Policy #1204
Information Security

Date of Current Revision: March 2006
Responsible Office: Assistant Vice President for Information Technology
  1. PURPOSE

    This policy assigns responsibility for the security of departmental, administrative and other critical university information and systems. Components of security include confidentiality, availability and integrity.

  2. AUTHORITY

    This policy is established by authority of the president in keeping with the Commonwealth of Virginia Information Technology Resource Management (ITRM) Policy on Information Security (ITRM Policy 90-1), to meet the institution's information security responsibilities by instituting a program that will address specific areas of security such as security administration, personnel security, physical security, risk management and contingency management.

  3. DEFINITIONS

    Information Security Program:
    The set of managerial, operational, and technical controls instituted to protect the integrity, availability, and, if needed, confidentiality of information and resources used to enter, store, process, and communicate electronic information.

    Information technology resources:
    Specific items such as telecommunications devices, computer systems, media, and other equipment, goods, services, and personnel related to the collection, storage or transport of electronic information.

    Critical data:
    Data supporting critical functions (i.e., business processes identified by the Division Heads that significantly affect service levels to students, affect public safety, impact the budget, and/or are the result of governmental regulations). This data is so important to the university that its loss or unavailability is unacceptable.

    Sensitive data:
    Data subject to legal requirements (e.g., Federal or State privacy laws) or considerations, which define and regulate its responsible use.

  4. APPLICABILITY

    This policy applies to all information collected and/or processed using the university's information technology resources.

  5. POLICY

    University data and information technology resources must be recognized as sensitive and valuable and be protected. Depending on the scope and nature of the information, integrity constraints and special procedures for access and handling may be required.

    One of the fundamental requirements and goals of university information processing, whether manual or automated, is to manage a single resource: information. This goal drives all others as the university works to protect and disseminate access to this resource. The individual data elements and their interface to the larger process must be protected and managed at the local office, throughout the department or administrative office or network, as well as through centralized computer systems processing, storage and management.

    It is the policy of the university to maintain security of information technology resources. The university will take appropriate steps to secure information technology resources and sensitive information through the development of an agency information technology security program. All systems must include security safeguards that reflect the importance of the information processed on the system.

    All users of university information technology resources are required to adhere to detailed requirements included in JMU Computing Standards as well as other university policies related to information technology.

  6. PROCEDURES

    In keeping with the responsibilities outlined above, departments and administrative offices shall develop, manage and review local operating policies and procedures to create the proper security posture for sensitive or critical data created and stored locally and on centrally managed computer systems. Integrity constraints, procedures that ensure correct processing of correct data, shall be written as local procedure. Such procedures shall be reviewed as required, but at least once each year.

  7. RESPONSIBILITIES

    7.1 Division heads, deans and directors shall be responsible for identifying critical functions as specified in JMU Policy 1206: Contingency Management for Information-based Systems. In addition, vice presidents, deans, department heads and their staffs are responsible for the security, confidentiality, availability and integrity of data and software stored on individual microcomputers and on centrally-managed computer systems to the extent that they have access and/or access control. This responsibility includes ensuring the backup of key software systems and data on microcomputers or departmental file servers. It may also include account management and/or data stewardship responsibilities that have been specifically assigned.

    7.2 Directors, department heads and other work unit managers are further required to designate a system administrator for any shared file server or application system under their control and not administered by IT. This designation must be communicated to the University Information Security Officer in writing within three days of assignment of responsibilities and shall be updated as necessary.

    7.3 This policy also places responsibility on department heads and directors to: 1) encourage appropriate computer use as specified in JMU Policy 1207: Appropriate Use of Information Technology Resources, 2) ensure compliance with information technology policies and standards by people and services under their control, and 3) implement and monitor additional procedures as necessary to provide appropriate security of information and technology resources within their area of responsibility.

    7.4 Information Technology (IT) is responsible for establishing and maintaining the physical security of the central computing facilities (including shared file servers managed by IT), the university's communications network, and data for which IT is the custodian. As part of the university's Information Security Program, IT will maintain JMU Computing Standards for access to centrally managed computing systems as specified in Policy 1205: Data Stewardship, the campus network and file servers managed by IT.

    7.5 Additionally, the president will appoint an Information Security Officer who shall be responsible for the administration of the university's Information Security Program and providing technical support to university departments and offices in the development of local security procedures. This program shall extend to all information technology resources of the university. Its emphasis will be on protection of the university's information technology resources, in particular sensitive information and critical data and applications.

  8. SANCTIONS

    Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination of employment.

  9. EXCLUSIONS

    None.

  10. INTERPRETATION

    Authority to interpret this policy rests with the president, and is generally delegated to the Assistant Vice President for Information Technology.

Original Version: March 1, 1999

Approved:
April 2002
Linwood H. Rose, President

Index Terms

Information Security
Information confidentiality policy
Data security