INFORMATION SECURITY POLICY
WEBER STATE UNIVERSITY
Revision 03/19/19

The purpose of the Information Security Policy is to provide policy to secure Sensitive Information of University employees, students and others affiliated with the University, and to prevent the loss of information that is critical to the operation of the University.

Information Technology Resse ats, applications, networks and computer systems.

Define mechanisms which protect the reputation of the University and allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer

Provide written guidelines and procedures to manage an ect the integrity and vai of University data, tems' connectivity to networks outside the University.

rl information considered to be Sensitive Information whether i

University Information Technology Resources are a valuable University asset and must be managed accordingly to assure their integrity, security and availability for lawful educational purpose

This document describes policy for use by all persons and/or organizations that have access to University data.

sve subject to change approved by the President and Vice President for Information Technology

A. PPM 10-5, Mobile Device Policy
Utah State Board of Regents

Points) and software systems (including but not limited to Web hosts, customized databases, University databases, and personel

Computing Equipment - All hardware used to process, store or transmit University data.

Data - Information contained in either University computer systems or in physical copy that is utilized for the purposes of potiey

Decentralized Computing Systems - Computer hardware (including but not limited to Servers, Routers, switches and access Points) and software systems (including but not limited to Web hosts, customized databases, University databases, and faculty developed software for educational purposes) maintained by any non-IT Division department.

data or information, as well as the data or information itself. This definition includes but is not limited to electronic mail, information or microfilm. This also includes any wire, radio, electromagnetic, photo optical, photo electronic or other facility used in transmitting electronic communications, and any computer facilities or related electronic equipment that electronically stores such communications.

intended for specific use by students, faculty or staff

H. Mobile Device - Any handheld or portable computing device including running an operating system optimized or designed for mobile computing, such as Android, Blackberry OS (RIM), Apple's iOS, Windows Mobile. Any device running a full desktop version operating system is not included in this definition.

I. Portable Equipment - Laptop and other removable storage devices such as Flash Drives,

J. Public Information - Information that may be provided openly to the public.

K. Security - Measures taken to reduce the risk of a) unauthorized access to IT Resources via logical, physical, managerial, or social engineering means and/or b) damage to or loss of IT Resources through any type of disaster, including cases where a violation of Security or a disaster occurs despite preventative measures.

L. Sensitive Information - Any data, electronic or physical copy,
of which the compromise with respect to confidentiality, integrity, and/or availability could have a material adverse effect on Weber State University interests, the conduct of University programs or the privacy to which individuals are entitled. Examples of such data would include that data protected by the Government Records Access and Management Act ("GRAMA"), Family Education Rights and Privacy Act ("FERPA"), Gramm-Leach-Bliley Act ("GLBA") or other laws governing the use of data or data that has been deemed by the University as requiring protective measures.

M. Strong Password - A password that is at least 8 characters long and is a combination of upper and lower case letters, numbers and characters. Strong passwords do not include phrases, names, or other types of dictionary words.

N. User - All persons and/or organizations that have access to University data.

O. Workstation - Computers assigned to one or more University employees for conducting University business.

This policy covers paper-based and electronic data defined to include, but not be limited to, all information maintained, processed, or distributed by the University computer systems that contain data defined by law or policy as Sensitive Information. This policy also applies to all persons and organizations that have access to University data.

This policy applies to all organizations within the University even though the data needed and used by those organizations are different. Additionally, all University owned devices including, but not limited to, workstations, lab computers, and Wash are affected by this policy unless otherwise stated.

The principles of academic freedom and free exchange of ideas apply to this policy, which is not intended to limit or restrict those principles. This policy is intended to be in accordance with federal and state laws and regulations regarding information security.
Each organization within the University must appropriately apply this policy to make certain they are meeting the requirements regarding Information Security. It is recognized that the technology at some organizations may limit immediate compliance with the policy; such instances of non-compliance must be reviewed and approved by the Information Security Office ("ISO") and the Information Security Task Force ("ISTF"). Reference Section S for more information about policy exceptions.

Note: This policy applies to mobile devices as applicable. For additional requirements pertaining to tablets and smartphones see Mobile Device Policy (PPM 10-5).

ROLES AND RESPONSIBILITIES

The persons responsible for implementing this policy and their respective duties and/or responsibilities with respect to this policy are described in Appendix A.

A. Information Confidentiality and Privacy
All users are expected to respect the confidentiality and privacy of individuals whose records they access. Users are responsible for maintaining the confidentiality of data they access or use and the consequences of any breach of confidentiality.

B. Handling Sensitive Information
The unauthorized addition, modification, deletion or disclosure of Sensitive Information included in University data files is expressly forbidden.

C. Centralized/Decentralized Computing Systems
All computing systems will be in compliance with this policy and University Security standards regardless of whether they are centralized or decentralized.
Any decentralized computing systems that are unable to comply with the requirements of this policy may be required to relocate to the University Data Center at the discretion of the ISTF and ISO.

D. Sensitive Information Collection
Sensitive Information must only be collected for lawful and legitimate University purposes according to the requirements outlined in Board of Regents Rule R24, Information Technology Resource Security.

E. Public Information
Although there are no restrictions on disclosure of Public Information, the same precautions prescribed in this policy for protection of University data must be adhered to for the purpose of preventing unauthorized modification, deletion, etc. of Public Information.

Access to University data and its resident computing systems will be restricted to those users that have a legitimate business need and appropriate approvals for access to such information. Users must ensure that Sensitive Information is secured from unauthorized access and are responsible for safeguarding this information and related computing systems at all times through the use of strong passwords and as outlined in the Access Control Section of Appendix

G. Remote Access
Only authorized Users will be permitted to remotely connect to University computer systems, networks and data repositories to onic ues se ous esas oy tow Stats er Secu ene Mee

H. Physical Security
The physical security of computing resources will be accomplished utilizing current industry standards and appropriate technology and plans as defined by the ISO. Responsibility for Centralized Computing Systems security will reside with the IT Division. All other computing systems security will be the responsibility of the appropriate IT Specialist.
See the Physical Security section of Appendix B for specific requirements.

I. Data Security
Users will ensure Sensitive Information is secure and the integrity of records is safeguarded in storage and transmission. Users who handle Sensitive Information are responsible for the proper handling of this data while under their control. Refer to the Data Security section of Appendix B for specific Data Security Requirements.

J. Backup and Recovery
Administrators of Centralized Computing Systems will backup essential University data according to a documented disaster recovery plan consistent with industry standards and store such data at a secure commercial site. Decentralized Computing Systems will have, at a minimum, a documented disaster recovery plan covering backup procedures, timelines, storage locations/procedures and recovery.

K. Security Incident Response and Handling
All suspected or actual security breaches of University, college or departmental system(s) will be reported immediately to the organization's Data Security Steward who will consult with the ISO to assess the level of threat and/or liability posed to the University or affected individuals and respond according to Incident Response Guidelines maintained by the ISO. The University will report and/or publicize unauthorized information disclosures as required by law or specific industry requirements.

L. Service Providers
Service providers utilized to design, implement, and service technologies must provide contractual assurance that they will protect the University's Sensitive Information it receives according to University or commercially reasonable standards. Such contracts must be reviewed by University Legal Counsel for appropriate terminology regarding use and protection of Sensitive Information.
M. Training and Awareness
Each new University employee will be trained on the Acceptable Use Policy and University Information Security Policy as they relate to individual job responsibilities. Such training will include information regarding controls and procedures to prevent employees from providing data to an unauthorized individual. All employees will be required to complete additional security training as prescribed by the ISO.

N. Computer Labs
Weber State University provides robust computing lab resources for utilization in legitimate and lawful academic endeavors. Computing equipment in these labs will conform to all requirements of this policy with the addition of requirements stated in the Computing Lab Section of Appendix B.

O. Software
Only properly licensed software may be installed on University computer systems.

P. Penalties and Enforcement
Penalties and enforcement of this policy will be in accordance with University policies. Appropriate disciplinary and/or legal action will be taken when warranted in any area involving violations of this policy.

Q. Policy Review and Revision
This policy and its associated appendices will be subject to periodic review and revision.

R. Policy Clarification
For clarification or further information on any item in this policy, the user is encouraged to contact the ISO, their Data Security Steward or a member of the ISTF.

S. Exceptions to Policy
Any computing system that is unable to comply with this policy must file an exception. Exceptions to this policy must be approved by the ISO based on academic or business need and reviewed by the ISTF. The ISO will review exceptions annually for continued application and notify the exception holder of any concerns.

T. Additional Policies
Users should be aware that Utah State Board of Regents may implement other policies that may affect Information Security on campus. The University adopts such policies and Users must comply with any such standards.
APPENDIX A - Roles and Responsibilities

Division Heads/College Deans/Managers/Supervisors
These individuals shall be responsible for oversight of their employees of supervision. They will:
+ Ensure that the management and control fis outlined in this policy are adhered to by employees in their unit
+ Ensure employees' access to University data is appropriate
+ Regularly review and document employee access to University data
+ Ment the necessary Data Security Steward and ensure they receive adequate training to perform this.
+ Provide employees with resources and methods to properly secure equipment where University data is processed, stored or handled.
+ Provide employees with approved resources and methods for external data storage where University data is processed, stored or handled.

IT Specialist
These individuals are responsible for being the technical support within a business unit, college/school or department.

Data Security Steward
These individuals who are responsible for business processes within their areas of supervision will:
+ Understand current Information Security policies, standards and guidelines and act as a point of contact for questions regarding Information Security and direct the user to the appropriate source (e.g. the ISO, policies or standards).
+ Operates Information Security monitors in their divisions or college.

authorized use and access to University data in their areas
