1. In order to manage information security risks, University Community Members must ensure that their actions with respect to Data and IT Resources and their electronic devices and other resources that store, transmit, or process Data meet:
    1. the Information Security Standards, and
    2. all applicable laws, University policies, and University contractual obligations.
  2. Individuals must report known non-compliance with this policy and its Information Security Standards to the University IT Security Office, security@illinois.edu, (217) 265‑0000.
  3. Failure to comply with this policy and its Information Security Standards may result in denied access to IT Resources and disciplinary action, up to and including termination or dismissal.
  4. University Community Members must review and comply with the following Information Security Standards:
    • University Data: Protect the confidentiality, integrity, and availability of Data.
      1. Data must be properly classified, labeled, and handled.
      2. Authorized access to and possession, use, and modification of Data must be provided.
    • Program Management: Develop and maintain a program management strategy focusing on information risk management, information security, security assessment, and business continuity.
      1. A risk management strategy, which includes but is not limited to periodic risk assessments and reporting, must be developed and maintained.
      2. An information security plan, which includes but is not limited to assigning appropriate security roles and resources, must be developed and maintained.
      3. Periodic security assessments must be performed to comply with this policy and all pertinent laws and University policies and contractual obligations.
      4. Business continuity and disaster recovery plan(s) must be developed, maintained, and periodically reviewed to limit the negative impact of a disruptive event upon University operations.
    • Legal: Identify laws and regulations applicable to Data and IT Resources as they become known in order to foster compliance.
    • Business: Verify segregation of duties in applicable University financial systems and processes to minimize financial fraud.
    • Purchasing: Include contractual obligations on vendors of third party software products and computer services to satisfy the University’s information security requirements.
    • Personnel Security: Manage the risk presented by each University Community Member throughout the lifecycle of the individual’s relationship with the University. Such management includes but is not limited to:
      1. Reviewing the background and needs of University Community Members before they are placed in positions with access to Data in order to match permitted access with the needs of both the University Community Members and the University.
      2. Establishing and maintaining a process to authorize, revoke, and audit access to Data and IT Resources by University Community Members.
      3. Establishing and maintaining a process to retrieve Data and IT Resources from University Community Members as appropriate when they are transferred within or leave the University.
    • Facilities: Equip University locations and workspaces with physical access controls to prevent the theft of, tampering with, or destruction of Data and IT Resources.
    • Information Technology:
      1. Training and Awareness
        1. University Community Members must complete the appropriate privacy and information security training.
        2. University Community Members must be made aware of their obligation to know and follow the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources.
      2. Security Incidents – There must be prompt, effective response and management of information security incidents.
      3. Identity Management – There must be secure use and management of digital identities and use of secure authentication processes in order for University Community Members to access Data or IT Resources as appropriate.
      4. System, Network, and Communication Protection – There must be secure operation and timely access of:
        1. Network devices.
        2. Server systems.
        3. Client systems and applications.
        4. Mobile devices and applications.
        5. Digital Communications.
      5. Malicious Software – Maximize reasonable protection of Data and IT Resources from exploitation by malicious software, which includes, but is not limited to, malware, viruses, and spyware.
      6. System Development Life Cycle – Establish a comprehensive approach to manage risks to IT Resources and to provide the appropriate levels of information security based on the levels of risk as IT Resources are being developed, modified, used, and retired. This approach must include the following:
        1. Development Process – Reasonably maximize the production of secure applications and software in the software development process.
        2. Application Development – Reasonably maximize the secure operation of applications so that they produce the correct results and perform only authorized transactions and so that Data is not inadvertently exposed during processing.
      7. Secure Use and Disposal of Information and Equipment – Require that University storage media, which includes but is not limited to optical media (CDs or DVDs), magnetic media (tapes or diskettes), disk drives (external, portable, or removed from information systems), flash memory storage devices (SSDs or USB flash drives) and documents (paper documents, paper output, or photographic media), are used and disposed of securely.
      8. Equipment and Software Inventory Management – Require that IT Resources, including information assets and software, are identified so they can be managed securely and in compliance with appropriate license agreements and copyright laws.
  5. Responsible parties and their duties under this policy include:
    1. University Community Members shall:
      • review and comply with:
        • this policy;
        • the Information Security Standards;
        • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
        • applicable laws and University policies and contractual obligations;
      • complete required privacy and information security training;
      • notify administrative and technical staff of high risk or sensitive Data that is stored on computers and other electronic devices;
      • work with their local IT staff or unit liaison through the exception request process if needed; and
      • report non-compliance with this policy to the University IT Security Office, security@illinois.edu, (217) 265‑0000.
    2. University Community Members with compliance responsibilities shall in addition to the duties of a University Community Member:
      • monitor Data security compliance;
      • investigate allegations and incidents of non-compliance;
      • recommend appropriate corrective and disciplinary actions;
      • develop and maintain policies related to the compliance requirements; and
      • participate in breach notification processes.
    3. University Community Members with Information Technology responsibilities shall in addition to the duties of a University Community Member:
      • Take reasonable action to secure Data and IT Resources in accordance with this policy, Information Security Standards and related standards and procedures, as well as pertinent laws and University policies and contractual obligations;
      • Participate in University and University of Illinois System technical and security groups and forums, as appropriate; and
      • Respond to technical questions from University Community Members related to securing IT Resources.
    4. Unit administrators shall in addition to the duties of a University Community Member:
      • assign the responsibility of managing the information security risk and identifying specific security requirements associated within the relevant unit;
      • create, disseminate, and enforce local information security requirements to comply with University policies and standards for Data and IT Resources under their control;
      • provide oversight and manage the security of Data created, stored, or accessed by University Community Members as applicable for their units;
      • manage the security gap analysis for Data and IT Resources for security control requirements as applicable for their units;
      • request exceptions to this policy or Information Security Standards, if needed; and
      • exercise delegated authority and responsibility for unit Information Technology security, unit Data, and unit IT Resources, including designating unit individuals as appropriate.
    5. University Chief Privacy and Security Officer or Designate shall in addition to the duties of a University Community Member:
      • exercise delegated authority and responsibility for privacy and information security from the CIO;
      • establish and maintain an Information Security Advisory Committee to provide guidance on information security policy, standards, procedures, exceptions, and other information security related matters;
      • establish information security policies and standards to protect Data and IT Resources;
      • review and approve final information security standards;
      • establish a process to review exception requests to this policy and related standards;
      • review and approve exceptions to information security policies and standards; and
      • review and manage university information security incidents.
    6. Technology Services – Privacy and Information Security personnel shall in addition to the duties of a University Community Member:
      • oversee the information security policy and standards and related exception process;
      • provide guidance on information technology security issues;
      • monitor and notify regarding potential information security intrusions;
      • review information security incidents;
      • establish and publish the criteria upon which a server is determined to be a “critical server” and provide oversight for the vulnerability scan process;
      • exercise operational responsibility to remove non-compliant electronic devices from the University network and, as appropriate, retrieve IT Resources and Data as part of an investigation;
      • coordinate with the unit administrative and technical/security staff to assure that actions are taken as necessary to protect IT Resources and Data; and
      • coordinate with law enforcement, compliance offices, and University Counsel.
    7. Security Advisory Committee shall in addition to the duties of a University Community Member:
      • advise on information security issues; and
      • advise on exceptions to information security policies and standards for high-level or unquantifiable risks to the University.
    8. Office of University Counsel shall, in addition to the duties of a University Community Member, review and comply with:
      • this policy;
      • the Information Security Standards, including in particular D. 3 and D. 5;
      • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
      • applicable University policies, laws or contractual obligations.
    9. University Office of Business and Financial Services personnel shall, in addition to the duties of a University Community Member, review and comply with:
      • this policy;
      • the Information Security Standards, including in particular D. 4;
      • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
      • applicable laws and University policies and contractual obligations.
    10. University Purchasing Division shall, in addition to the duties of a University Community Member, review and comply with:
      • this policy;
      • the Information Security Standards, including in particular D. 3 and D. 5;
      • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
      • applicable laws and University policies and contractual obligations.

Processes/Procedures/Guidelines

Procedures

  • The Information Security Standards
  • or to the Information Security Standards

Process

  • Identifying Security Level

Exceptions

The Information Security Policy represents a baseline of information security requirements for the University.

In certain situations, compliance with this policy or the Information Security Standards contained within this policy may not be immediately possible.

In such cases, exceptions to this policy or the Information Security Standards may be requested through the exception request procedure.

Contact

For questions related to this policy, please contact Technology Services – Privacy and Information Security; (217) 265‑0000; itpolicy@illinois.edu.

Related Information

Last Reviewed: 01-01-2020

Unit Head: Tulio Llosa