The purpose of this policy is to establish a University-wide framework for the protection of Illinois State University's information technology resources, computers, networking systems, and data, collectively defined here as “ISU Information Technology Resources and Systems.” This framework aids the University in meeting its regulatory and legal obligations with regard to information security and privacy.
This policy requires actively controlling the security of and access to ISU Information Technology Resources and Systems, and authorizes the creation of procedures that will outline how security will be administered and how access to systems and data will be granted, maintained, reviewed and audited. Any use of ISU Information Technology Resources and Systems is also subject to applicable University policies, procedures, and local, state, and federal laws.
ISU promotes an open environment that grants, maintains, and audits access for authorized individuals to ISU Information Technology Resources and Systems, while providing adequate controls to minimize risk to the organization. ISU Information Technology Resources and Systems are available to authorized individuals based upon their roles and unit expectations as specified by the assigned oversight group. The Information Technology Service Management Council (IT Council) is authorized to promulgate procedures to effectuate the implementation of this Policy.
Security controls are based upon the nature and classification of the resources and systems being protected and the potential risk associated with unauthorized access or release. The President or the President’s designee will assign responsibility for the creation, maintenance and monitoring of procedures to support this Policy. Individuals granting access to ISU Information Technology Resources and Systems shall be held accountable for its use and protection, and are responsible for following all applicable procedures and sustaining relevant processes as a part of routine operational activities to monitor and ensure compliance with this Policy.
ISU Information Technology Resources and Systems are owned by the University and are to be used in support of the educational, research and public service mission of the University. All individuals who use or grant access to ISU Information Technology Resources and Systems, whether from on campus or off campus, are responsible for using these resources and systems in an effective, ethical, and lawful manner. In addition, the use of ISU Information Technology Resources and Systems is subject to all applicable state and federal laws, as well as all University policies. All individuals granting access to ISU Information Technology Resources and Systems shall be required to perform authentication and authorization processes in accordance with University procedures. The University reserves the right to deny any request, restrict access, or remove an individual’s account or access. In addition, violations may result in disciplinary action, up to and including discharge or termination.
Faculty, Staff and Students - Full or part-time faculty, staff and students who maintain their status as employees or students at Illinois State University may be permitted accounts in order to access ISU Information Technology Resources and Systems.
All non-affiliated individuals shall sign a written agreement governing the proper use, protection and security of the information being provided and establishing the length of time for which access will be granted.
A. Faculty and Staff Affiliated with Other Institutions - Individuals working in collaboration with a faculty or staff member of Illinois State University may request an account in order to access ISU Information Technology Resources and Systems for the time period necessary for the collaboration.
B. Contracted Employees, Vendors and Commercial Accounts - Requests for access shall be initiated through an Illinois State University faculty or staff member using the procedure appropriate for the resource being requested. All requests must be approved by the appropriate Illinois State University employees or bodies on a case-by-case basis, and according to University Policy and procedure.
Security controls reflect the University’s responsibility to the stewardship of the Information Technology Resources and Systems entrusted to its care. All controls shall be implemented to provide transparency in the validity and reliable protection of ISU Information Technology Resources and Systems. Controls shall be designed and implemented in such a way as to allow consistent independent evaluation and audit of their effectiveness.
Deans, Directors and Department Heads are responsible for identifying unit security liaisons to act on their behalf to submit requests for access to ISU Information Technology Resources and Systems. In addition, these unit security liaisons will serve as the primary contact for security incident response issues.
EDUCATION AND AWARENESS
Information security awareness training shall be required for those individuals designated as a unit security liaison who grant access as well as those granted access to ISU Information Technology Resources and Systems. In addition, an annual formal communication to faculty, staff, and students about information security policies and procedures shall be provided.
Access to ISU Information Technology Resources and Systems requires that each individual either granting or granted access accept responsibility to protect the security of this information, which protects the University and the University community.
Violations of this policy shall be reported and responded to in accordance with University procedures associated with this policy. Violations may include, but are not limited to, breach of confidentiality/privacy of records, theft of IT resources, vandalism, or damage to ISU Information Technology Resources and Systems, or unauthorized modification or use of data contained in these systems. Illinois State University reserves the right to act in accordance with the level and extent of the violation. Such acts may include, but are not limited to: discipline, up to and including discharge or termination; limitation of access; initiation of legal action; and/or requiring the violator to provide financial restitution to the University.
The President of Illinois State University has approved the Policy on Security of Information Technology Resource and Systems. This policy will be periodically reviewed by the IT Council, and changes or additions to this policy will be recommended by this Council to the Academic Senate and the President of the University. ISU Information Technology Resources and Systems are changing rapidly both in terms of technology and application, and the University reserves the right to amend this policy at any time. The version posted on the web at www.policy.ilstu.edu/ is the governing policy.
Last Review: 26 October 2011