ISO PS005 Sanction Policy


Policy Name: Sanction Policy
Policy Number: IS PS005
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Bruce Edwards
Contact Name: Bruce W. Edwards
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.0


POLICY:

The University of Louisville requires that Users of University computing infrastructure, devices or data comply with all applicable laws, regulations, statutes and University policies relating to information security and information technology. The University must be prepared to respond fairly and appropriately (1) to violations of law, regulation or University policy relating to information security, (2) when questionable or unacceptable computing practices occur, or (3) where there is non-compliance with information security policy requirements or with reasonable requests for action or cooperation necessary to implement the University's information security policies. Lack of compliance will result in sanctions or other appropriate action.


STANDARDS:

Background and definition:

Sanctions are a requirement of many information security laws and regulations. Sanctions also encourage following the policies, standards and procedures promulgated to help the University maintain the confidentiality, integrity and availability of the University's information and computing infrastructure. The Redbook of the University of Louisville (http://louisville.edu/provost/redbook) is the basic governance document of the University and supports faculty, staff or student disciplinary action.

Organizational Responsibilities:

  • UofL Faculty, Staff, Students and other users
    Knowledge of violations of or non-compliance with information security policies should be immediately reported to the University of Louisville Computer Incident Response Team (ULCirt) as well as the appropriate administrator for the department or unit in which the violation occurred. The individual receiving the report is required to inform ULCirt. See ISO PS006 Security Incidents for more information.

    ULCirt will work with the reporter to determine the administrative level at which the initial advisory should occur. ULCirt can be reached at SecureIT@louisville.edu or, if the violation has potentially serious consequences and requires immediate attention, the violation should be reported to the IT Help Desk at 502-852-7997 with Priority One status requested.
  • ULCirt
    The University has identified ULCirt as its authority in developing response plans to information security and technology policy violations and serious security incidents. ULCirt consists of personnel from the Information Technology Data Center Services Unit and the Information Security Office. ULCirt will assess the reported violation and/or incident using an established procedural framework. This framework has been established to apply a consistent methodology to all assessments. Goals of the framework include:
    • documentation of the reported violation or incident;
    • preservation of evidence;
    • impartial assessment of the accuracy of the reported violation or incident, including hearing the particulars from the personnel apparently responsible for the violation;
    • possible escalation of the violation or incident to Human Resources, UofL Department of Public Safety, outside authorities or others;
    • containment and mitigation of the violation or incident;
    • remediation of the violation or incident; and
    • imposition or recommendation of sanctions if and as appropriate.

    ULCirt follows established procedures and guidelines when investigating reported policy violations and security incidents.

Corrective actions and sanctions applied pursuant to this policy shall not supersede or impede any regulatory authority conferred upon other compliance oversight offices at the University of Louisville to apply sanctions or take other corrective actions appropriate to their authority. Corrective actions and sanctions applied pursuant to this policy do not supersede any sanctions imposed by external regulatory bodies.

Corrective Actions and Sanctions Available:
Corrective actions and sanctions available to the University in those circumstances where a violation of, or non-compliance with, information security or technology policy has occurred include, but are not limited to:

  • Imposition of a requirement to obtain additional appropriate training;
  • Temporary suspension or permanent revocation of computing accounts or computing access rights at the University;
  • Requirement to bring self, unit, department or school managed computing resources up to specified and on-going standards or place these resources under the management of the Information Technology Division;
  • Imposition of a mandate and timetable for corrective or remediating action;
  • Letter of Reprimand placed in personnel file;
  • Loss of improperly collected data;
  • Requirement to make financial restitution;
  • Suspension of some or all activities at the University;
  • Any action that may be required by applicable law, regulation or contract;
  • Any other disciplinary actions available as corrective action in a case of inappropriate behavior by a student, faculty member, staff, administrator or other employee up to and including termination;
  • When appropriate and warranted, a department or unit may be held accountable for fees, charges, fines, or expenses incurred or resulting from or related to any such violation or non-compliance where the unit or department is deemed in whole or part responsible.


SCOPE / APPLICABILITY:

All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.

POLICY AUTHORITY / ENFORCEMENT:

The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

POLICY REVIEW:

This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.

COMPLIANCE:

Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.


REVISION HISTORY:

Version / Revision Date / Description

1.0 / July 23, 2007 / Original Publication


This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.

Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council

