NORTHERN ARIZONA UNIVERSITY POLICY MANUAL – POLICY NAU-700
1.0 Revision History
Document No: NAU - 700
Effective Date: 06/21/2005
Revision Date: 06/30/2013
Revision No: ￼ 2.0
Producer: Information Technology Services, Lanita Collette, University Information Security Officer
2.1 Northern Arizona University, hereinafter referred to as University, is committed to preserving the availability, confidentiality, and integrity of its information resources while also preserving and nurturing the open, information-sharing requirements of its academic culture. The University must protect its information assets, provide for the integrity of institutional processes and records, and comply with state and federal regulations.
2.2 Authorize the creation of the University Information Security Program, hereinafter referred to as “Program”, in support of this policy. The Program will establish, implement, and maintain information security related policies, procedures and standards for the University. These policies, procedures and standards will support the University’s compliance with federal, state and ABOR regulations, and support the implementation of information security best practices.
2.3 Authorize the creation of the University Information Security Committee, hereinafter referred to as “Committee”, in support of this policy and the Program. The Committee will review and recommend to the President’s Cabinet, information security policies and standards, and provide guidance and support to the University Information Security Officer for the implementation and maintenance of the Program.
2.4 All systems implemented after the effective date of this policy are expected to comply with the provisions of this policy and the Program. Existing systems must be brought into compliance as soon as practical.
3.1 Availability: The information resources of the University, including the network, the hardware, the software, the facilities, the infrastructure, and any other such resources, available to support the teaching, learning, research, or administrative roles for which they are designated.
3.2 Confidentiality: Information is protected from unauthorized use or disclosure.
3.3 Integrity: Information is protected from unauthorized or unintentional modification.
3.4 Appropriate level of security: Information falls in a range from fully public to confidential and protected by law. The level of security applied should be appropriate to where it falls in this spectrum.
4.1 This policy applies to all academic professionals, administrators, administrative faculty, classified staff, service professionals, faculty, and students as well as official university affiliates such as vendors and service providers, sub-contractors, retirees, etc.
4.2 This policy applies to all computer and network systems owned by and/or administered within the University. This includes all platforms (operating systems), all computer sizes (smartphone through mainframes), and all applications and data (whether developed in-house or purchased from third parties) contained on those systems.
4.3 This policy applies to information in any form as defined in Section 5.2.
5.1 Faculty, Staff, Administrators, Students and others as indicated in paragraph 4.0 must protect information according to its sensitivity, criticality, and value to the University. This protection includes an appropriate level of security regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.
5.2 The intent of information security is to protect information whether it is written, spoken, filmed, typed, recorded electronically or printed, from accidental or intentional unauthorized modification, destruction or disclosure. Information will be protected through its life cycle (origination, entry, processing, distribution, storage, and disposal.)
6.0 Roles & Responsibilities
6.1 President of the University: The President supports the implementation of the Program and authorizes the Information Security Committee to review and approve prudent security policies, procedures, and standards in support of the implementation of the Program.
6.2 University Administrators: University Administrators for the purposes of this policy are those individuals responsible for campus organizational units (e.g., deans, department chairs, principal investigators, directors, or managers) or individuals having functional ownership of data. University Administrators have a responsibility to ensure that the Program is supported within their organizational units.
6.3 University Information Security Officer: The University Information Security Officer, reporting to the Chief Information Technology Officer with a dotted line report to the President of the University, is responsible for working with the roles identified herein to develop and implement prudent security policies, procedures, and standards in support of the implementation of the Program.
6.4 Information Security Committee: The Committee is responsible for oversight of the Program. The Committee will review and recommend to the President’s Cabinet information security policies and standards, and provide guidance and support to the University Information Security Officer for the implementation and maintenance of the Program. The Committee will have the following membership as a minimum: University Information Security Officer, Comptroller Office representative, University Counsel, Chief Audit Executive, Provost’s office representative, President’s office representative, NAU Chief of Police, University Librarian, ASNAU representative, Extended Campuses representative, Enrollment Management and Student Affairs representative, and HR representative. Representatives may stand in for regular members as needed.
6.5 Authorized Data Users: An authorized data user is any individual who has been authorized to read, enter, or update data on a university system or other medium as defined in section 4.0. The authorized data user is expected to comply with security policies, procedures, and standards as set forth in The Program.
Persons subject to this policy are also subject to the provisions of applicable University Personnel Policies, the student employment handbook, Arizona Board of Regents policies and conditions of service documents, including provisions for discipline for violation of this policy, as well as applicable sanctions under the law. University affiliates are subject to loss of access to University resources for violation of the policy, as well as applicable sanctions under the law.
State of Arizona – Government Information Technology Agency – IT Security Statewide Policy P800
Arizona Board of Regents: Tri-University Target Information Security Architecture
Arizona Board of Regents: Tri-U Personnel Guidelines on Protecting University Information and Systems
Arizona Board of Regents: ABOR Policy Manual, Chapter 9 – Information Technology, 9-202 University Responsibilities
Arizona State University: Information Security Policy (Draft)
The University of North Carolina at Chapel Hill: Information Security Policy and Standards (Draft)
Peltier, Thomas R., Information Security Policies, Procedures, and Standards: Guidelines for effective information security management. New York: Auerbach Publications, 2002.