and essential business functions. Criticality categories are used to determine the requirements for availability and integrity: mission critical, critical or moderate.

It is incumbent upon each University department to inventory the University information assets in its custody, assess their confidentiality and criticality, and protect them according to UD classification and protection requirements.

At the device level, unless your department has designated someone else to manage your personal workstation, laptop, smartphone, or other electronic access device, you are its system administrator. As a system administrator, you are responsible for safeguarding your computer’s stored information and for keeping it safe from unauthorized users and processes (e.g., worms, bots, viruses, etc.). You may also be responsible for a departmental server, computing site, or subnet. System administrator responsibilities can range from a single laptop or workstation to multiple physical or virtual servers.


IT has assembled a list of best practices to assist you in establishing basic protections over the University information assets processed, stored, or transmitted by systems in your care.

Each system you administer is most likely connected directly to the Internet via the University’s network. To maintain the free and unimpeded exchange of scholarly information, the University does not selectively monitor, filter, or block information passing over its network. It is incumbent upon system administrators to protect University information resources against the risks of being connected to a high-speed, open network.

Back to top

IT vendors

UD information assets may be processed or stored by and accessible to IT vendors. Before making University information available to vendors, you must ensure it is adequately protected.

Cloud usage guidelines form a framework for when and how to use the cloud to store or process University information.  Contractual assurances and/or a vendor controls review may be required depending on the information’s classification.  Information classification is based on your assessment of risk to the University information in your care.

Google Apps guidelines - Google Apps's robust communication and collaboration features are available to the entire UD community to enrich teaching, learning, research, and service. While Google Apps is appropriate for much communication and collaboration, the sensitivity and nature of the information (information classification) and any applicable privacy and security policies, laws, regulations or other restrictions must be carefully considered before you choose to store information in Google Apps.

Consultants and contractors - Your job might include working with contractors who have access to University information. Consultants and IT vendor employees may be engaged to install, operate, or maintain information systems in your unit. If so, you may be responsible for ensuring the contractor complies with all University privacy and security policies. Before accessing University information, all contractors must be familiar with Contractor Conditions of Use.

Back to top