Information Security Policy
Initially Approved: June 24, 2013
Revised and approved: April 25, 2016
Revised and approved: March 24, 2020
Technical Corrections: December 8, 2022
Policy Topic: Information Technology
Administering Office: Office of CIO
I. POLICY STATEMENT
Information security is the ongoing process of exercising due care and due diligence
to protect the confidentiality, integrity and availability of information and information
technology resources. Institutional information is both a valuable asset and a potential
liability to the University. As such, the stewardship and security of institutional
information are important responsibilities for every member of Western Carolina University
(hereinafter “University” or “WCU”) that has access to it. As an academic institution
we must encourage the free flow of most information, while protecting critical institutional
information.
The purpose of this policy is to:
- Define information security, its overall objectives and scope and the importance of
security as an enabling mechanism for institutional information sharing;
- State the commitment of University leadership to support the goals and principles
of information security;
- Provide a framework for referencing supporting security policies and standards; and
- Define who is responsible for ensuring that institutional information is handled in
an appropriate manner and the procedures for reporting information security incidents.
II. SCOPE AND APPLICATION OF THE POLICY
- This policy applies to any person having responsibility for institutional information
and any person making use of the University’s information technology resources, whether
located on or off-campus, whether University-owned or contracted for use by the University.
- The Policy is an overarching information security policy that refers to a group of
more specific related University policies and information security standards.
III. DEFINITIONS
- The term “Information Security” shall mean the preservation of confidentiality, integrity and availability of information;
in addition, other properties, such as authenticity, accountability, non-repudiation,
and reliability can also be involved.
- The term “Standards” shall mean mandatory actions or rules that give this policy support and reinforcement
in direction.
- The term “Information Technology Resource” shall mean any system, media or software used to transmit, store or process information
or data.
- The term “Institutional Information” shall mean information generated, collected, maintained and/or owned by the University
regardless of format.
- The term “ISO 27002” shall mean an information security standard published by the International Organization
for Standardization (ISO) and by the International Electrotechnical Commission (IEC),
entitled Information security, cybersecurity and privacy protection - Information security
controls.
- The term “Information Owner” shall mean the individual or department that makes decisions regarding how to define,
process and handle institutional information.
- The term “Workforce Member” includes, but is not limited to, faculty, staff, employees, guests, consultants,
vendors, volunteers, interns, student workers or temporary workers associated with
the University.
IV. UNIVERSITY COMMITMENT
The following is an excerpt from the WCU Board of Trustees resolution adopted December
9, 2011:
WHEREAS, The University of North Carolina Information Technology Security Council
recommended, and the University of North Carolina Chief Information Officers Council
has approved, the adoption of ISO/IEC 27002 Information Technology – Security Techniques
– Code of practice for information security management (the “ISO Standards”) as the
common security framework to be used by the University and other University of North
Carolina constituent institutions in the development of information technology security
policies; and
WHEREAS, the ISO Standards provide a comprehensive and systematic approach to ensure
that appropriate information technology security controls are in place as well as
flexibility to meet the specific needs of the constituent institutions; and
BE IT RESOLVED, that this Board of Trustees hereby approves the adoption of the ISO
Standards as the security framework for the University.
V. SECURITY POLICY FRAMEWORK
The University of North Carolina and WCU have adopted ISO 27002 as the framework
for university information security policy. This policy is the umbrella University
information security policy that will refer to existing and future policies and standards
that support it. Related university policies and standards will reference security
clauses from the ISO 27002 framework.
VI. RESPONSIBILITIES
- The Chancellor, Provost, Vice Chancellors, General Counsel, the CIO, the Chief of
Staff and the Director of Athletics are responsible for ensuring the appropriate handling
of the institutional information produced and managed by their division/unit. These
positions are the institutional Data Stewards.
- The Information Technology Division is responsible for ensuring that the appropriate
technologies and system policies and permissions are in place to ensure appropriate
access to electronic data.
- The Chancellor has established a Data Security and Stewardship Committee, which reports
to the Chancellor. The charge of this Committee is to oversee the implementation of
this policy, ensure procedures are up to date, coordinate all relevant security policy
and standards reviews, and assist offices with risk assessments, etc.
- Department managers are responsible for all general and regulatory information security
training of workforce members, and for enforcing information security policies and
standards.
- All workforce members are responsible for reporting information security incidents
and assisting the Information Security Incident Response Team in investigating and
mitigating computer security incidents.
VII. COMPLIANCE
All workforce members are:
- Responsible for protecting any institutional information and systems that they access,
process or handle;
- Responsible for the consequences of their decisions and actions associated with institutional
information access and processing; and
- Responsible for discussing and reporting any suspicious or harmful behavior and activity
to the IT Division and the owner of the institutional information, if known.
VIII. REFERENCES
International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational
Controls)
University Policy 52, “Responsible Use of Information Technology Resources”
University Policy 97, “Data Security and Stewardship”
University Policy 106, “Protecting the Privacy and Security of PII”
Information Security Standards