Management Guide for Information Security

Contents

• Oversight of Electronic Information

• Information Security Program

• Identity and Access Management

• Continuity Planning and Disaster Recovery

Oversight of Electronic Information

Appropriate management of electronic information stored, processed, or transmitted by University individuals or electronic information systems entails practices that ensure privacy protections, foster clear accountability, increase the effectiveness of data administration, and minimize legal exposure and liability. Therefore, to achieve these goals, individuals who oversee the management of electronic information resources should consult applicable University policies and guidelines.

Business and Finance Bulletin IS-2, Inventory, Classification, and Release of University Electronic Information provides specific guidance regarding

• Inventories of Electronic Information. Inventories and classification of electronic information resources should be conducted and updated periodically.  
• Disclosure and Release of Information. Sharing of sensitive electronic information with University administrative units is allowed for legitimate business needs; however, permission for access to information or release and/or disclosure of information should be granted in conformance with University policy and applicable laws by the University authority that has been assigned overall management responsibility for that information.

Additional advisory information is available on the Web at Oversight of Electronic Information.  See IS-2 for specific guidelines.

Information Security Program

In compliance with Business and Finance Bulletin IS-3, Electronic Information Security, each campus must establish an Information Security Program that includes the following elements:

• Information Security Officer(s)
• Risk Assessments
• Security Controls
• Incident Response and Notification
• Training
• Contract Review

Additional advisory information is available at Information Security Program. See IS-3 for specific guidelines.

Identity and Access Management

Many University electronic information resources are openly available without authorization.  However, Business and Finance Bulletin IS-11, Identity and Access Management recognizes that access to certain resources may be granted to specific individuals only upon appropriate identification and authorization. IS-11 addresses essential elements that comprise campus identity and access management programs. These include guidelines regarding

• accurate identification of members of campus communities,
• secure authorization and authentication access to sensitive information resources, and
• timely granting and revocation of access privileges.

   

Additional advisory information is available at Identity and Access Management. See IS-11 for specific guidelines.

Continuity Planning and Disaster Recovery

University policy requires each campus to implement a comprehensive and effective program that encompasses risk assessment, risk mitigation, emergency preparedness and response, and business recovery to enable and strengthen University capabilities for crisis and consequence management.

• Unit and departmental management should collaborate with campus emergency planning and recovery coordinators to ensure the availability and integrity of critical information resources.
• Systems that host electronic information identified as critical to the continuing operation of the campus or the University should be included in disaster recovery plans.

Business and Finance Bulletin IS-12, Continuity Planning and Disaster Recovery sets forth University guidelines for planning and procedures related to electronic information resources.  Additional advisory information is available at Continuity Planning and Disaster Recovery.