Utah State University Information Technology

Information Security

Number: 5##

Subject: Protecting Private Sensitive Information

Effective Date: April 1, 2008

PURPOSE/OBJECTIVE

The intention of this policy is to protect Utah State University's Private Sensitive Information (PSI) while stored on or transmitted by institutional Information Technology (IT) Resources, and to recognize and implement the Utah State Board of Regents Policy R345, Information Technology Resource Security.

POLICY

Utah State University will take measures to protect Private Sensitive Information that is stored, processed or transmitted using institutional Resources. It is the duty of each University employee who collects, controls or accesses the university's private sensitive information (PSI) to ensure the security and confidentiality of that information. The relevant duties and responsibilities are itemized in the Utah System of Higher Education Board of Regents Policy R345 Information Technology Resource Security and are included here by reference. The Vice President for Information Technology and the Provost will coordinate with affected units within USU to develop the appropriate procedures and standards to implement various aspects of this policy.

This policy protects the PSI provided by the Information Owner to Utah State University to conduct University business. Users of IT Resources who place their own PSI on university computers for their own personal use do so at their own risk.

Violation of the Information Technology Resource Security Policy or derivative procedures may result in disciplinary action, including termination of employment. Staff members may appeal revocation of access to IT Resources or disciplinary actions taken against them pursuant to this policy.

Alternatively, maybe we should use R345 as a guide and draft our own stand-alone policy. R345 has some "problems" which we have noted, including:

  • "Information Technology Resource" is defined differently than we have defined it in other policies; R345 seems to combine the equipment/infrastructure and the institution's information (especially PSI), but subsequent uses of the term sometimes only make sense if just the equipment or just the data are being referenced. Additionally, the definition is overly broad and is not restricted to resources owned or controlled by the university.
  • Steward, Custodian and Administrator are vaguely defined and described but could be replaced by real roles and positions that we recognize here.
  • PSI needs to be limited to qualifying information that the university requests or accepts, not just every private bit of info that is placed on or passes through our systems.
  • We need a measurable definition of what makes a resource "critical" (maybe blood pressure changes).
  • We need a definition of a security breach.
  • ISO needs to be defined in the context of our organizational structure.
  • We need to distinguish between policy violations, vulnerabilities, exposures and compromises as we define roles, requirements and consequences.
  • There is an undefined "classification level" in the discussion of physical security.
  • How we implement the policy creation/approval process should be clarified: who proposes and who authorizes policies?
  • The ISO has a wide assortment of responsibilities; should some of them be distributed in our existing organizational structure?
  • "Sanctions and remedies": here's where we clarify the procedural difference between a policy violation and a security breach, etc.
  • We need to be sure our policies apply appropriately to faculty and students as well as to "staff."
