Information Security Policy



Similar documents
California State University, Sacramento INFORMATION SECURITY PROGRAM

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

Responsible Access and Use of Information Technology Resources and Services Policy

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

BERKELEY COLLEGE DATA SECURITY POLICY

Records & Information Management Policy

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

BUSINESS ASSOCIATE AGREEMENT

Virginia Commonwealth University School of Medicine Information Security Standard

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General

STANDARD ADMINISTRATIVE PROCEDURE

University of Tennessee's Identity Theft Prevention Program

CODE OF BUSINESS CONDUCT AND ETHICS

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

HIPAA BUSINESS ASSOCIATE AGREEMENT

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4.

ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Information Security Policy

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER

SAMPLE BUSINESS ASSOCIATE AGREEMENT

HIPAA Business Associate Agreement

The Manitoba Child Care Association PRIVACY POLICY

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

COLLINS CONSULTING, Inc.

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Approved By: Agency Name Management

Montclair State University. HIPAA Security Policy

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

DEPARTMENTAL POLICY. Northwestern Memorial Hospital

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

United Cerebral Palsy of Greater Chicago Records and Information Management Policy and Procedures Manual, December 12, 2008

HIPAA Employee Training Guide. Revision Date: April 11, 2015

INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY]

Disclaimer: Template Business Associate Agreement (45 C.F.R )

BUSINESS ASSOCIATE AGREEMENT

HIPAA and Privacy Policy Training

ADMINISTRATIVE MANUAL Policy and Procedure

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE ADDENDUM

Standard: Information Security Incident Management

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

Approved by: Vice President, Human Resources & Corporate Resources and Vice President, Treasury & Compliance Date: October 14, 2009

What is FERPA? This act is enforced by the Family Policy Compliance Office, U.S. Department of Educational, Washington, D.C.

FDU - Records Retention policy Final.docx

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

HIPAA BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement

R345, Information Technology Resource Security 1

Contact: Henry Torres, (870)

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by:

Office 365 Data Processing Agreement with Model Clauses

MOREHOUSE COLLEGE. Standards of Conduct Guide

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

CHAPTER 12 IDENTITY PROTECTION AND IDENTITY THEFT PREVENTION POLICIES

INFORMATION SECURITY MANAGEMENT POLICY

BUSINESS ASSOCIATE ADDENDUM

NMSU Procedural Guidelines (Policy Security Cameras on University Premises)

The E-Discovery Process

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Wellesley College Written Information Security Program

Accepting Payment Cards and ecommerce Payments

College of DuPage Information Technology. Information Security Plan

Rowan University Data Governance Policy

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

ONLINE EXPRESS INTERNET BANKING CUSTOMER AGREEMENT

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Transcription:

Information Security Policy Policy Title Responsible Executive Responsible Office Information Security Policy Vice President for Information Technology and CIO, Jay Dominick Office of Information Technology, Information Security Office Endorsed by Data Governance Steering Committee, approved by ECC 11/5/2015 Contact Vice President for Information Technology and CIO, Jay Dominick Effective Date First version: May 21, 2004 ; current major revision: November 5, 2015 Last Update November 5, 2015 I. Policy Statement The purpose of this policy is to provide a security framework that will ensure the protection of University Information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our academic culture. University Information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked, used for administration, research, teaching, or other purposes. Standards and procedures related to this Information Security Policy will be developed and published separately. Failure to comply with this policy may subject you to disciplinary action and to potential penalties described in Section 1.1.7 of Rights, Rules, Responsibilities. II. Who Is Affected By This Policy The Information Security Policy applies to all University faculty and staff, as well as to students acting on behalf of Princeton University through service on University bodies such as task forces, councils and committees (for example, the Faculty-Student Committee on Discipline). This policy also applies to all other individuals and entities granted use of University Information, including, but not limited to, contractors, temporary employees, and volunteers. 1

III. Definitions Authorization the function of establishing an individual s privilege levels to access and/or handle information. Availability ensuring that information is ready and suitable for use. Confidentiality ensuring that information is kept in strict privacy. Integrity ensuring the accuracy, completeness, and consistency of information. Unauthorized access looking up, reviewing, copying, modifying, deleting, analyzing, or handling information without proper authorization and legitimate business need. University Information information that Princeton University collects, possesses, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation. IV. Policy Princeton University appropriately secures its information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our academic culture. A. Classification Levels All University Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information. When combining information, the classification level of the resulting information must be re-evaluated independently of the source information s classification to manage risks. Additional requirements for the protection of information in each classification level are identified in the Princeton Information Protection Standards and Procedures [http://protectourinfo.princeton.edu]. The classifications levels are: 1. Restricted The following University Information is classified as Restricted: Social security number Bank account number Driver s license number 2

State identity card number Credit card number Protected health information (as defined by HIPAA) State and Federal laws require that unauthorized access to certain Restricted information must be reported to the appropriate agency or agencies. All reporting of this nature to external parties must be done by or in consultation with the Office of the General Counsel (see: Office of General Counsel/Privacy/Information Technology). Sharing of Restricted information within the University may be permissible if necessary to meet the University s legitimate business needs. Except as otherwise required by law (or for purposes of sharing between law enforcement entities), no Restricted information may be disclosed to parties outside the University, including contractors, without the proposed recipient s prior written agreement (i) to take appropriate measures to safeguard the confidentiality of the Restricted information; (ii) not to disclose the Restricted information to any other party for any purpose absent the University s prior written consent or a valid court order or subpoena; and (iii) to notify the University in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such notification. In addition, the proposed recipient must abide by the requirements of this policy. Any sharing of Restricted information within the University must comply with University policies including Rights, Rules and Responsibilities and Acceptable Use Policy for Princeton University Information Technology and Digital Resources. 2. Confidential University Information is classified as Confidential if it falls outside the Restricted classification, but is not intended to be shared freely within or outside the University due to its sensitive nature and/or contractual or legal obligations. Examples of Confidential Information include all non-restricted information contained in personnel files, misconduct and law enforcement investigation records, internal financial data, donor records, and education records (as defined by FERPA). Sharing of Confidential information may be permissible if necessary to meet the University s legitimate business needs. Unless disclosure is required by law (or for purposes of sharing between law enforcement entities), when disclosing Confidential information to parties outside the University, the proposed recipient must agree (i) to take appropriate measures to safeguard the confidentiality of the information:(ii) not to disclose the information to any other party for any purpose absent the University s prior written consent or a valid court order or subpoena; and (iii) to notify the University in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such 3

notification. In addition, the proposed recipient must abide by the requirements of this policy. Any sharing of Confidential information within the University must comply with University policies including Rights, Rules and Responsibilities and Acceptable Use Policy for Princeton University Information Technology and Digital Resources. 3. Unrestricted Within Princeton (UWP) University Information is classified as Unrestricted Within Princeton (UWP) if it falls outside the Restricted and Confidential classifications, but is not intended to be freely shared outside the University. One example is the Faculty Facebook. The presumption is that UWP information will remain within Princeton University. However, this information may be shared outside of Princeton if necessary to meet the University s legitimate business needs, and the proposed recipient agrees not to re-disclose the information without the University s consent. 4. Publicly Available University Information is classified as Publicly Available if it is intended to be made available to anyone inside and outside of Princeton University. B. Protection, Handling, and Classification of Information 1. Based on its classification, University Information must be appropriately protected from unauthorized access, loss and damage. Specific security requirements for each classification can be found in the Princeton Information Protection Standards and Procedures. 2. Handling of University Information from any source other than Princeton University may require compliance with both this policy and the requirements of the individual or entity that created, provided or controls the information. If you have concerns about your ability to comply, consult the relevant senior executive and the Office of the General Counsel. 3. When deemed appropriate, the level of classification may be increased or additional security requirements imposed beyond what is required by the Information Security Policy and Princeton Information Protection Standards and Procedures. V. Responsibilities All Princeton University faculty, staff, students (when acting on behalf of the University through service on University bodies), and others granted use of University Information are expected to: 4

Understand the information classification levels defined in the Information Security Policy. As appropriate, classify the information for which one is responsible accordingly. Access information only as needed to meet legitimate business needs. Not divulge, copy, release, sell, loan, alter or destroy any University Information without a valid business purpose and/or authorization. Protect the confidentiality, integrity and availability of University Information in a manner consistent with the information's classification level and type. Handle information in accordance with the Princeton Information Protection Standards and Procedures and any other applicable University standard or policy. Safeguard any physical key, ID card, computer account, or network account that allows one to access University Information. Discard media containing Princeton University information in a manner consistent with the information s classification level, type, and any applicable University retention requirement. This includes information contained in any hard copy document (such as a memo or report) or in any electronic, magnetic or optical storage medium (such as a memory stick, CD, hard disk, magnetic tape, or disk). Contact the Office of the General Counsel prior to disclosing information generated by that Office or prior to responding to any litigation or law enforcement subpoenas, court orders, and other information requests from private litigants and government agencies. Contact the appropriate University office prior to responding to requests for information from regulatory agencies, inspectors, examiners, and/or auditors. VI. Related Princeton Policies, Procedures, Standards, and Templates Rights, Rules, Responsibilities Acceptable Use Policy for Princeton University Information Technology and Digital Resources University Policy for Accepting and Handling Credit and Debit Card Payments Policy on Export Controls Research Data Security Guidelines [http://www.princeton.edu/ria/human-researchprotection/data/] Red Flags Procedures Under Princeton University s Identity Theft Prevention Program Procedure for Responding to a Possible Exposure of Sensitive University Data Princeton Information Protection Standards and Procedures [http://protectourinfo.princeton.edu currently in draft] Confidentiality Information Agreement Template 5

VII. Policy Review At a minimum, the Information Security Policy will be reviewed every 24 months. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information