FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY



Similar documents
Encryption Security Standard

R345, Information Technology Resource Security 1

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Virginia Commonwealth University School of Medicine Information Security Standard

Wright State University Information Security

Wellesley College Written Information Security Program

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Information Security Policy

DHHS Information Technology (IT) Access Control Standard

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

Neutralus Certification Practices Statement

Virginia Commonwealth University School of Medicine Information Security Standard

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

California State University, Sacramento INFORMATION SECURITY PROGRAM

Rowan University Data Governance Policy

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

NETWORK SECURITY GUIDELINES

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Responsible Access and Use of Information Technology Resources and Services Policy

IT Security Standard: Computing Devices

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Contact: Henry Torres, (870)

MCOLES Information and Tracking Network. Security Policy. Version 2.0

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY

USFSP Network Security Guidelines

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

HIPAA: Bigger and More Annoying

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Information Resources Security Guidelines

PBGC Information Security Policy

Information Security Policy

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Retention & Destruction

RUTGERS POLICY. Policy Name: Standards for Privacy of Individually Identifiable Health Information

Information Technology Acceptable Use Policies and Procedures

Specific observations and recommendations that were discussed with campus management are presented in detail below.

The Internet and 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3

Network Security Policy

Procedure Manual. Number: A6Hx2-8.01a. Title: College Network and Software Usage by Employees. Policy Number: 6Hx of 21

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Access Control Policy

Information Security Policy Manual

Authorized. User Agreement

Computer, Communication, and Network Technology Acceptable Use

University of Liverpool

INFORMATION SECURITY OVERVIEW

How To Manage Information Security At A University

IF YOU CHOOSE NOT TO ACCEPT THIS AGREEMENT, WHICH INCLUDES THE CERTIFICATE POLICY, THEN CLICK THE "DECLINE" BUTTON BELOW.

HIPAA Security Alert

IT Security Procedure

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

LET S ENCRYPT SUBSCRIBER AGREEMENT

Network Security Policy

New River Community College. Information Technology Policy and Procedure Manual

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

Contra Costa Community College District Business Procedure SECURITY CAMERA OPERATING PROCEDURE

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Supplier Information Security Addendum for GE Restricted Data

Valdosta Technical College. Information Security Plan

HIPAA Audit Risk Assessment - Risk Factors

PHI- Protected Health Information

Merchant Gateway Services Agreement

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE

COMPUTER USE IN INSTRUCTION

TECHNICAL SECURITY AND DATA BACKUP POLICY

Information Security Operational Procedures Banner Student Information System Security Policy

Regulation 8.3.R2 COMPUTING AND NETWORK FACILITIES RULES. 1. Definitions. In this regulation unless a contrary intention appears.

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

CSH111 COMPANY-ISSUED CREDIT CARDS

Transcription:

FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY Authority: Category: Applies to: Chancellor, Fayetteville State University University-wide Faculty, Staff, and Students History: Approved on 06/01/2013 Modified on 05/15/2013 First Issued on 10/3/03 Related Policies: Identity Theft Protection Act of State of North Carolina Network Use Policy Policy on Acceptable Use of Computer Resources Policy on Email Use Contact for Info: Chief Information Officer (672-1477) I. Purpose Fayetteville State University maintains electronic information resources, which are essential to performing University business. Similar to any other capital resources owned by the University, these resources are to be viewed as valuable assets over which the University has both rights and obligations to manage, protect, secure, and control. University employees, students, and other affiliates are expected to utilize these resources for appropriate purposes, protect access to them, and control them appropriately. Examples of information resources include, but are not limited to, computer systems, network systems, software and data. II. Glossary A. Information Security Officer - The Information Security Officer works in conjunction with information resource owners, data administrators, and departmental data security liaisons to insure that access rights to systems and data are consistent and applicable, as individuals jobs require. (Ex., ITTS Administrative Systems Security Staff, ITTS Network & Systems Security Staff) 1

B. Resource Owner - An administrative officer within the University-given responsibility for managing specific information resources within a functional area. These resources may be equipment-related or data-related. (Ex., CFO designated owner of the financial data) C. Resource Steward - An individual appointed by a Resource Owner to manage a subset of the resources designated as being within the area of responsibility of that Owner. (Ex., Director of Financial Aid Resource steward of student financial aid data) D. Resource User - Any individual requiring access to University information resources in the course of meeting the requirements of the work position or an educational curriculum. (Ex., Payroll Staff resource users of payroll and financial data) II. Purpose This policy sets forth the mechanisms by which data stored on University-owned computing systems and utilized by University employees and students is secured and protected. This policy is adopted and promoted in order that: A. The University can meet its record-keeping and reporting obligations as required by state and federal law, the Board of Trustees, the Board of Governors, and University administrators. B. The University can comply with the Family Educational Rights and Privacy Act of 1974 (FERPA - the Buckley Amendment), Identity Theft Protection Act of State of North Carolina and other statutes and policies protecting the rights of individuals. C. The University can consistently maintain data integrity and accuracy. D. The University can assure that authorized individuals have timely and reliable access to necessary data. E. The University can assure that unauthorized individuals are denied access to computing resources or other means to retrieve, modify or transfer data. F. Every employee, student and affiliate of Fayetteville State University must be aware of these risks, and act in a way to protect the information resources of the University. III. Scope This policy applies to all individuals associated with Fayetteville State University, including, but not limited to: Faculty Staff Students Student assistants 2

Contractors Temporary staff This policy applies to the all University-owned information technology hardware and its software, including, but not limited to, desktop workstations, departmental servers and institutionally available resources, such as: Servers Personal computers Network systems Access card systems Computer integrated telephony Other technology hardware such as iphones, ipads, Laptops, and smart phones. The policy applies to all University data, and reports derived from University data; and it applies to all programs utilizing University operational data. III. Responsibilities for Information Security A. The Chief Information Officer is responsible for ensuring that Fayetteville State University has adequate information security, and that this policy is observed. To that end, the Information Security Officers, currently IT managers, have the added responsibility of developing and publicizing the information security policy, and monitoring its compliance. B. The Information Security Liaisons coordinate the standards, procedures, and guidelines necessary to administer access to University information resources. The Information Security Liaisons in conjunction with information resource owners, the University Data Administrator, and functional users to develop this material. C. As expected, every employee, student and affiliate at Fayetteville State University is responsible for protection of University assets, including information systems equipment and data. Each employee, student and affiliate at FSU is responsible for notifying the Information Security Officer whenever he or she observes actions, which seem to be contrary to this policy. The Information Security Officer is responsible for responding appropriately to actual or perceived breaches by working together with the Resource Owners and the Information Technology personnel directly responsible for the resource in question. IV. Passwords A. Security 1. No one should access University information systems without an authorized network account ID and password. Receiving a network 3

account ID requires approval of the individual(s) responsible for the system in question. 2. A network account ID may be revoked or disabled to protect the system at any time. Network account access will be revoked if the employee, student or affiliate terminates the relationship with the University. 3. Inactive network accounts are temporarily disabled until continued need can be established. Each user is required to change his or her password at least every 90 days. ITTS will automatically enforce this when a user has not changed his/her password within the time of expiration. 4. University applications systems must be configured so that only users with authorized network accounts can access them. 5. Network users logged into systems and computers should not leave their workstations unsecured. The following password protection guidelines should be followed: 1. Passwords are not to be shared except in emergency circumstances or when there is an overriding operational necessity. 2. Passwords should be changed immediately after sharing. 3. Passwords should not be kept in a location accessible to others or secured in a location for which protection is less than that required for information that the password protects. 4. Passwords or any other sensitive information are not to be sent via email. 5. Stolen or compromised passwords should be changed immediately 6. Passwords are not to be written down and post it in an unsecured area such as a computer s monitor. 7. FSU employees are not to provide their user ids and passwords to anyone in person or via e-mail B. Password Management All authorized users must enroll in the password management system in order to change and retrieve forgotten passwords. Persons not enrolled in the system and need assistance with their password will need to come in person to the help desk with a valid FSU ID or provide the necessary authenticating information over the phone to a helpdesk agent. V. Policy Awareness A. Every student, employee and affiliate of Fayetteville State University should have access to a copy of this policy. All new students and employees should be made aware of the importance of information systems security and their responsibilities 4

in the process. All effort should be made to include this policy in existing communication mechanisms for policy dissemination. B. Prior to network accounts being issued, the Resource Stewards of each department are responsible for notifying employees of the security practices of their departments, and the policy of the University. C. All students must be made aware of the Information Security Policy. The Dean of Students is responsible for notifying students of information security practices relating to students. D. All affiliates must be made aware of the Information Security Policy. The sponsoring official is responsible for notifying the affiliate of information security practices relating to affiliates. E. Employees and students who use FSU IT network and IT resources must go through the online security awareness program available through ITTS website VI. Access to Equipment VII. Only authorized persons whose work requires it will be allowed access to information systems resources. All information systems resources will be protected against fire, water, physical damage and theft. The appropriate protection will be selected from among physical barriers, environmental detection and protection, insurance, and other risk management techniques. Data Protection and Security All data and program files on University information systems will be protected against unauthorized changes. Sensitive data and program files will be protected against unauthorized reading and copying. FSU requires that all FSU employees save their data files on the network drive instead of the Desktop PC or laptop. Furthermore, employees who make copies of data on thumb drives and CDs must take responsibility to insure that sensitive information such as social security numbers, credit card numbers and addresses of FSU employees and students have additional layers of protection. University information systems shall be configured to control, which network accounts can read and/or write to any given file. Every file shall be associated with an owner. The owner of each file is responsible for specifying whether the file is sensitive and which network accounts should be allowed to read and/or write to it. All university data must be stored in devices that are backed up by the data center. This essentially means that individual users and departments that need to work with university data locally on their workstations must store the data on the network ( T Drive designated for individuals and O Drive designated for departments) to protect from inadvertent loss of data. The BANNER-the ERP system for the campus which houses all student, faculty, and staff information is secured through firewall and backed up nightly at MCNC (UNC-GA hosting center) for recovery purposes. A copy of the back-up data is physically stored at a MCNC designated off-site location to protect against natural or man-made disasters at the MCNC data center. 5

VIII. Violations Violations of this policy incur the same types of disciplinary measures as violations of other University policies including, but not limited to, the revocation or disablement of the network account. IX. Revisions Fayetteville State University Information Security Policy will be reviewed on an annual basis, in cooperation with Resource Owners and Information Technology advisory groups. All affected parties are encouraged to correspond with the Chief Information Officer regarding any suggestions for revising this document. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information