1. In order to manage information security risks, University Community Members must ensure that their actions with respect to Data and IT Resources and their electronic devices and other resources that store, transmit, or process Data meet:
   1. the Information Security Standards policy, and
   2. all applicable laws, University policies, and University contractual obligations.
2. Individuals must report known non-compliance with this policy and its Information Security Standards to the University IT Security Office, security@illinois.edu, (217) 265‑0000.
3. Failure to comply with this policy and its Information Security Standards may result in denied access to IT Resources and disciplinary action, up to and including termination or dismissal.
4. University Community Members must review and comply with the following Information Security Standards:
   • University Data: Protect the confidentiality, integrity, and availability of Data.
     1. Data must be properly classified, labeled, and handled. See DAT01-Data Security Standard.
     2. Authorized access to and possession, use, and modification of Data must be provided. See DAT02-Information Access Control Standard.
   • Program Management: Develop and maintain a program management strategy focusing on information risk management, information security, security assessment, and business continuity.
     1. A risk management strategy, which includes but is not limited to periodic risk assessments and reporting, must be developed and maintained. See MGT01-Information Risk Management Standard.
     2. An information security plan, which includes but is not limited to assigning appropriate security roles and resources, must be developed and maintained. See MGT02-Information Security Management Standard.
     3. Periodic security assessments must be performed to comply with this policy and all pertinent laws and University policies and contractual obligations. See MGT03-Compliance Management Standard.
     4. Business continuity and disaster recovery plan(s) must be developed, maintained, and periodically reviewed to limit the negative impact of a disruptive event upon University operations. See MGT04-Business Continuity Management Standard and IT01-Disaster Recovery Standard
   • Legal: Identify laws and regulations applicable to Data and IT Resources as they become known in order to foster compliance. See LEG01-Legal and Regulatory Compliance Standard.
   • Business: Verify segregation of duties in applicable University financial systems and processes to minimize financial fraud. See BUS01-Financial Systems Security Standard.
   • Purchasing: Include contractual obligations on vendors of third party software products and computer services to satisfy the University’s information security requirements. See PUR01-Contract Management Security Standard and IT09-Vendor Management Security Standard.
   • Personnel Security: Manage the risk presented by each University Community Member throughout the lifecycle of the individual’s relationship with the University. Such management includes but is not limited to:
     1. Reviewing the background and needs of University Community Members before they are placed in positions with access to Data in order to match permitted access with the needs of both the University Community Members and the University.
     2. Establishing and maintaining a process to authorize, revoke, and audit access to Data and IT Resources by University Community Members
     3. Establishing and maintaining a process to retrieve Data and IT Resources from University Community Members as appropriate when they are transferred within or leave the University. See PS01-Personnel Security Standard.
   • Facilities: Equip University locations and workspaces with physical access controls to prevent the theft of, tampering with, or destruction of Data and IT Resources. See FAC01-Site Security Standard, FAC02-IT Workspace Security Standard, and IT02-Infrastructure Security Standard
   • Information Technology:
     1. Training and Awareness
        1. University Community Members must complete the appropriate privacy and information security training. See IT16-Security Training Standard.
        2. University Community Members must be made aware of their obligation to know and follow the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources.
     2. Security Incidents – There must be prompt, effective response and management of information security incidents. See IT14-Security Incident Management.
     3. Identity Management – There must be secure use and management of digital identities and use of secure authentication processes in order for University Community Members to access Data or IT Resources as appropriate. See IT05-Identity Management Standard.
     4. System, Network, and Communication Protection — There must be secure operation and timely access of:
        1. Network devices. See IT03-Network Security Standard.
        2. Server systems. See IT04-Server Security Standard.
        3. Client systems and applications. See IT10-Client Computer Security Standard.
        4. Mobile devices and applications. See IT11-Mobile Device Security Standard.
        5. Digital Communications. See IT12-Digital Communications Security Standard.
     5. Malicious Software – Maximize reasonable protection of Data and IT Resources from exploitation by malicious software, which includes, but is not limited to, malware, viruses, and spyware. See IT06-Malicious Software Protection Standard.
     6. System Development Life Cycle – Establish a comprehensive approach to manage risks to IT Resources and to provide the appropriate levels of information security based on the levels of risk as IT Resources are being developed, modified, used, and retired. This approach must include the following:
        1. Development Process – Reasonably maximize the production of secure applications and software in the software development process. See IT08-Development Process Standard
        2. Application Development – Reasonably maximize the secure operation of applications so that they produce the correct results and perform only authorized transactions and so that Data is not inadvertently exposed during processing. See IT07-Application Development Security Standard and IT13-Web Application Security Standard.
     7. Secure Use and Disposal of Information and Equipment – Require that University storage media, which includes but is not limited to optical media (CDs or DVDs), magnetic media (tapes or diskettes), disk drives (external, portable, or removed from information systems), flash memory storage devices (SSDs or UBS flash drives) and documents (paper documents, paper output, or photographic media), are used and disposed of securely. See IT15-Storage Media Security Standard.
     8. Equipment and Software Inventory Management – Require that IT Resources, including information assets and software, are identified so they can be managed securely and in compliance with appropriate license agreements and copyright laws. See IT17-Asset Management Standard and IT18-Software License Management Standard.
5. Responsible parties and their duties under this policy include:
   1. University Community Members shall:
      • review and comply with:
        • this policy;
        • the Information Security Standards;
        • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
        • applicable laws and University policies and contractual obligations;
      • complete required privacy and information security training;
      • notify administrative and technical staff of high risk or sensitive Data that is stored on computers and other electronic devices
      • work with their local IT staff or unit liaison through the exception request process if needed; and
      • report non-compliance with this policy to the University IT Security Office, security@illinois.edu, (217) 265‑0000.
   2. University Community Members with compliance responsibilities shall in addition to the duties of a University Community Member:
      • monitor Data security compliance;
      • investigate allegations and incidents of non-compliance;
      • recommend appropriate corrective and disciplinary actions;
      • develop and maintain policies related to the compliance requirements; and
      • participate in breach notification processes.
   3. University Community Members with Information Technology responsibilities shall in addition to the duties of a University Community Member:
      • Take reasonable action to secure Data and IT Resources in accordance with this policy, Information Security Standards and related standards and procedures, as well as pertinent laws and University policies and contractual obligations;
      • Information Security Standards and related standards and procedures, as well as pertinent laws and University policies and contractual obligations;
      • Participate in University and University of Illinois System technical and security groups and forums, as appropriate; and
      • Respond to technical questions from University Community Members related to securing IT Resources
   4. Unit administrators shall in addition to the duties of a University Community Member:
      • assign the responsibility of managing the information security risk and identifying specific security requirements associated within the relevant unit;
      • create, disseminate, and enforce local information security requirements to comply with University policies and standards for Data and IT Resources under their control;
      • provide oversight and manage the security of Data created, stored, or accessed by University Community Members as applicable for their units;
      • manage the security gap analysis for Data and IT Resources for security control requirements as applicable for their units;
      • request exceptions to this policy or Information Security Standards, if needed; and exercise delegated authority and responsibility for unit Information Technology security, unit Data, and unit IT Resources, including designating unit individuals as appropriate.
   5. University Chief Privacy and Security Officer or Designate shall in addition to the duties of a University Community Member:
      • exercise delegated authority and responsibility for privacy and information security from the CIO;
      • establish and maintain an Information Security Advisory Committee to provide guidance on information security policy, standards, procedures, exceptions, and other information security related matters;
      • establish information security policies and standards to protect Data and IT Resources;
      • review and approve final information security standards;
      • establish a process to review exception requests to this policy and related standards;
      • review and approve exceptions to information security policies and standards; and
      • review and manage university information security incidents.
   6. Technology Services – Privacy and Information Security personnel shall in addition to the duties of a University Community Member
      • oversee the information security policy and standards and related exception process;
      • provide guidance on information technology security issues;
      • monitor and notify regarding potential information security intrusions;
      • review information security incidents;
      • establish and publish the criteria upon which a server is determined to be a “critical server” and provide oversight for the vulnerability scan process;
      • exercise operational responsibility to remove non-compliant electronic devices from the University network and, as appropriate, retrieve IT Resources and Data as part of an investigation;
      • coordinate with the unit administrative and technical/security staff to assure that actions are taken as necessary to protect IT Resources and Data; and
      • coordinate with law enforcement, compliance offices, and University Counsel.
   7. Security Advisory Committee shall in addition to the duties of a University Community Member:
      • advise on information security issues; and
      • advise on exceptions to information security policies and standards for high-level or unquantifiable risks to the University.
   8. Office of University Counsel shall, in addition to the duties of a University Community Member, review and comply with:
      • this policy;
      • the Information Security Standards, including in particular D. 3 and D. 5;
      • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
      • applicable University policies, laws or contractual obligations.
   9. University Office of Business and Financial Services personnel shall, in addition to the duties of a University Community Member, review and comply with:
      • this policy;
      • the Information Security Standards, including in particular D. 4;
      • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
      • applicable laws and University policies and contractual obligations.
   10. University Purchasing Division shall, in addition to the duties of a University Community Member, review and comply with:
       • this policy;
       • the Information Security Standards, including in particular D. 3 and D. 5;
       • the Acceptable Use of Information Technology Resources and Policy for Acceptable Use of Network Resources; and
       • applicable laws and University policies and contractual obligations.

Processes/Procedures/Guidelines

Procedures

• The Information Security Standards
• Requests for an exception to this policy or to the Information Security Standards

Process

• Identifying Security Level

Exceptions

The Information Security Policy represents a baseline of information security requirements for the University.

In certain situations, compliance with this policy or the Information Security Standards contained within this policy may not be immediately possible.

In such cases, exceptions to this policy or the Information Security Standards may be requested through the exception request procedure.

Contact

For questions related to this policy, please contact Technology Services – Privacy and Information Security; (217) 265‑0000; itpolicy@illinois.edu.

Related Information

Related Policies

• Acceptable Use of Information Technology Resources
• University of Illinois System HIPAA Privacy and Security Directive
• University of Illinois System PCI DSS Policies
• University of Illinois System Family Educational Rights and Privacy Act (FERPA) and Compliance
• University of Illinois System Comply with the Red Flags Rule
• University of Illinois System Web Privacy Notice

Related Laws

• Family Educational Rights and Privacy Act (FERPA)
• Gramm-Leach Bliley (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Illinois Personal Information Protection Act (PIPA)
• Illinois Data Security on State Computers Act
• Payment Card Industry – Data Security Standard (PCI-DSS)