Information Security Policy-Computing Services ISO - Carnegie Mellon University

Information Security Policy


Purpose

Carnegie Mellon University (“University”) has adopted the following Information Security Policy (“Policy”) as a measure to protect the confidentiality, integrity and availability of Institutional Data as well as any Information Systems that store, process or transmit Institutional Data.

Scope

This Policy applies to all faculty, staff and third-party Agents of the University as well as any other University affiliate who is authorized to access Institutional Data.

Maintenance

This Policy will be reviewed by the University’s Information Security Office every 5 years or as deemed appropriate based on changes in technology or regulatory requirements.

Enforcement

Violations of this Policy may result in suspension or loss of the violator’s use privileges with respect to Institutional Data and University-owned Information Systems. Additional administrative sanctions may apply up to and including termination of employment or contractor status with the University. Civil, criminal and equitable remedies may apply.

Exceptions

Exceptions to this Policy must be approved by the Information Security Office, under the guidance of the Executive Steering Committee on Computing (“ESCC”), and formally documented.  Policy exceptions will be reviewed on a periodic basis for appropriateness.

Definitions

Agent, for the purpose of this Policy, is defined as any third party that has been contracted by the University to provide a set of services and that stores, processes or transmits Institutional Data as part of those services.

Executive Steering Committee on Computing (“ESCC”) is a committee appointed by the Provost.  Members include the Provost, Vice Provost for Computing and Chief Information Officer, Vice President and General Counsel, Vice President and Chief Financial Officer, Vice President for Campus Services, Vice President for University Advancement, Vice President for Research, two academic deans appointed by the Provost, a member appointed by the Administrative Leadership Group and the Executive Director of Computing Services.

Information System is defined as any electronic system that stores, processes, or transmits information.

Institutional Data is defined as any data that is owned or licensed by the University.

Policies

01. Throughout its lifecycle, all Institutional Data shall be protected in a manner that is considered reasonable and appropriate, as defined in documentation approved by the ESCC and maintained by the Information Security Office, given the level of sensitivity, value and criticality that the Institutional Data has to the University.

02. Any Information System that stores, processes or transmits Institutional Data shall be secured in a manner that is considered reasonable and appropriate, as defined in documentation approved by the ESCC and maintained by the Information Security Office, given the level of sensitivity, value and criticality that the Institutional Data has to the University.

03. Individuals who are authorized to access Institutional Data shall adhere to the appropriate Roles and Responsibilities, as defined in documentation approved by the ESCC and maintained by the Information Security Office.

Additional Information

If you have any questions or concerns related to this Policy, please send email to the University’s Information Security Office at iso@andrew.cmu.edu.

Additional information can also be found using the following resources:


Revision History

Version | Published | Author | Description
1.0 | 12/17/2008 | Doug Markiewicz | Policy was approved by the President's Council on 12/17/2008.

Status: Published
Published: 12/17/2008
Last Reviewed: 03/13/2014
Last Updated: 12/17/2008
Version: 1.0