University information, including third party information that may be accessed or stored by the University of Illinois Urbana-Champaign (“Data”), is a valuable asset to the University and requires appropriate protection. Unauthorized use or disclosure of Data could have adverse consequences for the individuals involved and could subject the University to fines, lawsuits, and government sanctions.
This policy is intended to:
- help the University and its community members comply with legal and contractual requirements to protect Data;
- help safeguard University information technology resources (“IT Resources”) from accidental or intentional damage and Data from alteration or theft; and
- designate the appropriate level of security requirements for securing Data and IT Resources.
This policy applies to everyone (including, but not limited to, all University faculty, researchers, staff, students, visitors, vendors, contractors, volunteers, and employees of an affiliated entity) who accesses Data or University networks or who stores Data through the use of University credentials or under the authority of and pursuant to University contracts (“University Community Members”). This policy also applies to such access and storage by University Community Members whether the Data is accessed, stored or otherwise resides on University owned or controlled devices, personally owned or controlled devices, or devices owned or controlled by a third party under contract with the University.
This policy is effective the date of publication but will be implemented in phases given the scope and complexity of the Information Security Standards. For details on the implementation schedule, please refer to the compliance timeline.
Chief Information Officer
- In order to manage information security risks, University Community Members must ensure that their actions with respect to Data and IT Resources and their electronic devices and other resources that store, transmit, or process Data meet:
- Individuals must report known non-compliance with this policy and its Information Security Standards to the University IT Security Office, firstname.lastname@example.org, (217) 265‑0000.
- Failure to comply with this policy and its Information Security Standards may result in denied access to IT Resources and disciplinary action, up to and including termination or dismissal.
- University Community Members must review and comply with the following Information Security Standards:
- University Data: Protect the confidentiality, integrity, and availability of Data.
  - Data must be properly classified, labeled, and handled. See DAT01-Data Security Standard.
  - Authorized access to and possession, use, and modification of Data must be provided. See DAT02-Information Access Control Standard.
- Program Management: Develop and maintain a program management strategy focusing on information risk management, information security, security assessment, and business continuity.
  - A risk management strategy, which includes but is not limited to periodic risk assessments and reporting, must be developed and maintained. See MGT01-Information Risk Management Standard.
  - An information security plan, which includes but is not limited to assigning appropriate security roles and resources, must be developed and maintained. See MGT02-Information Security Management Standard.
  - Periodic security assessments must be performed to comply with this policy and all pertinent laws and University policies and contractual obligations. See MGT03-Compliance Management Standard.
  - Business continuity and disaster recovery plan(s) must be developed, maintained, and periodically reviewed to limit the negative impact of a disruptive event upon University operations. See MGT04-Business Continuity Management Standard and IT01-Disaster Recovery Standard.
- Legal: Identify laws and regulations applicable to Data and IT Resources as they become known in order to foster compliance. See LEG01-Legal and Regulatory Compliance Standard.
- Business: Verify segregation of duties in applicable University financial systems and processes to minimize financial fraud. See BUS01-Financial Systems Security Standard.
- Purchasing: Include contractual obligations on vendors of third party software products and computer services to satisfy the University’s information security requirements. See PUR01-Contract Management Security Standard and IT09-Vendor Management Security Standard.
- Personnel Security: Manage the risk presented by each University Community Member throughout the lifecycle of the individual’s relationship with the University. Such management includes but is not limited to:
  - Reviewing the background and needs of University Community Members before they are placed in positions with access to Data in order to match permitted access with the needs of both the University Community Members and the University.
  - Establishing and maintaining a process to authorize, revoke, and audit access to Data and IT Resources by University Community Members.
  - Establishing and maintaining a process to retrieve Data and IT Resources from University Community Members as appropriate when they are transferred within or leave the University. See PS01-Personnel Security Standard.
- Facilities: Equip University locations and workspaces with physical access controls to prevent the theft of, tampering with, or destruction of Data and IT Resources. See FAC01-Site Security Standard, FAC02-IT Workspace Security Standard, and IT02-Infrastructure Security Standard.
- Information Technology:
  - Training and Awareness
    - University Community Members must complete the appropriate privacy and information security training. See IT16-Security Training Standard.
    - University Community Members must be made aware of their obligation to know and follow the Policy on Appropriate Use of Computers and Network Systems at the University of Illinois Urbana-Champaign.
  - Security Incidents – There must be prompt, effective response and management of information security incidents. See IT14-Security Incident Management.
  - Identity Management – There must be secure use and management of digital identities and use of secure authentication processes in order for University Community Members to access Data or IT Resources as appropriate. See IT05-Identity Management Standard.
  - System, Network, and Communication Protection – There must be secure operation and timely access of:
    - Network devices. See IT03-Network Security Standard.
    - Server systems. See IT04-Server Security Standard.
    - Client systems and applications. See IT10-Client Computer Security Standard.
    - Mobile devices and applications. See IT11-Mobile Device Security Standard.
    - Digital Communications. See IT12-Digital Communications Security Standard.
  - Malicious Software – Maximize reasonable protection of Data and IT Resources from exploitation by malicious software, which includes, but is not limited to, malware, viruses, and spyware. See IT06-Malicious Software Protection Standard.
  - System Development Life Cycle – Establish a comprehensive approach to manage risks to IT Resources and to provide the appropriate levels of information security based on the levels of risk as IT Resources are being developed, modified, used, and retired. This approach must include the following:
    - Development Process – Reasonably maximize the production of secure applications and software in the software development process. See IT08-Development Process Standard.
    - Application Development – Reasonably maximize the secure operation of applications so that they produce the correct results and perform only authorized transactions and so that Data is not inadvertently exposed during processing. See IT07-Application Development Security Standard and IT13-Web Application Security Standard.
  - Secure Use and Disposal of Information and Equipment – Require that University storage media, which includes but is not limited to optical media (CDs or DVDs), magnetic media (tapes or diskettes), disk drives (external, portable, or removed from information systems), flash memory storage devices (SSDs or USB flash drives) and documents (paper documents, paper output, or photographic media), are used and disposed of securely. See IT15-Storage Media Security Standard.
  - Equipment and Software Inventory Management – Require that IT Resources, including information assets and software, are identified so they can be managed securely and in compliance with appropriate license agreements and copyright laws. See IT17-Asset Management Standard and IT18-Software License Management Standard.
- Responsible parties and their duties under this policy include:
- University Community Members shall:
  - review and comply with:
  - complete required privacy and information security training;
  - notify administrative and technical staff of high risk or sensitive Data that is stored on computers and other electronic devices;
  - work with their local IT staff or unit liaison through the exception request process if needed; and
  - report non-compliance with this policy to the University IT Security Office, email@example.com, (217) 265‑0000.
- University Community Members with compliance responsibilities shall, in addition to the duties of a University Community Member:
  - monitor Data security compliance;
  - investigate allegations and incidents of non-compliance;
  - recommend appropriate corrective and disciplinary actions;
  - develop and maintain policies related to the compliance requirements; and
  - participate in breach notification processes.
- University Community Members with Information Technology responsibilities shall, in addition to the duties of a University Community Member:
  - take reasonable action to secure Data and IT Resources in accordance with this policy, Information Security Standards and related standards and procedures, as well as pertinent laws and University policies and contractual obligations;
  - participate in University and University of Illinois System technical and security groups and forums, as appropriate; and
  - respond to technical questions from University Community Members related to securing IT Resources.
- Unit administrators shall, in addition to the duties of a University Community Member:
  - assign the responsibility of managing the information security risk and identifying specific security requirements associated within the relevant unit;
  - create, disseminate, and enforce local information security requirements to comply with University policies and standards for Data and IT Resources under their control;
  - provide oversight and manage the security of Data created, stored, or accessed by University Community Members as applicable for their units;
  - manage the security gap analysis for Data and IT Resources for security control requirements as applicable for their units;
  - request exceptions to this policy or Information Security Standards, if needed; and
  - exercise delegated authority and responsibility for unit Information Technology security, unit Data, and unit IT Resources, including designating unit individuals as appropriate.
- University Chief Privacy and Security Officer or Designate shall, in addition to the duties of a University Community Member:
  - exercise delegated authority and responsibility for privacy and information security from the CIO;
  - establish and maintain an Information Security Advisory Committee to provide guidance on information security policy, standards, procedures, exceptions, and other information security related matters;
  - establish information security policies and standards to protect Data and IT Resources;
  - review and approve final information security standards;
  - establish a process to review exception requests to this policy and related standards;
  - review and approve exceptions to information security policies and standards; and
  - review and manage university information security incidents.
- Technology Services – Privacy and Information Security personnel shall, in addition to the duties of a University Community Member:
  - oversee the information security policy and standards and related exception process;
  - provide guidance on information technology security issues;
  - monitor and notify regarding potential information security intrusions;
  - review information security incidents;
  - establish and publish the criteria upon which a server is determined to be a “critical server” and provide oversight for the vulnerability scan process;
  - exercise operational responsibility to remove non-compliant electronic devices from the University network and, as appropriate, retrieve IT Resources and Data as part of an investigation;
  - coordinate with the unit administrative and technical/security staff to assure that actions are taken as necessary to protect IT Resources and Data; and
  - coordinate with law enforcement, compliance offices, and University Counsel.
- Security Advisory Committee shall, in addition to the duties of a University Community Member:
  - advise on information security issues; and
  - advise on exceptions to information security policies and standards for high-level or unquantifiable risks to the University.
- Office of University Counsel shall, in addition to the duties of a University Community Member, review and comply with:
- University Office of Business and Financial Services personnel shall, in addition to the duties of a University Community Member, review and comply with:
- University Purchasing Division shall, in addition to the duties of a University Community Member, review and comply with:
The Information Security Policy represents a baseline of information security requirements for the University.
In certain situations, compliance with this policy or the Information Security Standards contained within this policy may not be immediately possible.
In such cases, exceptions to this policy or the Information Security Standards may be requested through the exception request procedure.
For questions related to this policy, please contact Technology Services – Privacy and Information Security; (217) 265‑0000; firstname.lastname@example.org.