Senate Proposal: No
Responsible University Officer: Vice President for Governmental Relations
Responsible Office: Information Technology Services
Michigan Tech will take a University-wide approach to information security to help identify and prevent the compromise of information security and the misuse of University information technology by which all University faculty, staff and students must adhere when handling information.
Information security at Michigan Tech is achieved by implementing a suitable set of controls; including policies, processes, procedures, and software/hardware functions to protect information assets and preserve the privacy of Michigan Tech employees, students, sponsors, suppliers, and other associated entities.
The University will appoint an Information Security Board of Review to develop, approve, and maintain an Information Security Plan to ensure compliance with regulations relating to Information Security including the Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act for Disclosure of Nonpublic Personal Information (GLBA), Health Information Technology for Economic and Clinical Health Act (HITECH), Health Insurance Portability Accountability Act (HIPAA), Payment Card Industry Data Security Standards (PCI DSS) Services, and Red Flag Rules (RFR).
All Information Technology personnel and users with access to sensitive data are required to sign and date the University Confidentiality Agreement at the time of hire, and annually thereafter.
Any University employee, student or non-university individual with access to University data who engages in unauthorized use, disclosure, alteration, or destruction of data is in violation of this plan and will be subject to appropriate disciplinary action, including possible dismissal and/or legal action.
Reason for Policy
Michigan Tech has an obligation to comply with laws, regulations, policies, and standards associated with information security to preserve the confidentiality, integrity, and availability of information assets owned or entrusted by the University. Information security policies and procedures have been developed to allow the University to satisfy its legal and ethical responsibilities with regard to IT resources.
Related Policy Information
Michigan Tech's Acceptable Use of Information Technology Resources Policy contains the governing philosophy for effective and efficient use of the University's computing, communications, and information resources by all members of the University community.
Information Technology Services in cooperation with various departments will develop training and education programs to achieve technical proficiency and appropriate use for all employees who have access to information assets.
|Information Technology Services
Availability of Information Assets — Timely and reliable access to and use of information.
Confidentiality of Information Assets — Authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Data Custodian — An employee of the University who has administrative and/or operational responsibility over information assets.
Data Owner — An individual or group of people who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of the University.
Data User — A person (which may include, but is not limited to: administrator, faculty, staff, student, temporary employee, volunteer, or guest) who has been granted explicit authorization to access the data by the owner.
Executive, Administrator, and Manager — Includes all persons whose assignments require primary (and major) responsibility for management of the institution or customarily recognized department or subdivision thereof. Assignments require the performance of work directly related to management policies or general business operations of the institution department or subdivision, etc. It is assumed that assignments in this category customarily and regularly require the individual to exercise discretion and independent judgment and to direct the work of others. Included in this category are all officers holding titles such as president, vice president, dean, director, or the equivalents, as well as officers subordinate to any of these administrators with such titles as associate dean, assistant dean, executive officer of academic departments (chair, heads, or the equivalent) if their principal activity is administrative.
Information Assets — Definable pieces of information in any form, recorded or stored on any media that is recognized as "valuable" to the University.
Information Technology Resources — The data, applications, information assets, and related sources, such as personnel, equipment, networks and computer systems of the University.
Information Security — Protection of the University's data, applications, networks, and computer systems from unauthorized access, alteration, or destruction.
Integrity of Information Assets — Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Information Security Board of Review (ISBR) — An appointed administrative authority whose role is to provide oversight and direction regarding information systems security and privacy assurance campus-wide.
IT Security Practitioners — Network, system, application, and database administrators; computer specialists; security analysts; security consultants.
Chief Information Officer (CIO) — Responsible for the University's IT planning, budgeting, and performance including its information security components.
Data Custodians — Grants access to users limited to resources absolutely essential for completion of assigned duties or functions, and nothing more.
Data Owners — Ensures that proper controls are in place to address information asset integrity, confidentiality, and availability of the IT systems and data they own.
Data User — Uses the data only for purposes specified by the owner, complies with security measures specified by the owner or custodian (i.e. securing login-ID and password), and does not disclose information or control over the data unless specifically authorized in writing by the owner of the data.
Executive, Administrator, and Manager — Ensures compliance with information security practices, protecting University resources by adopting and implementing the security standards and procedures, and should ensure their department adopts standards that exceed the minimum requirements for the protection of University resources that are controlled exclusively within their department.
Vice President for Governmental Relations — Establishes the overall approach to governance and control by forming the Information Security Board of Review (ISBR) to provide strategic direction, ensures objectives are achieved, ascertains risks are managed appropriately, and verifies that the University's resources are used responsibly.
Information Security Board of Review (ISBR) — Provides oversight and direction regarding information systems security and privacy assurance University-wide.
Information Security and Compliance Officers — Communicates requirements of information security regulations to University management and employees, acts as a technical resource for University compliance, ensures the Information Security Plan is being effectively carried out in accordance with regulatory and University requirements which meets or exceeds industry standards for information security.
IT Security Practitioners — Implements security requirements in the IT systems as changes occur.
Office of Information Technology (OIT) — Develops and implements good internal controls as well as ensuring the promotion and awareness of IT requirements and plans throughout the University.
Persons or organizations which use or provide information resources — Maintains and safeguards information assets, uses these shared resources with consideration for others, and are required to comply with all University policies, state and federal laws, regulations and contractual obligations.
Forms and Instructions
Information Security Policies, Procedures and Guidelines:
- Acceptable Use of Information Technology Resources
- Information Security Roles & Responsibilities
- Data Classification and Protection Standard
- Identity and Access Management Policy
- Password Standards
- Backup & Recovery Standards
- Data Sanitization Standard
- Media Destruction Procedure
- Retention Policy
- System Development Life Cycle (SDLC)
- Incident Response Procedure
- Family Education Rights and Privacy Act (FERPA) https://www2.ed.gov/policy/gen/reg/ferpa/index.html
- Gramm-Leach-Bliley Act for Disclosure of Nonpublic Personal Information (GLBA) https://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
- Health Information Technology for Economic and Clinical Health Act (HITECH) https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
- Health Insurance Portability and Accountability Act (HIPAA) https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/index.html
- Payment Card Industry Data Security Standards (PCI DSS) https://www.pcisecuritystandards.org/security_standards/index.php
- Red Flag Rules (RFR) https://business.ftc.gov/privacy-and-security/red-flags-rule
|Policy approved by President
|Policy Update: to reflect current practice, changed "Chief Technology Officer (CTO)" to "Chief Information Officer (CIO)"
|Transfer of policy page from HTML to CMS. General Policy numbers renamed from "2.1000" to "1.00 General University". Specifically from "2.1009—Information Security Compliance" to "1.09—Information Security Compliance".
|Changed Information Technology Services and Security to Information Technology Services; changed the name of the Computer Use Policy to Acceptable Use of Information Technology Resources; changed Chief Information Officer to Chief Technology Officer; removed the director of ITSS from responsibilities because the position no longer exists; changed the list of law acronyms that users are required to comply with to read all university policies, state and federal laws, and regulations and contractual obligations.
|To reflect current University titles and practice, MTU is now Michigan Tech and the email address for questions is now hbwebmaster.
|Revised entire policy and linked to the Information Security Plan.