  • Policy Name: Information Security Policy
  • Policy Owner: Information Technology
  • Policy Approver(s): Christopher Waters
  • Version Number: 2.0
  • Effective Date: December 11, 2017
  • Last Reviewed/Approved Date: January 15, 2020
  • Next Scheduled Review Date: January 1, 2021
  • Policy Type: Campuswide

1.0 Purpose

The Information Security Policy provides a structure that will document requirements to:

  • establish accountability and prudent practices regarding the use and safeguarding of Elon University’s information and technology resources;
  • protect the privacy, confidentiality, and integrity of personally identifiable and other regulated information and data stored, processed and transmitted by members of the Elon community;
  • ensure Elon University complies with applicable policies and state, federal, and international laws regarding the management and security of information resources; and
  • educate the Elon community with respect to the responsibilities associated with use of the university’s information and technology resources.

In addition, this policy serves as the foundation for the university’s information security program and provides the Information Security Office the authority to implement internal controls necessary for policy and regulatory compliance.

2.0 Scope

This policy applies to:

  • all information and technology resources owned, leased, operated, or under the custodial care of Elon University;
  • all information and technology resources under the custodial care of Elon University that are stored, processed or transmitted by third-party service providers; and
  • all individuals accessing, using, holding, or managing information and technology resources on behalf of Elon University. This includes staff, faculty, alumni, students, business partners and third-party service providers.

3.0 Definitions

Information and technology resources include, but may not be limited to:

  • All computer devices and peripherals
  • Printers
  • Data and information printouts
  • Fax machines
  • All computer hardware and software
  • Technology-related documentation
  • Application programs
  • Digital data, information and records
  • Mobile phones/computer devices

Confidentiality: characteristic of the information by which it is available only to authorized persons or systems.

Integrity: characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.

Availability: characteristic of the information by which it can be accessed by authorized persons when it is needed.

Information Security: preservation of confidentiality, integrity and availability of information.

Information Security Program: a segment of management processes that addresses the planning, implementation, maintenance, monitoring and improvement of information security within the university.

4.0 Responsibilities

Senior Leadership is responsible for ensuring the availability of resources to adequately protect the information and technology assets of the university and promoting campus-wide compliance with all university and security policies, as well as regulatory and contractual requirements.

Associate Vice President of Information Technology and Chief Information Officer is responsible for ensuring Elon’s Information Security Program is effective and is governed appropriately.

Director of Information Security is responsible for designing and implementing an Information Security Program that aligns to the university’s goals and objectives, addresses the security needs of the organization and reduces risk to Elon’s information and technology assets to an acceptable level.

Supervisors / Department Heads / Managers are responsible for promoting security awareness within their department and ensuring their direct reports have read and understand the university’s policies. Managers, department heads and supervisors are also responsible for ensuring their direct reports receive appropriate information security awareness training so they may fulfill their security and compliance related responsibilities.

The Elon Community, which includes all users of Elon technology and information assets, staff, faculty, students, alumni, business partners, and third-party service providers, should read and understand this policy. In addition, community members must:

  • protect regulated data within their control from unauthorized access, modification, destruction, and disclosure;
  • recognize and report cyber-related threats against the university and its assets;
  • immediately report any security violation to his/her supervisor or department head; and
  • attend appropriate university information security awareness training on an annual basis.

5.0 Policy Statement

Elon University will:

  • protect information and technology resources based on risk against accidental or unauthorized disclosure, modification, or destruction and ensure the confidentiality, integrity, and availability of university data.
  • apply appropriate internal controls to sensitive and regulated data and information by implementing “least privilege” and “need to know” principles guided by Elon’s “Access Control Policy” and “Acceptable Use Policy” without creating unjustified obstacles to the conduct of the scholarship, business, and research of the university and the provision of services to its many constituencies.
  • assign a steward or stewards to all Elon-owned information and technology resources and assets. Stewards will ensure all information and technology resources and assets are used for the sole purpose of supporting the business activities of the university.
  • abide by all government and industry regulations related to information security, privacy and data protection through the implementation of proven security mechanisms, controls, documentation, education and training.
  • ensure each member of the Elon Community who accesses (reads, writes, updates, stores, uses or transmits) Elon’s technology and information resources or assets is aware of her/his responsibility to and accountability for all activity that is logged against his or her user-id.

6.0 Sanctions

Sanctions for inappropriate use of computing, networking and other technology facilities may include, but are not limited to, one or more of the following:

  • temporary or permanent revocation of access to some or all computing, networking and other technology resources;
  • disciplinary action according to applicable University policies; and/or
  • legal action according to applicable laws and contractual agreements.

Individuals concerned about any violation of this policy are encouraged to contact the Assistant Vice President for Technology or the Vice President for Business, Finance and Technology. Individuals can also report suspected policy violations to infosec@elon.edu.