Policy Name: Information Security Policy
Date Approved: April 21, 2022
Policy Category: Board of Governors - University Operation
Date Effective: April 21, 2022
Policy Number: 4.1.090
Date Last Revised: n/a
Approval Authority: UCM Board of Governors
Review Cycle: 5 years
Responsible Department: Office of Technology
The University of Central Missouri relies on information systems and technology resources to perform daily operations vital to achieving the University’s mission. This policy serves as the foundation for the University’s Information Security Program and provides the Office of Technology the authority to implement standards, procedures, and guidelines necessary to protect the University’s information assets in a manner consistent with legislative mandates, regulatory requirements, University policy, and Information Security best-practices to ensure the confidentiality, integrity, and availability of information technology assets.
Confidential Information is a classification for systems or data that, if made available to unauthorized parties, may adversely affect individuals or the University. This classification includes information required to be protected from disclosure by law, industry regulation, confidentiality agreement, information systems with access to confidential data, or systems designated as “High Risk”.
Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term information system includes information technology, data, people, and processes used to manage information.
Information Technology is any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the University. For purposes of the preceding sentence, equipment is used by the University if the equipment is used directly or is used by a contractor under a contract with the University which:
1) requires the use of such equipment; or
2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product.
The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
Information Technology Service is the use of information technology for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making information available (e.g. web applications, authentication, file shares, shared printers, etc.) to users or systems.
Associate Vice President of Technology / Chief Information Officer (AVP of Technology / CIO) is responsible for designating an individual to manage a University-wide Information Security Management program and providing the resources necessary to ensure the confidentiality, integrity, and availability of information systems.
Information Security Officer (ISO) is responsible for management and oversight of the information security program to ensure the protection of the University’s information systems.
Computer Security Incident Response Team (CSIRT) is established by the ISO and is responsible for receiving, reviewing, and responding to major computer security incident reports and activity when activated by the ISO.
System Owner is a University official with budgetary oversight for an information system and is responsible for the overall procurement, development, integration, modification, and operation of the system.
System User is any user provided access to an information system required to fulfill their assigned role or function including, but not limited to, Faculty, Staff, Students, Contractors, and Guests. Users are responsible for using systems and protecting information in accordance with University policy and Information Security standards.
The following subsections outline the Information Security policy. Each University information system is bound to this policy, and system owners must develop or adhere to a program plan which demonstrates compliance with the policy and related documented standards.
University of Central Missouri Board of Governors Policy 1.2.040 provides authority to the University president to delegate authority to the AVP of Technology / CIO to take prudent steps to secure the University’s information technology resources.
The AVP of Technology / CIO delegated responsibility for a University-wide Information Security Management Program to the ISO with responsibility for management and oversight of the information security program to ensure the protection of the University’s information systems.
Users of University of Central Missouri’s information systems shall adhere to University policies and applicable law to protect the confidentiality, integrity, and availability of the University’s information systems and shall comply with criteria established by University officials delegated with planning and policy-making responsibilities for specific categories of data.
Information security audits and assessments may only be conducted by individuals authorized by the ISO. The Office of Technology reserves the right to conduct periodic security audits or vulnerability assessments at any time without prior notification and shall take reasonable precautions to ensure systems are not adversely affected by assessment activity. A record of such audits shall be kept by the ISO in consultation with the AVP of Technology / CIO. Identified vulnerabilities shall be remediated in a timely manner, in accordance with the Vulnerability Management Process, based on the likelihood and impact of exploitation.
Information systems containing confidential information shall be subject to penetration testing annually. Intensive vulnerability scans or penetration testing must be authorized by the System Owner.
Information security must be a consideration from the beginning of any University project involving information systems, so that security is integrated into systems before they become active and information security risks are managed on an ongoing basis.
The Office of Technology shall implement a Technology Risk Management Program for information systems and technology resources to identify critical assets, threats, and vulnerabilities. A risk analysis will be conducted prior to implementation of an information system or technology resource and annually thereafter. This effort shall be coordinated with the Office of General Counsel in relation to its Director of Contracts, Compliance and Risk Management and the University’s Enterprise Risk Management efforts.
Information security awareness and training reduces the likelihood that uninformed users will do incidental harm to University information systems and technology resources. All University users are expected to meet training requirements in accordance with the Information Security Awareness and Training standards. The Office of Technology will provide general security and confidential information awareness training for all University users and validate conformance to role-based security training and record keeping requirements.
Information security incidents will be managed by the Computer Security Incident Response Team (CSIRT) and will be reported as required by applicable law. CSIRT shall establish a Computer Security Incident Response Plan to ensure each incident is reported, documented, and resolved in a timely manner to restore operation of the affected system(s) and, if required, preserve evidence for further disciplinary or legal actions. CSIRT will take prudent steps to protect the University from active threats, which may include immediate isolation of information assets or disablement of user accounts without prior notification.
All University users are expected to provide full cooperation with CSIRT to resolve information security incidents.
The Department of Public Safety shall serve as liaison with external law enforcement organizations and Integrated Marketing and Communications shall serve as liaison with media organizations, both in coordination with the Office of General Counsel prior to the release of information.
In support of the University Emergency Response Plan, the Office of Technology shall develop and maintain contingency and disaster recovery plans for infrastructure and services managed by OT, prioritized as follows:
Owners of information systems and technology resources not managed by the Office of Technology shall develop and maintain a plan for responding to system failure or data loss according to standards defined by the Office of Technology. System owners shall provide their system recovery plan to the Office of Technology for integration with the overall contingency and disaster recovery plan.
Approval from the AVP of Technology / CIO or appointed designee is required to provide an information technology service, whether hosted internally or externally. Owners of Information Systems connected to University networks or third-party systems used in support of the University mission shall maintain awareness of and adherence to all information security policies, standards, and related procedures.
The Office of Technology will register systems deployed on campus. During registration, System Owners shall agree to the following terms:
The Office of Technology will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the ISO and applicable supervisor and/or area vice president, as authorized and documented by the Associate Vice President of Technology / Chief Information Officer or appointed designee.
Any exception to this policy must be approved by the Associate Vice President of Technology / Chief Information Officer or appointed designee.
Any user found to have violated this policy may be subject to discipline, including loss of network access privileges and referral to law enforcement.
Any device found in violation of this policy may be disconnected from the University network until the device is brought into compliance as confirmed by the ISO.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
A student found to have violated this policy may be subject to disciplinary sanctions, which may include suspension or expulsion from the University.
Questions about this policy and its enforcement should be brought to the ISO.