Policy Name: Information Security Policy
Policy Owner: Information Technology
Policy Approver(s): Associate Vice President of Information Technology and Chief Information Officer
Version Number: 2.0
Effective Date: December 11, 2017
Last Reviewed/Approved Date: May 01, 2021
Next Scheduled Review Date: May 01, 2022
Policy Type: Campus-Wide
The Information Security Policy provides a structure that will document requirements to:
- establish accountability and prudent practices regarding the use and safeguarding of Elon University’s information and technology resources;
- protect the privacy, confidentiality, and integrity of personally identifiable and other regulated information and data stored, processed and transmitted by members of the Elon community;
- ensure Elon University complies with applicable policies and state, federal, and international laws regarding the management and security of information resources; and
- educate the Elon community with respect to the responsibilities associated with use of the university’s information and technology resources.
In addition, this policy serves as the foundation for the university’s information security program and provides Information Technology the authority to implement internal controls necessary for policy and regulatory compliance.
This policy applies to:
- all information and technology resources owned, leased, operated, or under the custodial care of Elon University;
- all information and technology resources under the custodial care of Elon University that are stored, processed or transmitted by third-party service providers; and
- all individuals accessing, using, holding, or managing information and technology resources on behalf of Elon University. This includes staff, faculty, alumni, students, business partners and third-party service providers.
Information and technology resources include, but may not be limited to:
- All computer devices and peripherals
- Data and information printouts
- Fax machines
- All computer hardware and software
- Technology-related documentation
- Application programs
- Digital data, information and records
- Telecommunication equipment
- Mobile phones / computer devices
Confidentiality: characteristic of the information by which it is available only to authorized persons or systems.
Integrity: characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
Availability: characteristic of the information by which it can be accessed by authorized persons when it is needed.
Information Security: preservation of confidentiality, integrity and availability of information.
Information Security Program: a segment of management processes that addresses the planning, implementation, maintenance, monitoring and improvement of information security within the university.
- Elon Senior Leadership is responsible for ensuring the availability of resources to adequately protect the information and technology assets of the university and promoting campus-wide compliance with all university and security policies, as well as regulatory and contractual requirements.
- Associate Vice President of Information Technology and Chief Information Officer is responsible for ensuring Elon’s Information Security Program is effective and is governed appropriately.
- Director of Information Security is responsible for designing and implementing an Information Security Program that aligns to the university’s goals and objectives, addresses the security needs of the organization and reduces risk to Elon’s information and technology assets to an acceptable level.
- Supervisors / Department Heads / Managers are responsible for promoting security awareness within their department and ensuring their direct reports have read and understand the university’s policies. Managers, department heads and supervisors are also responsible for ensuring their direct reports receive appropriate information security awareness training so they may fulfill their security and compliance related responsibilities.
- The Elon Community (All users of Elon technology and information assets, including Staff, Faculty, Students, Alumni, Business Partners, and Third-party Service Providers) should read and understand this policy. In addition, community members must:
  - protect regulated data within their control from unauthorized access, modification, destruction, and disclosure;
  - recognize and report cyber-related threats against the university and its assets;
  - immediately report any security violation to their supervisor or department head; and
  - attend appropriate university information security awareness training on an annual basis.
5.0 Policy Statement
- Elon University will protect information and technology resources based on risk against accidental or unauthorized disclosure, modification, or destruction and ensure the confidentiality, integrity, and availability of university data.
- Elon University will apply appropriate internal controls to sensitive and regulated data and information by implementing “least privilege” and “need to know” principles guided by Elon’s “Access Control Policy” and “Acceptable Use Policy” without creating unjustified obstacles to the conduct of the scholarship, business, and research of the university and the provision of services to its many constituencies.
- Elon University will assign a steward or stewards to all Elon-owned information and technology resources and assets. Stewards will ensure all information and technology resources and assets are used for the sole purpose of supporting the business activities of the university.
- Elon University will abide by all government and industry regulations related to information security, privacy and data protection through the implementation of proven security mechanisms, controls, documentation, education and training.
- Elon University will ensure each member of the Elon Community who accesses (reads, writes, updates, stores, uses or transmits) Elon’s technology and information resources or assets is aware of her/his responsibility to and accountability for all activity that is logged against his or her user-id.
Sanctions for inappropriate use of computing, networking and other technology facilities may include, but are not limited to:
- temporary or permanent revocation of access to some or all computing, networking and other technology resources;
- disciplinary action according to applicable University policies; and/or
- legal action according to applicable laws and contractual agreements.
Individuals concerned about any violation of this policy are encouraged to contact the Associate Vice President of Information Technology/CIO or the Vice President for Finance and Administration/CFO. Individuals can also report suspected policy violations to email@example.com.