9.8 Information Security Program Policy
I. Purpose
Illinois State University is committed to the confidentiality, integrity, and availability of its information systems and information resources. This policy establishes an Information Security Program for the University that is responsible for managing and maintaining the necessary functions to fulfill this commitment and applicable regulatory requirements.
II. Scope
This policy applies to all information systems and information resources owned or operated by, or on behalf of, the University, or connected to the networks of the University. Any use that is in scope is also subject to other applicable University policies, procedures, and local, state, and federal laws.
III. Policy
The President and Vice Presidents of Illinois State University have approved the Information Security Program and the Data Governance Framework. These together will be responsible for developing and maintaining policies and procedures relevant to the program. The Information Security Office and Data Governance Committee are authorized to promulgate procedures to effectuate the implementation of this Policy.
IV. Compliance
Individuals who use or grant access to information systems and information resources within the scope of this policy are responsible for following all applicable procedures and sustaining relevant processes as a part of routine operational activities to monitor and ensure compliance with this Policy.
Violations of this policy are defined in the 9.8.1 Procedures for Information Security Program Policy Violations. They shall be reported and responded to in accordance with university procedures associated with this policy. Illinois State University reserves the right to act in accordance with the level and extent of the violation. Such acts may include, but are not limited to, discipline, up to and including discharge or termination; limitation of access; initiation of legal action; and/or requiring the violator to provide financial restitution to the University.
V. Policy Review and Approval
This program policy statement will be reviewed at least annually by the Chief Information Security Officer, Chief Information Officer, and the Data Governance Committee.
Changes to the policy must be reviewed and approved by the Data Governance Executive Council, the Vice President for Finance and Planning, and the President of the University.