Purpose

University information, including third party information that may be accessed or stored by the University of Illinois Springfield (“Data”), is a valuable asset to the University and requires appropriate protection. Unauthorized use or disclosure of Data could have adverse consequences for the individuals involved and could subject the University to fines, lawsuits, and government sanctions.

This policy is intended to:

  • help the University and its community members comply with legal and contractual requirements to protect Data;
  • help safeguard University information technology resources (“IT Resources”) from accidental or intentional damage and Data from alteration or theft; and
  • designate the appropriate level of security requirements for securing Data and IT Resources.

Scope

This policy applies to everyone (including, but not limited to, all University faculty, researchers, staff, students, visitors, vendors, contractors, volunteers, and employees of an affiliated entity) who accesses Data or University networks or who stores Data through the use of University credentials or under the authority of and pursuant to University contracts (“University Community Members”). This policy also applies to such access and storage by University Community Members whether the Data is accessed, stored or otherwise resides on University owned or controlled devices, personally owned or controlled devices, or devices owned or controlled by a third party under contract with the University.

Timeline

This policy is effective the date of publication but will be implemented in phases given the scope and complexity of the Information Security Standards. For details on the implementation schedule, please refer to the compliance timeline.

Authority

Chief Information Officer

  1. In order to manage information security risks, University Community Members must ensure that their actions with respect to Data and IT Resources and their electronic devices and other resources that store, transmit, or process Data meet:
    1. the Information Security Standards policy, and
    2. all applicable laws, University policies, and University contractual obligations.
  2. Individuals must report known non-compliance with this policy and its Information Security Standards to the University IT Security Office, security@illinois.edu, (217) 265‑0000.
  3. Failure to comply with this policy and its Information Security Standards may result in denied access to IT Resources and disciplinary action, up to and including termination or dismissal.
  4. University Community Members must review and comply with the following Information Security Standards:
  5. Responsible parties and their duties under this policy include:
    1. University Community Members shall:
      • review and comply with:
        • this policy;
        • the Information Security Standards;
        • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
        • applicable laws and University policies and contractual obligations;
      • complete required privacy and information security training;
      • notify administrative and technical staff of high risk or sensitive Data that is stored on computers and other electronic devices;
      • work with their local IT staff or unit liaison through the exception request process if needed; and
      • report non-compliance with this policy to the University IT Security Office, security@illinois.edu, (217) 265‑0000.
    2. University Community Members with compliance responsibilities shall, in addition to the duties of a University Community Member:
      • monitor Data security compliance;
      • investigate allegations and incidents of non-compliance;
      • recommend appropriate corrective and disciplinary actions;
      • develop and maintain policies related to the compliance requirements; and
      • participate in breach notification processes.
    3. University Community Members with Information Technology responsibilities shall, in addition to the duties of a University Community Member:
      • take reasonable action to secure Data and IT Resources in accordance with this policy, Information Security Standards and related standards and procedures, as well as pertinent laws and University policies and contractual obligations;
      • participate in University and University of Illinois System technical and security groups and forums, as appropriate; and
      • respond to technical questions from University Community Members related to securing IT Resources.
    4. Unit administrators shall, in addition to the duties of a University Community Member:
      • assign the responsibility of managing the information security risk and identifying specific security requirements associated within the relevant unit;
      • create, disseminate, and enforce local information security requirements to comply with University policies and standards for Data and IT Resources under their control;
      • provide oversight and manage the security of Data created, stored, or accessed by University Community Members as applicable for their units;
      • manage the security gap analysis for Data and IT Resources for security control requirements as applicable for their units;
      • request exceptions to this policy or Information Security Standards, if needed; and
      • exercise delegated authority and responsibility for unit Information Technology security, unit Data, and unit IT Resources, including designating unit individuals as appropriate.
    5. University Chief Privacy and Security Officer or Designate shall, in addition to the duties of a University Community Member:
      • exercise delegated authority and responsibility for privacy and information security from the CIO;
      • establish and maintain an Information Security Advisory Committee to provide guidance on information security policy, standards, procedures, exceptions, and other information security related matters;
      • establish information security policies and standards to protect Data and IT Resources;
      • review and approve final information security standards;
      • establish a process to review exception requests to this policy and related standards;
      • review and approve exceptions to information security policies and standards; and
      • review and manage university information security incidents.
    6. Technology Services – Privacy and Information Security personnel shall, in addition to the duties of a University Community Member:
      • oversee the information security policy and standards and related exception process;
      • provide guidance on information technology security issues;
      • monitor and notify regarding potential information security intrusions;
      • review information security incidents;
      • establish and publish the criteria upon which a server is determined to be a “critical server” and provide oversight for the vulnerability scan process;
      • exercise operational responsibility to remove non-compliant electronic devices from the University network and, as appropriate, retrieve IT Resources and Data as part of an investigation;
      • coordinate with the unit administrative and technical/security staff to assure that actions are taken as necessary to protect IT Resources and Data; and
      • coordinate with law enforcement, compliance offices, and University Counsel.
    7. Security Advisory Committee shall, in addition to the duties of a University Community Member:
      • advise on information security issues; and
      • advise on exceptions to information security policies and standards for high-level or unquantifiable risks to the University.
    8. Office of University Counsel shall, in addition to the duties of a University Community Member, review and comply with:
      • this policy;
      • the Information Security Standards, including in particular D. 3 and D. 5;
      • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
      • applicable University policies, laws or contractual obligations.
    9. University Office of Business and Financial Services personnel shall, in addition to the duties of a University Community Member, review and comply with:
      • this policy;
      • the Information Security Standards, including in particular D. 4;
      • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
      • applicable laws and University policies and contractual obligations.
    10. University Purchasing Division shall, in addition to the duties of a University Community Member, review and comply with:
      • this policy;
      • the Information Security Standards, including in particular D. 3 and D. 5;
      • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
      • applicable laws and University policies and contractual obligations.

Processes/Procedures/Guidelines

Procedures

Process

  • Identifying Security Level

Exceptions

The Information Security Policy represents a baseline of information security requirements for the University.

In certain situations, compliance with this policy or the Information Security Standards contained within this policy may not be immediately possible.

In such cases, exceptions to this policy or the Information Security Standards may be requested through the exception request procedure.

Contact

For questions related to this policy, please contact Technology Services – Privacy and Information Security; (217) 265‑0000; itpolicy@illinois.edu.

Related Information

Related Policies

Related Laws