Information Security Policy
WEBER STATE UNIVERSITY Revision 0319/19
The purpose of the Information Security Policy is to
provide policy to secure Sensitive Information of University employees, students and others affiliated with the University, and to
prevent the loss of information that is critical to the operation of the University
Information Technology Resources
data, applications, networks and computer systems.
Define mechanisms which protect the reputation of the University and allow the University to satisfy its legal and ethical
responsibilities with regard to its networks’ and computer
systems’ connectivity to networks outside the University.
Provide written guidelines and procedures to manage an
ect the integrity and vai of University data,
rl information considered to be Sensitive Information whether i
University Information Technology Resources are a valuable University asset and must be managed accordingly to assure their
integrity, security and availability for lawful educational purposes
This document describes policy for use by all persons and/or
organizations that have access to University data,
are subject to change approved by the President and Vice President for Information Technology
A. FPM1055, Mobile Device Policy
B. Utah State Board of Regents
Points and software systems (including but not limited to Web hosts, customized databases, University databases, and
personnel
Computing Equipment - All hardware used to process, store or transmit University data.
Data - Information contained in either University computer systems or in physical copy that is utilized for the purposes of
potiey
Decentralized Computer Systems - Computer hardware (including but not limited to Servers, Ro
switches and access
Point) and software systems (including but not limited to Web hosts, customized databases, University databases, and
faculty developed software for educational purposes) maintained by any non-IT Division department
data or information, as well as the data or information set. This definition includes but is not limited to
tronic mi,
information or microm. This also includes any wire, radio, electromagnetic, photo optical, photo electronic or other facility
used in transmitting electronic communications, and any computer facilities or related electronic equipment that
electronically stores such communications
intended for spect use by students, faculty or staff.
H. Mobile Device - Any handheld or portable computing device running an operating system optimized or
designed for mobile computing, such as Android, Blackberry OS (RIM), Apple’s iOS, Windows Mobile. Any device running
a full desktop version operating system is not included in this definition.
I. Portable Equipment - Laptops and other removable storage devices such as Flash Drives,
J. Public Information - Information that may be provided openly to the public.
K. Security - Measures taken to reduce the risk of) unauthorized access to IT Resources via logical, physical, managerial, or
social engineering means and/or) damage to or loss of Resources through any type of disaster, including cases where a
violation of Security or a disaster occurs despite preventative measures.
L. Sensitive Information - Any data, electronic or physical copy, of which the compromise with respect to confidentiality,
integrity, and/or availability could have a material adverse effect on Weber State University interests, the conduct of
University programs or the privacy to which individuals are entitled. Examples of such data would include that data
protected by the Government Records Access and Management Act ("GRAMA"), Family Educational Rights and Privacy Act
("FERPA"), Gramm-Leach-Bliley Act ("GLBA") or other laws governing the use of data or data that has been deemed by the
University as requiring protective measures.
M. Strong Password - A password that is at least § characters long and is a combination of upper and lower case letters,
numbers and characters. Strong passwords do not include phrases, names, or other types of dictionary words.
N. User - All persons and/or organizations that have access to University data.
O. Workstation - Computers assigned to one or more University employees for conducting University business.
This policy covers paper-based and electronic data defined to include, but not be limited to, all information maintained, processed,
or distributed by the University computer systems that contain data defined by law or policy as Sensitive Information. This policy
also applies to all persons and organizations that have access to University data.
This policy applies to all organizations within the University even though the data needed and used by those organizations are
different. Additionally, all University owned devices including, but not limited to, workstations, lab computers, and Wash are
affected by this policy unless otherwise stated. The principles of academic freedom and free exchange of ideas apply to this policy,
which is not intended to limit or restrict those principles. This policy is intended to be in accordance with federal and state laws
and regulations regarding information security.
Each organization within the University must appropriately apply this policy to make certain they are meeting the requirements
regarding Information Security. It is recognized that the technology at some organizations may limit immediate compliance with
the policy; such instances of non-compliance must be reviewed and approved by the Information Security Office ("ISO") and the
Information Security Task Force ("ISTF"). Reference Section S for more information about policy exceptions.
Note: This policy applies to mobile devices as applicable. For additional requirements pertaining to tablets and smartphones
see Mobile Device Policy EM 0-5).
ROLES AND RESPONSIBILITIES
The persons responsible for implementing this policy and their respective duties and/or responsibilities with respect to this policy
are described in Appendix A.
A. Information Confidentiality and Privacy
All users are expected to respect the confidentiality and privacy of individuals whose records they access. Users are
responsible for maintaining the confidentiality of data they access or use and the consequences of any breach of
confidentiality.
B. Handling Sensitive Information
The unauthorized addition, modification, deletion or disclosure of Sensitive Information included in University data files is
expressly forbidden.
C. Centralized/Decentralized Computing Systems
All computing systems will be in compliance with this policy and University Security standards regardless of whether they are
centralized or decentralized. Any decentralized computing systems that are unable to comply with the requirements of this policy
may be required to relocate to the University Data Center at the discretion of the ISTF and ISO.
D. Sensitive Information Collection
Sensitive Information must only be collected for lawful and legitimate University purposes according to the requirements outlined
in Board of Regents Role R24, Information Technology Resource Security.
E. Public Information
Although there are no restrictions on disclosure of Public Information, the same precautions prescribed in this policy for protection
of University data must be adhered to for the purpose of preventing unauthorized modification, deletion, etc. of Public Information.
Access to University data and its resident computing systems will be restricted to those users that have a legitimate business need
and appropriate approvals for access to such information. Users must ensure that Sensitive Information is secured from
unauthorized access and are responsible for safeguarding this information and related computing systems at all times through the
use of strong passwords and as outlined in the Access Control Section of Appendix
G. Remote Access
Only authorized Users will be permitted to remotely connect to University computer systems, networks and data repositories toonic ues se ous esas oy tow Stats er Secu ene Mee
H. Physical Security
The physical security of computing resources will be accomplished utilizing current industry standards and appropriate technology
and plans as defined by the ISO. Responsibility for Centralized Computing systems security will reside with the IT Division. All
other computing systems security will be the responsibility of the appropriate IT specialist. See the Physical Security section of
Appendix B for specific requirements.
I. Data Security
Users will ensure Sensitive Information is secure and the integrity of records is safeguarded in storage and transmission. Users who
handle Sensitive Information are responsible for the proper handling of this data while under their control. Refer to the Data
Security section of Appendix B for specific Data Security Requirements.
J. Backup and Recovery
Administrators of Centralized computing systems will backup essential University data according to a documented disaster
recovery plan consistent with industry standards and store such data at a secure commercial site. Decentralized computing
systems will have, at a minimum, a documented disaster recovery plan covering backup procedures, timelines, storage
locations/procedures and recovery.
K. Security Incident Response and Handling
All suspected or actual security breaches of University, college or departmental system(s) will be reported immediately to the
organization's Data Security Steward who will consult with the ISO to assess the level of threat and/or liability posed to the
University or affected individuals and respond according to Incident Response Guidelines maintained by the ISO. The University
will report and/or publicize unauthorized information disclosures as required by law or specific industry requirements.
L. Service Providers
Service providers utilized to design, implement, and service technologies must provide contractual assurance that they will protect
the University’s Sensitive Information it receives according to University or commercially reasonable standards.
Such contracts must be reviewed by University Legal Counsel for appropriate terminology regarding use and protection of Sensitive
Information.
M. Training and Awareness
Each new University employee will be trained on the Acceptable Use Policy and University Information Security Policy as they relate
to individual job responsibilities. Such training will include information regarding controls and procedures to prevent employees
from providing data to an unauthorized individual. All employees will be required to complete additional security training as
prescribed by the ISO.
N. Computer Labs
Weber State University provides robust computing lab resources for utilization in legitimate and lawful academic endeavors.
Computing equipment in these labs will conform to all requirements of this policy with the addition of requirements stated in the
Computing Lab Section of Appendix B.
O. Software
Only properly licensed software may be installed on University computer systems.
P. Penalties and Enforcement
Penalties and enforcement of this policy will be in accordance with University policies. Appropriate disciplinary and/or legal action
will be taken when warranted in any area involving violations of this policy.
Q. Policy Review and Revision
This policy and its associated appendices will be subject to periodic review and revision.
R. Policy Clarification
For clarification or further information on any item in this policy, the user is encouraged to contact the ISO, their Data Security
Steward or a member of the ISTF.
S. Exceptions to Policy
Any computing system that is unable to comply with this policy must file an exception. Exceptions to this policy must be approved
by the ISO based on academic or business need and reviewed by the ISTF. The ISO will review exceptions annually for continued
application and notify the exception holder of any concerns.
T. Additional Policies
Users should be aware that Utah State Board of Regents may implement other policies that may affect Information Security on
campus. The University adopts such policies and Users must comply with any such standards.
APPENDIX A - Roles and Responsibilities
Division Heads/College Deans/Managers/Supervisors
These individuals shall be responsible for oversight of their employees
of supervision. They will
+ Ensure that the management and control of risks outlined in this policy are adhered to by employees in their unit
+ Ensure employees’ access to University data is appropriate
+ Regularly review and document employee access to University data
+ Ment the necessary Data Security Steward and ensure they receive adequate training to perform this.
+ Provide employees with resources and methods to properly secure equipment where University data is processed, stored or
handled.
+ Provide employees with approved resources and methods for external data storage where University data is processed, stored or
handled.
IT Specialist
These individuals are responsible for being the technical support within a business unit college/school or department.
Data Security Steward
These individuals who are responsible for business processes within their areas of supervision will
+ Understand current Information Security policies, standards and guidelines and act as a point of contact for questions regarding
Information Security and direct the user to the appropriate source (e.g. the ISO, policies or standards).
+ Operate as Information Security monitors in their divisions or college.
authorized use and access to University data in their areas