The Information Security Office is responsible for maintaining a number of University policies that govern the use and protection of University data and computing resources. These policies undergo a rigorous review process and are eventually approved by the Office of the President. A comprehensive list of all University policies can be found on the University Policies website. Below is a list of policies that are maintained by the Information Security Office.
Information Security Policy
The Information Security Policy was published in December 2008 as a measure to protect the confidentiality, integrity and availability of institutional data. It applies to all faculty, staff and third-party agents of the University and will be supported by a collection of guidelines and procedures that will aid in its implementation. The Information Security Policy replaces the Data and Computer Security Policy, which is now retired.
The Data and Computer Security Policy was originally published in 1990 by the Administrative Computing department. Until recently, it was maintained by the Information Security Office. This policy has been replaced by the Information Security Policy, effective December 17, 2008.
The Computing Policy was published in 2003 and defines acceptable behavior with respect to the use of University computing resources. It applies to anyone who is provisioned access to computing resources. The Computing Policy also defines privacy expectations with respect to student, faculty and staff data. This policy is scheduled for review during the 2009-2010 fiscal year.
The HIPAA Information Security Policy was originally published in 2008 to address regulatory requirements imposed by the Health Insurance Portability and Accountability Act of 1996. This policy has been replaced by the HIPAA Policy, effective March 2010. The HIPAA Policy is maintained by the Office of General Counsel.
GLBA Information Security Program Policy
The GLBA Information Security Program Policy was published in 2003 to address regulatory requirements imposed by the Gramm-Leach-Bliley Act of 1999. This Act dictates security requirements related to the protection of certain types of personal financial information. Among these requirements is the implementation of a comprehensive information security program. The GLBA Information Security Program Policy outlines components of the University's information security program with respect to the protection of personal financial information.