Policy Name: Information Security Policy
Policy Owner: Information Technology
Policy Approver(s): Vice President’s Council
Version Number: 2.2
Effective Date: December 11, 2017
Last Reviewed/Approved Date: November 01, 2022
Next Scheduled Review Date: November 01, 2023
Policy Type: Campus-Wide
The Information Security Policy provides a structure that will document requirements to:
- Establish accountability and prudent practices regarding the use and safeguarding of Elon University’s information and technology resources;
- Protect the privacy, confidentiality, and integrity of personally identifiable and other regulated information and data stored, processed and transmitted by members of the Elon Community;
- Ensure Elon University complies with applicable policies and state, federal, and international laws regarding the management and security of information resources; and
- Educate the Elon Community with respect to the responsibilities associated with use of the University’s information and technology resources.
In addition, this policy serves as the foundation for the University’s Written Information Security Program and provides Information Technology with the authority to implement internal controls necessary for policy and regulatory compliance. This policy supersedes any other prior policies or requirements related to these topics and will be reviewed at least annually for potential updates.
This policy applies to:
- All Elon University-owned or managed networks, network devices, computer systems, applications, or any other technology or computing assets (“Elon Assets”);
- All Elon University proprietary or confidential information, including intellectual property (“Confidential Information”);
- Any Elon owned or controlled individually identifiable personal data or other personal information for which the privacy, security, retention and confidentiality are regulated by applicable legal, regulatory and contractual requirements (“Elon Data”);
- Elon Confidential Information and Elon Data stored at third-party locations; and
- Any persons who access or use Elon Facilities or Assets, Confidential Information, or Elon Data (the “Elon Community”), including faculty, staff, trustees, students, temporary employees, contractors, third-party service providers, business partners and alumni.
Availability: characteristic of the information by which it can be accessed by authorized persons when it is needed.
Confidentiality: characteristic of the information by which it is available only to authorized persons or systems.
Confidential Information: includes data and information regulated by state, federal or international laws, any data and information regulated by the Payment Card Industry and any Elon data and information that is not considered public.
- any equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information, including printers, storage devices, computers, computer equipment, network equipment and systems and phone equipment and systems.
- any software or technology system used to store, transmit, process, create or present information or data for university use.
- any data or information used by Elon community members in the course of doing business for and on behalf of Elon University.
Elon Data: any information resource that is maintained in electronic or digital format. Data may be accessed, searched, or retrieved via electronic networks or other electronic data processing technologies.
Employee: For the purpose of this policy, the term “employee” refers to any person hired by the University and/or provided credentials that give them access to Elon’s data, information or technology assets.
Information Security: preservation of confidentiality, integrity and availability of information.
Information Security Program: a segment of management processes that addresses the planning, implementation, maintenance, monitoring and improvement of information security within the University.
Integrity: characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
- Elon Senior Leadership (University President and members of Senior Staff) is responsible for ensuring the availability of resources to adequately protect Elon Facilities, Elon Assets, Confidential Information and Elon Data and promoting campus-wide compliance with all University and security policies, as well as regulatory and contractual requirements.
- Associate Vice President of Information Technology and Chief Information Officer is responsible for ensuring Elon’s Information Security Program is effective and is governed appropriately.
- Director of Information Security is responsible for designing and implementing the Written Information Security Program that aligns with the University’s goals and objectives, addresses the security needs of the organization and reduces potential risk to Elon Assets, Confidential Information and Elon Data to an acceptable level.
- Supervisors / Department Heads / Managers are responsible for promoting security awareness within their department and ensuring their direct reports have read and understand the University’s policies. Managers, department heads and supervisors are also responsible for ensuring their direct reports receive appropriate information security awareness training so they may fulfill their security and compliance related responsibilities.
- The Elon Community should read and understand this policy. In addition, Elon Community members have a responsibility to:
- protect Elon Data and Confidential Information within their control from unauthorized access, modification, destruction, and disclosure;
- recognize and report cyber-related threats against the University and Elon Assets;
- immediately report any security violation to his/her supervisor or department head or Campus Safety and Police; and
- attend appropriate University information security awareness training on an annual basis or as assigned.
5.0 Policy Statements
- Elon University will protect information and technology resources based on risk against accidental or unauthorized disclosure, modification, or destruction and ensure the confidentiality, integrity, and availability of Elon Data.
- Elon University will apply appropriate internal controls to sensitive information and Elon Data by implementing “least privilege” and “need to know” principles guided by Elon’s “Access Control Policy” and “Acceptable Use Policy” without creating unjustified obstacles to the conduct of the scholarship, business, and research of the University and the provision of services to its many constituencies.
- Elon University will assign a steward or stewards to all Elon Assets and technology resources. Stewards will ensure all information and technology resources and Elon Assets are used for the sole purpose of supporting the business activities of the University.
- Elon University will abide by all government and industry regulations related to information security, privacy and data protection through the implementation of proven security mechanisms, controls, documentation, education and training.
- Elon University will ensure each member of the Elon Community who accesses (reads, writes, updates, stores, uses or transmits) Elon’s technology and Elon Data or Assets is aware of his or her responsibility and accountability for all activity that is logged against his or her user-id.
- All employees who have Elon accounts are required to complete annual Information Security Awareness Training each academic year. This requirement can be satisfied by attending an Information Security-sponsored training class hosted by the Office of Leadership and Professional Development or Teaching and Learning Technologies or by watching any video in Elon’s Information Security Course catalog.
- All newly hired employees are required to complete Security Awareness training assigned by Human Resources as part of their onboarding process.
- Additional role-based security awareness training will be required for personnel who access regulated data such as credit card data, student records, medical records or Elon financial information.
Sanctions for policy violation or inappropriate use of Elon Facilities, Assets or Data may include, but are not limited to:
- Temporary or permanent revocation of access to some or all computing, networking and other technology resources;
- Disciplinary action according to applicable University policies; and/or
- Legal action according to applicable laws and contractual agreements.
Individuals concerned about any violation of this policy are encouraged to contact the Associate Vice President of Information Technology/CIO or the Vice President for Finance and Administration/CFO. Individuals can also report suspected policy violations to firstname.lastname@example.org.