Pol-Information Security Responsibility

policy information security responsibility modified Tue Oct 11 2022 15:15:25 GMT-0400 (Eastern Daylight Time)

UofL Logo

University of Louisville

OFFICIAL
UNIVERSITY
ADMINISTRATIVE
POLICY

POLICY NAME

Information Security Responsibility

EFFECTIVE DATE

July 23, 2007

POLICY NUMBER

ISO-001 v2.0

POLICY APPLICABILITY

This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates

REASON FOR POLICY

The university recognizes the role of information security and is committed to the protection and safeguarding of the confidentiality, integrity and availability of university information resources. In conjunction with the university’s Information Management and Classification Standard, this policy provides a framework for the management and responsibility of information security throughout the university. 

POLICY STATEMENT

Each member of the university community is responsible for the security and protection of information resources over which they have control. Resources to be protected include networks, devices, software, systems, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.

STANDARDS

General roles and responsibilities:

The Chief Information Security Officer has been assigned the responsibility for establishing, implementing, and monitoring the university's Information Security Program. User responsibilities range in scope from the administration of security controls for enterprise systems to the protection of one's own password. A particular individual may have more than one role. For those individuals with access to sensitive or critical information specific security responsibilities should be incorporated into objectives or job descriptions.  

Data Steward (Owner), a senior official within a college, department or unit (or their designee) with functional ownership and management responsibility for information resources. The Data Steward will:

  1. Identify and approve use and sharing of the information resources under their control.
  2. Define the purpose and function of the resources and ensure appropriate segregation of duties and that requisite education and documentation are provided as needed.
  3. Establish acceptable levels of security risk for resources by assessing factors such as:
    • Data classification (sensitive or non-sensitive) per the Information Management and Classification Standard;
    • The level of criticality or overall importance to the continuing operation of the campus as a whole, individual departments, research projects, or other essential activities;
    • Impact to the operations of one or more units by unavailability or reduced availability of the resources;
    • The likelihood that a resource could be misused; and
    • Limits of available technology, programmatic needs, cost, and staff support.
  4. Ensure compliance with the university's general Information Security policies and standards.
  5. Ensure that requisite security measures are implemented for the resources.

Data Custodian, functional or technical caretaker with operational responsibility for specific data or systems. Data Custodians will: 

  1. Be knowledgeable of and adhere to relevant security requirements and guidelines.
  2. Analyze potential threats and the feasibility of various security measures in order to provide recommendations.
  3. Implement and monitor physical and logical security measures that mitigate threats, consistent with the level of acceptable risk.
  4. Establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements.
  5. Ensure compliance with the university's general information security policies and standards and establish procedures for their resource area in support of these policies and standards.
  6. Communicate the purpose and appropriate use for resources under their control.  

Users, Individuals who have been granted access to university information resources, accounts, or other information technology services of the university for the performance of their assigned duties. Users include, but are not limited to faculty and staff, students, vendors, volunteers, contractors, or other affiliates of the university.  Users will:

  1. Be knowledgeable about and adhere to relevant security requirements and guidelines.
  2. Access only information resources for which they have been authorized and only through established authorization and control processes.
  3. Protect the resources under their control, such as passwords, security codes, facility cards/keys, devices, and data accessed or under their control.
  4. Disseminate data to others only when authorized and to carry out job responsibilities.
  5. Participate in general security awareness program and regulatory specific training as required per job responsibilities.
  6. Acknowledge acceptance of security responsibilities.        
  7. User’s in supervisory roles must ensure that all university assets (information and devices) have been retrieved and access removed upon an employee's termination or transfer.

Responsibility for Privacy and Confidentiality:

Systems and applications must be designed, and devices must be used to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable laws and policies.

Proper authorization must be obtained prior to collecting, accessing, or disclosing client, student, employee, or university sensitive information in compliance with applicable laws, regulations, or university policies. Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when sensitive data is transferred from a secured enterprise system to a user's device or storage location, adequate security measures must be in place at the destination location to protect this data.

Responsibility for Compliance with Law and Policy:

University departments, units, or individuals, for specific systems and information under their purview, must comply with this and other university information security polices and standards as well as applicable laws and regulations. Reviews of systems and applicable laws and regulations should be routinely performed and risk assessments conducted validating compliance. These groups should, as appropriate and relevant to their area, establish security guidelines, standards, or procedures that support and refine the provisions of the university information security polices and standards for specific activities under their purview.

RESPONSIBILITIES

Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology Services, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the university and/or action in accordance with local ordinances, state or federal laws.

ADMINISTRATIVE AUTHORITY

Vice President for Risk, Audit, and Compliance

RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION

Information Security Compliance Office
502-852-6692
isopol@louisville.edu

Thanks and appreciation to University of California, Berkeley for elements of this document (http://security.berkeley.edu/IT.sec.policy.html)

HISTORY

This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and university direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council

Revision Date(s):

1.0 / July 23, 2007 / Original Publication

1.1 / January 29, 2013 / Updated policy content

1.2 / September 24, 2014 / Reviewed content

2.0 / March 8, 2016 / Reviewed content modified for template format

2.0 / July 18, 2018 / Grammar and punctuation updates

2.0 / January 18, 2021 / Review with content clarity updates, add reference to Information Mgt Standard

2.0 / June 23, 2022 / Minor edit

Reviewed Date(s):  March 8, 2016, June 12, 2017, July 18 ,2018, January 18, 2021; June 23, 2022

The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.