����̽̽

Goal

The goal of these Information Security Procedures is to limit information access to authorized users, protect information against unauthorized modification, and ensure that information is accessible when needed, whether that information is stored or transmitted on printed media, on computers, in network services, or on computer storage media. 

Guidance vs. Mandates

These Procedures contain both rules and guidelines to aid in the interpretation and implementation of the Information Security Policy. In some instances, the Procedures state rules that cannot be implemented immediately but must be implemented over time. Those sections of the Procedures that are presently binding rules employ the conventional language that denotes a mandatory obligation, including words such as “shall,”  “will” and “must.” Those sections that describe recommendations or institutional goals employ language, such as the word “should”. With particular reference to detailed technological standards, please contact the Office of the Chief Information Officer, or appropriate officials in Enterprise Technology Services (ETS), for day-to-day guidance about the state of the Procedures’ implementation.

Implementation

The Procedures are, in essence, a snapshot that reveals both (1) the University’s promulgation, implementation, and enforcement of specific standards, and (2) the University’s identification of best practices that may not yet be fully implemented. While it remains the University’s goal to aggressively pursue the ambitious agenda set forth in these Procedures, full-scale implementation will require a significant transition period. Given the breadth and depth of the territory covered by the Information Security Policy, and the rapidly changing technological and regulatory environment within which we work, a static or wooden presentation of rules is not possible, nor is it fair to expect that all of the principles and goals set forth in these pages could at once be fully operationalized. An example is the laptop encryption standard, section 16.4.2. The University cannot, in one day, encrypt all laptops now in use. However, laptops known to carry Protected University Information must be encrypted immediately, and as University employees or units obtain new laptop computers henceforth, they must all be equipped with encryption software and their users will be bound by the relevant rules. Data Stewards and Technology Managers will define practices appropriate for their domains to implement, over time, these rules and guidelines. 

These Procedures apply to all University information maintained in printed form, on computers, through network accounts, via the University e-mail system, or within other information and communication technology services. The Procedures apply whether ����̽̽ information resources are accessed remotely or through the use of a University-owned device or ����̽̽ network connection.

Responsible Official: Chief Information Officer

Effective Date: January 11, 2013