
Policy Number: 2.1009
Title: Information Security Compliance
Effective: 11/07/2012
Senate Proposal: No
Responsible University Officer: Vice President for Governmental Relations
Responsible Office: Information Technology Services

Policy Statement  |  Requirements  |  Reason  |  Related Information  |  Exclusions
Contacts  |  Definitions  |  Responsibilities  |  Procedures  |  Forms & Instructions  |  Appendices  |  History

Policy Statement

Michigan Tech will take a University-wide approach to information security to help identify and prevent the compromise of information security and the misuse of University information technology. All University faculty, staff, and students must adhere to this policy when handling information.



Policy Requirements

Information security at Michigan Tech is achieved by implementing a suitable set of controls, including policies, processes, procedures, and software/hardware functions, to protect information assets and preserve the privacy of Michigan Tech employees, students, sponsors, suppliers, and other associated entities.

The University will appoint an Information Security Board of Review to develop, approve, and maintain an Information Security Plan to ensure compliance with regulations relating to information security, including the Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act for Disclosure of Nonpublic Personal Information (GLBA), Health Information Technology for Economic and Clinical Health Act (HITECH), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and Red Flag Rules (RFR).

All Information Technology personnel and users with access to sensitive data are required to sign and date the University Confidentiality Agreement at the time of hire, and annually thereafter.

Any University employee, student, or non-University individual with access to University data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this policy and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.


Reason for Policy

Michigan Tech has an obligation to comply with laws, regulations, policies, and standards associated with information security in order to preserve the confidentiality, integrity, and availability of information assets owned by or entrusted to the University. Information security policies and procedures have been developed to allow the University to satisfy its legal and ethical responsibilities with regard to IT resources.


Related Policy Information

Michigan Tech's Acceptable Use of Information Technology Resources Policy contains the governing philosophy for effective and efficient use of the University's computing, communications, and information resources by all members of the University community.

Information Technology Services, in cooperation with various departments, will develop training and education programs to ensure technical proficiency and appropriate use by all employees who have access to information assets.

Exclusions

Contacts

Office/Unit Name: Information Technology Services
Telephone Number: 906-487-1111

Definitions

Availability of Information Assets: Timely and reliable access to and use of information.

Confidentiality of Information Assets: Authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Data Custodian: An employee of the University who has administrative and/or operational responsibility over information assets.

Data Owner: An individual or group of people officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of the University.

Data User: A person (which may include, but is not limited to, an administrator, faculty member, staff member, student, temporary employee, volunteer, or guest) who has been granted explicit authorization by the owner to access the data.

Executive, Administrator, and Manager: Includes all persons whose assignments require primary (and major) responsibility for management of the institution or of a customarily recognized department or subdivision thereof. Assignments require the performance of work directly related to the management policies or general business operations of the institution, department, or subdivision. It is assumed that assignments in this category customarily and regularly require the individual to exercise discretion and independent judgment and to direct the work of others. Included in this category are all officers holding titles such as president, vice president, dean, director, or the equivalent, as well as officers subordinate to any of these administrators with such titles as associate dean, assistant dean, or executive officer of an academic department (chair, head, or the equivalent) if their principal activity is administrative.

Information Assets: Definable pieces of information in any form, recorded or stored on any media, that are recognized as "valuable" to the University.

Information Technology Resources: The data, applications, information assets, and related resources, such as personnel, equipment, networks, and computer systems of the University.

Information Security: Protection of the University's data, applications, networks, and computer systems from unauthorized access, alteration, or destruction.

Integrity of Information Assets: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.

Information Security Board of Review (ISBR): An appointed administrative authority whose role is to provide oversight and direction regarding information systems security and privacy assurance campus-wide.

IT Security Practitioners: Network, system, application, and database administrators; computer specialists; security analysts; and security consultants.

Responsibilities

Chief Technology Officer (CTO): Responsible for the University's IT planning, budgeting, and performance, including its information security components.

Data Custodians: Grant users access limited to the resources absolutely essential for completion of their assigned duties or functions, and nothing more.

Data Owners: Ensure that proper controls are in place to address the integrity, confidentiality, and availability of the IT systems and data they own.

Data User: Uses the data only for purposes specified by the owner, complies with security measures specified by the owner or custodian (e.g., safeguarding their login ID and password), and does not disclose information or transfer control over the data unless specifically authorized in writing by the owner of the data.

Executive, Administrator, and Manager: Ensures compliance with information security practices, protects University resources by adopting and implementing the security standards and procedures, and should ensure their department adopts standards that exceed the minimum requirements for the protection of University resources controlled exclusively within their department.

Vice President for Governmental Relations: Establishes the overall approach to governance and control by forming the Information Security Board of Review (ISBR) to provide strategic direction, ensures objectives are achieved, ascertains that risks are managed appropriately, and verifies that the University's resources are used responsibly.

Information Security Board of Review (ISBR): Provides oversight and direction regarding information systems security and privacy assurance University-wide.

Information Security and Compliance Officers: Communicate the requirements of information security regulations to University management and employees, act as a technical resource for University compliance, and ensure the Information Security Plan is being effectively carried out in accordance with regulatory and University requirements in a way that meets or exceeds industry standards for information security.

IT Security Practitioners: Implement security requirements in IT systems as changes occur.

Office of Information Technology (OIT): Develops and implements good internal controls and ensures the promotion and awareness of IT requirements and plans throughout the University.

Persons or organizations that use or provide information resources: Maintain and safeguard information assets, use these shared resources with consideration for others, and comply with all University policies, state and federal laws, regulations, and contractual obligations.

Procedures

In support of this policy, the following procedures are included:

Procedure: Information Security Plan

Forms and Instructions

In support of this policy, the following forms/instructions are included:

Form: University Confidentiality Agreement

Appendices

Information Security Policies, Procedures and Guidelines:
Acceptable Use of Information Technology Resources
Information Security Roles & Responsibilities
Data Classification and Protection Standard
Identity and Access Management Policy
Password Standards
Backup & Recovery Standards
Data Sanitization Standard
Media Destruction Procedure
Retention Policy
System Development Life Cycle (SDLC)
Change Management Policy - Under Development
Disaster Recovery & Business Continuity - Under Development
Incident Response Procedure

Additional Information

Family Educational Rights and Privacy Act (FERPA)
http://www.ed.gov/policy/gen/reg/ferpa/index.html
Gramm-Leach-Bliley Act for Disclosure of Nonpublic Personal Information (GLBA)
http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
Health Information Technology for Economic and Clinical Health Act (HITECH)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
Health Insurance Portability and Accountability Act (HIPAA)
http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf
Payment Card Industry Data Security Standards (PCI DSS)
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Red Flag Rules (RFR)
http://www.ftc.gov/redflagsrule

History

Adoption Date: 09/13/2007 Policy approved by President
Amended: 01/31/2011 Revised entire policy and linked to the Information Security Plan.
05/01/2012 To reflect current University titles and practice, MTU is now Michigan Tech and the email address for questions is now hbwebmaster.
11/07/2012 Changed Information Technology Services and Security to Information Technology Services; changed the name of the Computer Use Policy to Acceptable Use of Information Technology Resources; changed Chief Information Officer to Chief Technology Officer; removed the director of ITSS from responsibilities because the position no longer exists; changed the list of law acronyms that users are required to comply with to read all university policies, state and federal laws, and regulations and contractual obligations.