Carnegie Mellon University

Policies 

The Information Security Office is responsible for maintaining a number of University policies that govern the use and protection of University data and computing resources.  These policies undergo a reigorous review process and are eventually approved by the Office of the President.  A comprehensive list of all University policies can be found on the University Policies website.  Below is a list of policies that are maintained by the Information Security Office.

Information Security Policy

The Information Security Policy was published in December 2008 as a measure to protect the confidentiality, integrity and availability of institutional data.  It applies to all faculty, staff and third-party agents of the University and will be supported by a collection of guidelines and procedures that will aid in its implementation.  The Information Security Policy replaces the Data and Computer Security Policy, which is now retired.

Computing Policy

The Computing Policy was published in 2003 and defines acceptable behavior with respect to the use of University computing resources. It applies to anyone who is provisioned access to computing resources.  The Computing Policy also defines privacy expectations with respect to student, faculty and staff data.  This policy is scheduled for review during the 2017-2018 fiscal year.

GLBA Information Security Program Policy

The GLBA Information Security Program Policy was published in 2003 to address regulatory requirements imposed by the Gramm-Leach-Bliley Act of 1999.  This Act dictates security requirements related to the protection of certain types of personal financial information.  Among these requirements is the implementation of a comprehensive information security program.  The GLBA Information Security Program Policy outlines components of the University's information security program with respect to the protection of personal financial information.

Other Policies

There are a number of policies maintained by other areas of the University that may be of value when dealing with the protection of University data and computing resources.  They include the following: