INFORMATION SECURITY
About This Policy
Responsible Officer
Vice President for Human Resources & Operations
Policy Owner
Executive Director of Innovation & Technology
Policy Contact
Executive Director of Innovation & Technology
Issued
2022-07-20
Policy Statement
The university’s information and technology systems are critical assets that support its academic, research, and administrative functions. The university is committed to protecting the confidentiality, integrity, and availability of these assets through a comprehensive information security program.
All data, communications, and work product created by employees as part of their duties are classified as university information, regardless of the device used for their creation. The creation of university information on a personal device does not change its status as university property, and it remains subject to all applicable university policies.
The university promotes and supports an institutional culture that elevates its overall information security posture by following these principles:
- The university will establish and maintain a comprehensive, institution-wide information security and cybersecurity risk management framework and program.
- The university will optimize its ability to protect institutional data, systems, resources, and services from unauthorized access and other threats or attacks that could potentially result in harm to the university or to members of the university community.
- Members of the university community have individual and shared responsibilities to protect the university’s information assets and comply with applicable laws, regulations, and policies.
- The university will comply with federal, state, and local law, university policies, contracts, and agreements that require the university to implement security safeguards in as cost-effective a manner as possible.
- The university will seek to maximize the use of secure and compliant university-provided services that are readily and affordably accessible to faculty, staff, and students.
- The university will educate, inform, and enable university community members to use information in a secure and compliant manner.
All institutional data must be protected in accordance with the provisions below, which take into consideration the level of sensitivity and criticality that the data has to the university.
- Data Classification: All university information is classified into an appropriate level based on its sensitivity and risk of harm to individuals and the university if the information is subject to a breach or unauthorized disclosure. Harm may encompass negative psychological, reputational, financial, personal safety, legal, or other ramifications to individuals or the university, or otherwise result in an adverse impact on the university’s mission, research activity, or operations.
- Data Security: The university establishes minimum security controls appropriate for safeguarding data based on the data’s classification level.
- Risk Management: The university maintains a risk-management framework which requires periodic risk assessments of systems and applications that maintain sensitive institutional data.
- Risk Acceptance: University leadership exercises authority to accept information security and privacy-related risks to the university’s information assets. University departments, units, and individuals may not unilaterally accept information security, privacy, and compliance risks that have the potential to increase the university’s vulnerability to cyber risks.
Authorization and Access
All users of university information resources must be accurately and individually identified. The university will rely on the principle of least privilege in granting access to data and information, in accordance with business requirements and legitimate institutional purpose.
Unauthorized use or disclosure of data protected by laws, regulations, or contractual obligations could cause severe harm to the university or members of the university community and could subject the university to fines or government sanctions. The physical and logical integrity of these resources must also be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.
Some university information systems maintain information that uniquely identifies individuals. This information must be maintained consistent with federal and state laws and regulations and with university policies. All university employees with access to personally identifiable information must respect the confidentiality of that information consistent with federal and state laws and regulations and with university policies.
The university maintains the following requirements for all university information.
Access, Use, and Disclosure
All university-owned and maintained information:
- Must be accessible only by authorized individuals for a legitimate university purpose.
- Must be handled exclusively with approved university equipment and devices, unless a pre-approved exception is granted.
- Must be used and disclosed only as authorized or required by federal and state laws, regulations, and university policies.
Data Lifecycle Management
All university-owned and maintained information:
- Must be gathered in a manner consistent with applicable laws, regulations, and university policies.
- Must be corrected if incorrect information is known to exist.
- Must be retained for the longest period required by federal, state, or university policies and securely destroyed after that time, provided no legal holds are in place.
- Must be removed or made inaccessible if an individual makes an appropriate request consistent with applicable laws, regulations, and university policies.
Security and Protection
All university-owned and maintained information:
- Must be protected using appropriate computer-based and non-computer-based access controls.
- Must be encrypted both in transit and at rest if it is classified as confidential or sensitive.
Effective risk management requires a proactive approach to data security. Proper storage is a fundamental measure to prevent breaches and protect all university-owned information. Consequently, all university business must be conducted using university-owned or approved equipment. Unauthorized storage of university data on personal devices or unapproved platforms is strictly prohibited. The creation or processing of work product on an unauthorized device does not alter the university’s ownership of that intellectual property, nor does it exempt it from any applicable university policies. University-owned information:
- Must be stored in a manner that protects its confidentiality, integrity, and availability.
- Must be stored on university-approved platforms that are regularly audited for security and compliance.
- Must not be stored on personal devices or unapproved cloud services unless a specific, approved exception is granted. Any such exception must still adhere to all university policies as well as applicable local, state, and federal laws.
- Must be classified before being stored.
Security Controls for Non-Private Environments
The duty to protect university information applies in any environment—on or off campus—where unauthorized individuals could potentially view it. When working in public or shared spaces, employees are required to position screens to prevent observation, use privacy screens when possible, lock devices when away, and avoid discussing sensitive information where they can be overheard.
Risk Management for Data on Personal Devices
The use of personal devices and accounts to create, process, or store university information is strictly prohibited as a critical security measure. Any university information residing on a personal device, even temporarily due to incidental contact, remains fully subject to all university policies and legal obligations, including audit and legal discovery processes. Therefore, if information is stored on a personal device, the employee must immediately transfer it to an approved university system and permanently delete all copies from the personal device.
External Relationships
The university’s information security requirements must be considered when establishing relationships with external vendors and partners, to ensure that information assets accessible to external parties are protected. In accordance with its obligations, all contracts with vendors that will gain access to and/or transmit university information must be reviewed by university information security and university counsel, and must directly contain or adhere to the university’s pre-approved addendum on information security.
Security Incident Management
All employees and non-employees must adhere to the Data Breach Notification policy for reporting any event that may have an impact on the security of university information. Security incident management procedures and responsibilities must be established and documented to ensure an effective, orderly, and timely response to any security incident and to restore any disrupted services as quickly as possible. The response to any security incident must additionally include analysis of the cause of the incident and implementation of any corrective actions to prevent recurrence of the same incident.
Identification of Cybersecurity Risks
Purchases of new university technology resources must adhere to the requirements of established university policies to ensure the resource is compatible with the university’s existing technologies and will not impose an unnecessary risk to the university.
Third parties seeking to contract with the university to perform technology and information services must provide assurances of compliance with applicable laws and regulations and agree to adhere to the established Information Security Program prior to entering into an agreement with the university.
The university conducts risk assessments on the following:
- An annual risk assessment for the university’s central IT infrastructure.
- University technology resources, including specific assets or information systems, as needed.
- Requests for exceptions to the Information Security Program.
Additional technology risks to the university may be identified through other activities including technology project planning, privacy impact assessments, in-person visits, whistleblowers, or self-disclosures.
All identified technology risks will be classified based on the likelihood that harm will occur as a result of the threat occurring and the harm that may occur to the university or individuals given the potential for the threat to exploit vulnerabilities.
Technology risks must be remediated, mitigated through implementation of compensating security controls, or accepted.
- Accepted risks will be tracked and reassessed annually at a minimum, to ensure the continual risk is still in line with the university’s level of risk tolerance.
- Aggregated data of known risks to the university will be compiled on an annual basis and provided to senior leadership to aid in determining the university’s ongoing technology risk appetite.
Oversight and Enforcement
The Program Administrator is responsible for the development, implementation, monitoring, and enforcement of the university’s information security program. Other university staff perform essential information security and cybersecurity risk management functions contributing to program implementation and regulatory compliance.
Exceptions
Departments unable to meet a requirement defined by the information security standards must obtain an exception. The university Program Administrator or delegate may allow exceptions to this policy after consultation with university leadership and the affected department.
While personal device use for university business is prohibited, limited exceptions are authorized for specific university-approved applications when a university-provided device is not available. Any deviation from these established information security standards requires advance written approval from the Office of Innovation & Technology.
Enforcement
An employee who violates the university’s information security requirements will be subject to appropriate disciplinary action. A student who violates these requirements will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct. An individual affiliated with the university who violates these requirements will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the university.
Consistent with the Acceptable Use of Information Technology Resources policy, the university may temporarily suspend, block, or restrict a user’s access to information and systems when it reasonably appears necessary to do so to protect the integrity, security, or functionality of university resources or to protect the university from liability.
The university may routinely monitor network traffic and information systems to ensure the continued integrity and security of university resources in accordance with applicable university policies and laws.
Reason For Policy
The purpose of this policy is to establish a framework for the protection of university information resources from accidental or intentional unauthorized access, modification, or damage in order to meet applicable federal, state, regulatory, and contractual requirements.
Policy Scope
This policy and its supporting controls, processes and procedures apply to all information used at the university, in all formats. This includes information processed by other organizations in their dealings with the university.
This policy applies to all university faculty and staff, as well as to students acting on behalf of the university through service on university bodies such as task forces, councils and committees. This policy also applies to all other individuals and entities granted use of university information, including, but not limited to, contractors, temporary employees, and volunteers.
Procedures
- There are no procedures associated with this policy.
Frequently Asked Questions
Q: Am I responsible for everything that happens on my university account?
A: Yes. You are responsible for all functions performed from accounts assigned to you. You must protect your passwords and are accountable for any activity that occurs using your account.
Q: Can I store university files on my personal computer or cloud storage?
A: No. Storing confidential or restricted university data on personally-owned devices or unapproved cloud services is strictly prohibited. Public data may be stored on personal devices, but all other data must be stored on university-approved platforms.
Q: If I send a work-related text from my personal phone, who owns that message?
A: That text message is considered a university record. Any record you create for university business is a university record, no matter what device you use. These records must be managed according to university policies and may be subject to subpoena or other audit request.
Q: What is the “principle of least privilege”?
A: It is the security concept of giving a user only the minimum levels of access—or permissions—needed to perform their job functions. This is a core principle for how the university grants access to its data and systems.
Q: Is my use of university computers and networks private?
A: No. While the university does not routinely monitor individual use, it does log activity for normal operations and may access stored information without user consent when authorized to protect university resources or comply with legal requirements.
Q: What are the security requirements for working in a public place like a coffee shop?
A: You have a duty to protect university information wherever you are. This means you must position your screen to prevent others from seeing it, use a privacy screen if possible, lock your device when you step away, and avoid discussing sensitive information where you can be overheard.
Q: What should I do if I suspect a security incident, like a data breach or a virus?
A: You must report it immediately. You can contact the primary contact listed in this policy or email incident@northcentral.edu.
Q: What happens if I violate this policy?
A: Violations can lead to disciplinary action, including termination for employees or expulsion for students, and could be referred to law enforcement.
Appendices
Appendix A: Approved Storage Platforms
To ensure compliance with security and legal standards, institutional and sensitive data must not be stored on non-university-approved or personally-contracted cloud services—such as Google Drive, Box, or Dropbox—or on personal removable storage devices. Instead, individuals must store, transfer, and access all data exclusively on university-approved platforms.
Storage Platform | Data Level 1 (Public) | Data Level 2 (Confidential) | Data Level 3 (Restricted) |
---|---|---|---|
University-managed devices (e.g., desktops, laptops, servers) | Yes | Yes | Yes |
University-managed file servers | Yes | Yes | Yes |
Cloud Storage (e.g., Microsoft OneDrive) | Yes | Yes | Yes |
Collaboration Platforms (e.g., Microsoft SharePoint, Microsoft Teams) | Yes | Yes | Yes |
University-sanctioned cloud providers (e.g., Microsoft Azure) | Yes | With Approval | With Approval |
Personally-owned devices and other cloud services | Yes | No | No |
Additional Contacts
Subject | Contact | Phone |
---|---|---|
Primary Contact | Executive Director of Innovation & Technology | 612.343.4170 |
Cybersecurity Incidents | incident@northcentral.edu | |
All other Cybersecurity Inquiries | cybersecurity@northcentral.edu | |
Definitions
Authorization
The function of establishing an individual’s privilege levels to access and/or handle information.
Authorized Individuals
Employees, students, and third parties who have been given access to university information systems and university information.
Availability
Ensuring that information is ready and suitable for use.
Baseline Configuration
A documented set of specifications for hardware, software, or applications that reflect the most restrictive mode consistent with operational requirements and serve as a basis for future builds, releases, and/or changes to the University Technology Resource.
Business Impact Analysis
An assessment to identify the Mission Critical Services performed by all business units within the University. The BIA should identify vulnerabilities and threats that may impact the business unit’s ability to fulfill these services and preventative controls to mitigate or eliminate threats; the University Technology Resources used to perform these Mission Critical Services; and recovery time objectives and priorities for the Mission Critical Services.
Confidentiality
Ensuring that information is kept in strict privacy.
Criticality
The relative importance of the service and the consequences of incorrect behavior of the system(s) that support it.
- Mission Critical Service means the system is required to conduct essential mission-oriented operations of the University. Unplanned interruptions have immediate and widespread impact.
- Core Service means the system must be available to conduct the most basic business activities. Interruptions have an immediate, University-wide impact.
- Business Critical Service means the system is required to conduct normal University operations. Interruptions in service impact important operations but are not University-wide.
Data Classification
The process of categorizing university information into levels (e.g., Public, Confidential, Restricted) based on its sensitivity and the risk of harm if it is disclosed without authorization.
Data Owner
Individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data (e.g., research).
Data User
Individual, who in the course of carrying out official university business or research, may collect, store, transfer or report data consistent with their function at the institution.
Disruption
An unplanned event that causes the University Technology Resource to be inoperable for an unacceptable length of time.
High Availability
A failover feature to ensure Availability during a Disruption.
Information Security
The state of being free from unacceptable risk. Information security focuses on reducing the risk of computing systems, communications systems, and information being misused, destroyed, modified or disclosed inappropriately either by intent or accident.
Integrity
The accuracy and consistency of stored data, indicated by an absence of any variance in data between two updates of a data record.
Least Privilege
The minimum system resources and authorizations needed for a system to perform its function, or the restriction of access privileges of authorized personnel to the minimum functions necessary to perform their job.
Maximum Tolerable Downtime (MTD)
The total amount of time the business unit is willing to accept for an outage or disruption.
Program Administrator
Individual responsible for the management of the Information Security Program.
Risk Acceptance
The formal decision made by university leadership to accept an information security risk rather than remediating or mitigating it. Departments and individuals may not accept risks on behalf of the university.
Security Incident
A suspected, attempted, successful, or imminent threat to the confidentiality, integrity, and/or availability of University Data; interference or Unauthorized Access to a University Technology Resource; or, a violation, or imminent threat of violation of University information technology rules, policies, standards, and/or procedures.
Unauthorized Access
Looking up, reviewing, copying, modifying, deleting, analyzing, or handling information without proper authorization and legitimate business need.
University Data (Information)
Information that the university collects, possesses, transmits, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.
Responsibilities
Users and Departments
- Be knowledgeable about relevant security requirements and guidelines.
- Protect the resources under their control, such as access passwords, computers, and data they download.
- Report information security-related incidents.
Administrators and Supervisors
- Authorizing and de-authorizing access to data under their stewardship, based on the principle of least privilege, and in a manner that supports individual accountability for user activity.
Information Technology Security Staff
- Handling information security incidents, and incident reporting, for the university.
Program Administrator (Executive Director of Innovation & Technology)
- Responsible for the security of the university’s information technologies. Implementation of security policies is delegated throughout the university to various university services, departments and other units; and to individual users of campus information resources.
- Provide interpretation of this and other related policies, disseminate related information, and enforce information security policies across campus.
RELATED INFORMATION
Relevant University Policies
- Acceptable Use of Information Technology Resources
- Data Breach Notification
- Managing Physical Security Data
- Managing Student Records
- Privacy
Relevant Legislation
- FERPA – Family Educational Rights and Privacy Act
- HIPAA – Health Insurance Portability and Accountability Act
- GLBA – Gramm-Leach-Bliley Act
- FACTA – Fair and Accurate Credit Transactions Act
- PCI-DSS – Payment Card Industry Data Security Standard
History
Issued
2022-07-20