1.0 Revision History
Document No: NAU - 700
Effective Date: 06/21/2005
Revision Date: 06/21/2005
Producer: Information Technology Services Information Security
2.0 Purpose
2.1 Northern Arizona University, hereinafter referred to as University, is committed to preserving the availability, confidentiality, and integrity of its information resources while also preserving and nurturing the open, information-sharing requirements of its academic culture. The University must protect its information assets, provide for the integrity of institutional processes and records, and comply with state and federal regulations.
2.2 Authorize the creation of the University Information Security Program, hereinafter referred to as “Program”, in support of this policy. The Program will establish, implement, and maintain information security related policies, procedures and standards for the University. These policies, procedures and standards will support the University’s compliance with federal, state and ABOR regulations, and support the implementation of information security best practices.
2.3 Authorize the creation of the University Information Security Committee, hereinafter referred to as “Committee”, in support of this policy and the Program. The Committee will review and recommend to the President’s Cabinet, information security policies and standards, and provide guidance and support to the Director of Information Security for the implementation and maintenance of the Program.
2.4 All systems implemented after the effective date of this policy are expected to comply with the provisions of this policy and the Program. Existing systems must be brought into compliance as soon as practical.
3.0 Definitions
3.1 Availability: The information resources of the University, including the network, the hardware, the software, the facilities, the infrastructure, and any other such resources, are available to support the teaching, learning, research, or administrative roles for which they are designated.
3.2 Confidentiality: Information is protected from unauthorized use or disclosure.
3.3 Integrity: Information is protected from unauthorized or unintentional modification.
3.4 Appropriate level of security: Information falls in a range from fully public to confidential and protected by law. The level of security applied should be appropriate to where it falls in this spectrum.
4.0 Applicability
4.1 This policy applies to all Academic Professionals, Administrators, Administrative Faculty, Classified Staff, Faculty, University Affiliates, Vendors and Service Providers, Sub-Contractors, Service Professionals, Temporary Employees, and Students.
4.2 This policy applies to all computer and network systems owned by and/or administered within the University. This includes all platforms (operating systems), all computer sizes (personal digital assistants through mainframes), and all applications and data (whether developed in-house or purchased from third parties) contained on those systems.
4.3 This policy applies to information in any form as defined in Section 5.2.
5.0 Policy
5.1 Faculty, Staff, Administrators, Students and others as indicated in paragraph 4.0 must protect information according to its sensitivity, criticality, and value to the University. This protection includes an appropriate level of security regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.
5.2 The intent of information security is to protect information whether it is written, spoken, filmed, typed, recorded electronically or printed, from accidental or intentional unauthorized modification, destruction or disclosure. Information will be protected through its life cycle (origination, entry, processing, distribution, storage, and disposal).
6.0 Roles & Responsibilities
6.1 President of the University: The President supports the implementation of the Program and authorizes the Information Security Committee to review and approve prudent security policies, procedures, and standards in support of the implementation of the Program.
6.2 University Administrators: University Administrators for the purposes of this policy are those individuals responsible for campus organizational units (e.g., deans, department chairs, principal investigators, directors, or managers) or individuals having functional ownership of data. University Administrators have a responsibility to ensure that the Program is supported within their organizational units.
6.3 Director of Information Security: The Director of Information Security is responsible for working with the roles identified herein to develop and implement prudent security policies, procedures, and standards in support of the implementation of the Program.
6.4 Information Security Committee: The Committee is responsible for oversight of the Program. The Committee will review and recommend to the President’s Cabinet, information security policies and standards, and provide guidance and support to the Director of Information Security for the implementation and maintenance of the Program. The Committee will have the following membership as a minimum: Director of Information Security, Compliance Officer, University Counsel, Provost’s office designee, President’s office designee, NAU Chief of Police, University Librarian, 2 ASNAU representatives, DLS representative, HR representative, 2 academic members-at-large, 2 administrative members-at-large.
6.5 Authorized Data Users: An authorized data user is any individual who has been authorized to read, enter, or update data on a university system or other medium as defined in section 4.0. The authorized data user is expected to comply with security policies, procedures, and standards as set forth in the Program.
7.0 Compliance
All persons who are subject to this policy are also subject to the provisions of applicable NAU Personnel Policies, the student employment handbook, Arizona Board of Regents policies and conditions of service documents, including provisions for discipline for violation of this policy, as well as applicable sanctions under the law.
8.0 References
NORTHERN ARIZONA UNIVERSITY POLICY MANUAL – POLICY NAU-700
State of Arizona – Government Information Technology Agency – IT Security Statewide Policy P800
Arizona Board of Regents: Tri-University Target Information Security Architecture
Arizona Board of Regents: Tri-U Personnel Guidelines on Protecting University Information and Systems
Arizona State University: Information Security Policy (Draft)
The University of North Carolina at Chapel Hill: Information Security Policy and Standards (Draft)
Peltier, Thomas R., Information Security Policies, Procedures, and Standards: Guidelines for effective information security management. New York: Auerbach Publications, 2002