1. PURPOSE
This policy assigns responsibility for the security of departmental, administrative, and other critical university information and systems. Components of security include confidentiality, availability, and integrity.
2. AUTHORITY
Consistent with the University’s Memorandum of Understanding granting Level II delegation from the Commonwealth under the Virginia Restructured Higher Education Financial and Administrative Operations Act of 2005 and in keeping with JMU Policy 1214 (University Information Technology Security Program), JMU exercises independent authority for establishing and executing its information security program.
The president gives Information Technology (IT) responsibility for the institution's information security program and for instituting policies, procedures and technical controls to address specific areas of security, such as security administration, personnel security, physical security, risk management and contingency management.
3. DEFINITIONS
Information Security Program:
The set of managerial, operational, and technical controls instituted to protect the integrity, availability, and if needed, confidentiality of information and resources used to enter, store, process, and communicate electronic information.
Information technology resources:
Specific items such as telecommunications devices, computer systems, media, and other equipment, goods, services, and personnel related to the collection, storage, or transport of electronic information.
Critical data:
Data supporting critical functions (i.e., business processes identified by the division heads that significantly affect service levels to students, affect public safety, impact the budget, and/or are the result of governmental regulations). This data is so important to the university that its loss or unavailability is unacceptable.
Sensitive data:
Non-public data subject to legal requirements (e.g., Federal or State privacy laws) or other privacy or compliance considerations, which define and regulate its responsible use. The university’s Data Stewardship Policy (JMU 1205) defines two types of sensitive data: protected and highly confidential.
4. APPLICABILITY
This policy applies to all information collected and/or processed using the university's information technology resources.
5. POLICY
University data and information technology resources must be recognized as sensitive and valuable and be protected. Depending on the scope and nature of the information, integrity constraints and special procedures for access and handling may be required.
One of the fundamental requirements and goals of university information processing, whether manual or automated, is to manage a single resource: information. This goal drives all others as the university works both to protect this resource and to provide appropriate access to it. The individual data elements and their interface to the larger process must be protected and managed at the local office, throughout the department or administrative office or network, and through centralized computer systems processing, storage, and management.
It is the policy of the university to maintain security of its information technology resources. The university will take appropriate steps to secure information technology resources and sensitive information through the development of an agency information technology security program. All systems must include security safeguards that reflect the importance of the information processed on the system.
All users of university information technology resources are required to adhere to detailed requirements included in JMU Computing Standards as well as other university policies related to information technology.
6. PROCEDURES
In keeping with the responsibilities outlined above, departments and administrative offices shall develop, manage, and review local operating policies and procedures to create the proper security posture for sensitive or critical data created and stored locally and on centrally managed computer systems. Integrity constraints (procedures that ensure correct data is processed correctly) shall be written as local procedures. Such procedures shall be reviewed as required, but at least once each year.
7. RESPONSIBILITIES
7.1 Division heads, academic deans and academic/administrative unit heads shall be responsible for identifying critical functions as specified in Policy 1206 (Contingency Management for Information-based Systems). In addition, senior vice presidents, deans, department heads, and their staffs are responsible for the security, confidentiality, availability, and integrity of data and software stored on individual microcomputers and on centrally managed computer systems to the extent that they have access and/or access control. This responsibility includes ensuring the backup of key software systems and data on microcomputers or departmental file servers. It may also include account management and/or data stewardship responsibilities that have been specifically assigned.
7.2 Academic deans and academic/administrative unit heads are further required to designate a system administrator for any shared file server or application system under their control and not administered by IT. This designation must be communicated to the University Information Security Officer in writing within three days of assignment of responsibilities and shall be updated as necessary.
7.3 This policy also places responsibility on department heads and directors to: 1) require appropriate computer use as specified in Policy 1207 (Appropriate Use of Information Technology Resources), 2) ensure compliance with information technology policies and standards by people and services under their control, and 3) implement and monitor additional procedures as necessary to provide appropriate security of information and technology resources within their area of responsibility.
7.4 IT is responsible for establishing and maintaining the physical security of the central computing facilities (including shared file servers managed by IT), the university's communications network, and data for which IT is the custodian. As part of the university's Information Security Program, IT will maintain JMU Computing Standards for access to centrally managed computing systems as specified in Policy 1205 (University Data Stewardship), the campus network, and fileservers managed by IT.
7.5 Additionally, the president will appoint an Information Security Officer who shall be responsible for the administration of the university's Information Security Program and providing technical support to university departments and offices in the development of local security procedures. This program shall extend to all information technology resources of the university. Its emphasis will be on protection of the university's information technology resources, in particular sensitive information and critical data and applications.
8. SANCTIONS
Sanctions will be commensurate with the severity and/or frequency of offense and may include termination.
9. EXCLUSIONS
None.
10. INTERPRETATION
Authority to interpret this policy rests with the president, and is generally delegated to the Assistant Vice President for Information Technology.
Previous version: March, 2006
Approved by the President: April, 2002
Index Terms
Information Security
Information confidentiality policy
Data security