
ISO PS001 Information Security Responsibility


Policy Name: Information Security Responsibility
Policy Number: IS PS001
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Bruce Edwards
Contact Name: Bruce W. Edwards
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.0


POLICY:

Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.


STANDARDS:

General roles and responsibilities:

Responsibilities range in scope from administration of security controls for a large system such as PeopleSoft Human Resources to the protection of one's own access password. A particular individual often has more than one role.

Administrators, their designees or individuals with functional ownership of data must:

  1. identify the electronic information resources within areas under their control;
  2. define the purpose and function of the resources and ensure that requisite education and documentation are provided as needed;
  3. establish acceptable levels of security risk for resources by assessing factors such as:
    • whether the data is sensitive information;
    • the level of criticality or overall importance to the continuing operation of the campus as a whole, individual departments, research projects, or other essential activities;
    • how negatively the operations of one or more units would be affected by unavailability or reduced availability of the resources;
    • how likely it is that a resource could be used as a platform for inappropriate acts towards other entities;
    • limits of available technology, programmatic needs, cost, and staff support;
  4. ensure compliance with the University's general Information Security policies and standards;
  5. ensure that requisite security measures are implemented for the resources.

Providers must:

  1. become knowledgeable regarding relevant security requirements and guidelines;
  2. analyze potential threats and the feasibility of various security measures in order to provide recommendations to Administrative Officials;
  3. implement security measures that mitigate threats, consistent with the level of acceptable risk established by administrative officials;
  4. establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements;
  5. ensure compliance with the University's general Information Security policies and standards and establish procedures for their resource area in support of these policies and standards;
  6. communicate the purpose and appropriate use for resources under their control.

Users - Individuals who access and use campus electronic information resources must:

  1. become knowledgeable about relevant security requirements and guidelines;
  2. protect the resources under their control, such as access passwords, computers, and data they download.

Responsibility for Privacy and Confidentiality:

Applications must be designed and computers must be used to protect the privacy and confidentiality of the various types of electronic data they process, in accordance with applicable laws and policies.

Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when sensitive data is transferred from a well-secured system such as PeopleSoft Financials to a User's location, adequate security measures must be in place at the destination computer to protect this data.

Responsibility for Compliance with Law and Policy:

Campus departments, units, or groups, for specific systems and activities under their purview, must comply with this and other University information security policies and standards as well as applicable laws and regulations. These groups should, as appropriate and relevant to their area, establish security guidelines, standards, or procedures that support and refine the provisions of the University information security policies and standards for specific activities under their purview.


SCOPE / APPLICABILITY:

All persons while conducting work, teaching, research or study activity, or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY AUTHORITY / ENFORCEMENT:

The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

POLICY REVIEW:

This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.

COMPLIANCE:

Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.


REVISION HISTORY:

Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication


This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

Approved July 23, 2007 by the Compliance Oversight Council

Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council


Thanks and appreciation to University of California, Berkeley for elements of this document (http://security.berkeley.edu/IT.sec.policy.html)
