The University of San Francisco: Information Technology Services
Information Technology

Information Security Policy

Printable version of the entire policy (pdf)

Table of Contents

1. Purpose

2. Policy Development and Maintenance

3. Policy Implementation and Evaluation

4. Scope

5. Information Classifications

6. Roles & Responsibilities

7. Information Access

8. Information Use

9. Information Transmission

10. Information Storage

11. Information Destruction

12. Incident Reporting and Response

13. Sanctions

14. Associated Policies

15. Potentially Applicable Laws

Appendix A: Windows Secure File Deletion (pdf)

Appendix B: Mac OS Secure File Deletion (pdf)

1. Purpose

The purpose of this policy is to ensure the confidentiality and integrity of USF information assets. The policy reflects USF's commitment to stewardship of sensitive personal information and critical business information, in acknowledgement of the many threats to information security and the importance of protecting the privacy of University constituents, safeguarding vital business information, and fulfilling legal obligations.

This policy serves as a companion to the USF Network Security Policy, which speaks to the secure configuration of systems and use of the USF network, and the Technology Resources Appropriate Use Policy.

Top Arrow

2. Policy Development and Maintenance

This policy was drafted by the Information Security Policy Task Force for review and revision by the Communication Infrastructure and Security (CIS) subcommittee of the University Information Technology Committee (UITC). The resulting version was reviewed and revised by the full UITC, and forwarded to the University Leadership Team for final review and approval.

This policy shall be reviewed by the CIS subcommittee on an annual basis and any substantive changes forwarded to the UITC and the University Leadership Team for approval.

Top Arrow

3. Policy Implementation and Evaluation

Implementation of this policy shall be overseen by the Vice President for Information Technology, in consultation with the University Leadership Team. Implementation activities, including information security review, remediation, and training development, shall be carried out by the ITS Information Security Coordinator in collaboration with Information Stewards, as defined in this policy.

An evaluation of policy implementation shall be conducted on an annual basis in the form of a third party information security audit.

Top Arrow

4. Scope

This policy applies to the entire USF community, including students, faculty, staff, alumni, trustees, temporary employees, contractors, volunteers and guests who have access to USF information assets. Information assets are information in any form, recorded on any media. Such assets include data, images, text, software, and voice recordings, in digital or analog form, stored on hardware, paper or other storage media.

Top Arrow

5. Information Classifications

  1. Public
  2. This classification covers information that may be disclosed to any person inside or outside the University. Although security mechanisms are not needed to control disclosure and dissemination, they are still required to protect against unauthorized modification and/or destruction of information.

  3. Internal
  4. This classification covers information that requires protection against unauthorized disclosure, modification, destruction, and use, but the sensitivity of the information is less than that for Confidential information. Examples of Internal-use-only information are internal memos, correspondence, and other documents whose distribution is limited as intended by the steward.

  5. Confidential
  6. This classification covers sensitive information about individuals and sensitive information about the University. Information receiving this classification requires a high level of protection against unauthorized disclosure, modification, destruction, and use. Specific categories of confidential information include personally identifiable information about:

    1. Current and former students (whose education records are protected under the Family Educational Rights and Privacy Act (FERPA) of 1974), including student academic, disciplinary, and financial records.
    2. Current, former, and prospective employees, including employment, pay, benefits data, and other personnel information.
    3. Donors, potential donors, Law Clinic and other University clinic clients, library patrons.
    4. Human subjects in USF research
    5. Other categories of confidential information include:

    6. Research information related to a forthcoming or pending patent application.
    7. Certain University business operations, finances, legal matters, or other operations of a particularly sensitive nature.
    8. Information security data, including passwords. Information about security-related incidents.
  7. Highly Confidential
  8. This classification covers sensitive information which, if it becomes available to unauthorized users, creates risk for identity theft and therefore requires notification of affected individuals. This information includes Social Security Numbers, bank account numbers, credit card numbers, and drivers license numbers.

  9. Default Classification
  10. Information that is not classified explicitly is classified by default as follows: Information falling into one of the Confidentiality categories listed above is treated as Confidential or Highly Confidential. Other information is treated as Public unless it is labeled as Internal-use-only by the Steward.

  11. Summary Table
  Public Internal Confidential Highly Confidential
Example
Schedule of Classes
Memos and minutes
Academic records
SSN
Access
Minimal controls to prevent unauthorized modification/ deletion
Determined by steward
Limited based upon need to know, named users only, training and confidentiality agreement required
Provide access only when no alternative exists. Treat as toxic. Named users only, training and confidentiality agreement required
Use
Post as needed
Determined by steward
No posting, limited reporting and copying
Use only when no alternative exist. Treat as toxic. No posting, limited reporting and copying
Transmission
Minimal controls to prevent unauthorized modification
Determined by steward
Confidential envelope; encrypted transmission
Hand deliver; encrypted transmission
Storage
Minimal controls to prevent unauthorized modification
Determined by steward
Locked private office or cabinets; secure server room; should encrypt on desktops, laptops, media
Locked private office or cabinets; secure server room; should encrypt on desktops, laptops, media
Destruction
No Controls
Determined by steward
Shred paper; secure delete files, wipe media
Shred paper; secure delete files, wipe media

Top Arrow

6. Roles & Responsibilities

  1. Information Stewards
  2. Stewards are members of the University community who have primary responsibility for particular information. One becomes a Steward either by designation or by virtue of having acquired, developed, or created information resources for which no other party has stewardship. For example, the Registrars (Law and University) are the Stewards of student data; Human Resources are the Stewards of employee data; Advancement Services are the Stewards of donor data. Faculty are the Stewards of their research and course materials; students are the Stewards of their own work.

    The term Steward as used here does not imply ownership in any legal sense, for example, as holder of a copyright or patent. Stewards have all responsibilities of Users (see next section). In addition, they are responsible for the following:

    1. Establishing supplemental security policies and procedures. Stewards may establish specific information security policies and procedures for their information where appropriate. Stewards are responsible for the procedures related to the creation, retention, distribution and disposal of information. These procedures must be consistent with this Policy, as well as with other University policies, contractual relationships, and laws. Stewards may impose additional requirements that enhance security.
    2. Assigning classifications and marking information. Stewards are responsible for determining the classification of their information and any specific information handling requirements that go beyond this Policy, particularly as may be imposed by confidentiality agreements with third parties. Information that is Confidential or Highly Confidential shall be marked as such when it is presented or distributed to Users. Additional markings specifying handling and distribution requirements may be added.
    3. Determining authorizations. Stewards determine who is authorized to have access to their information. Steward shall keep records of all users who are granted access and make these records available for audit upon request.
    4. Training. Stewards of Confidential and/or Highly Confidential information shall ensure the development/compilation and delivery of appropriate training on security policies and procedures to be completed by users prior to being granted access the information. Third party resources and services may be used. Stewards or their designees shall keep records of required training completion by users.
    5. Confidentiality Agreement. Stewards of Confidential and/or Highly Confidential Information shall ensure that users sign an appropriate confidentiality agreement prior to being granted access. All confidentiality agreements must be reviewed and approved by University General Counsel.
    6. Periodic review of access and/or Termination of access. Stewards must terminate access to Confidential and/or Highly Confidential information resources in a timely manner when a User has changed roles or left the University. Access privileges should also be reviewed periodically to ensure currency.
  3. Information Users
  4. All members of the University community are "Users" of USF's information resources, even if they do not have responsibility for managing the resources. Users are responsible for protecting information resources to which they have access. They shall follow the information security practices described in this policy, as well as any other information security practices specified by an information Steward and/or other information-related policies, including but not limited to the University's FERPA compliance policy, the Technology Resources Appropriate Use Policy, and Network Security Policy.

  5. ITS Security Coordinator
  6. The ITS Security Coordinator coordinates the efforts of ITS and other University personnel to maintain and improve information security at USF. On behalf of the Vice President for Information Technology, the Security Coordinator is charged with taking steps to ensure compliance with this policy across the University, including assisting with training and development of technical and procedural solutions. The Security Coordinator also coordinates the ITS response to information security incidents.

  7. University Information Technology Committee and Subcommittees
  8. The UITC and its subcommittees - Desktop Computing, Communication Infrastructure & Security, Learning Technologies, System Infrastructure, and Enterprise Applications - must ensure ongoing compliance with this policy as they review new and continuing ITS initiatives.

  9. Leadership Team
  10. The Leadership Team approves this policy and any substantive revisions, as recommended by the UITC. Leadership Team members are also responsible for championing good information security practices in their respective divisions, schools, and colleges.

  11. Public Safety
  12. The Department of Public Safety is responsible for working with Information Technology Services in response to information security incidents in which a crime may have been committed. Public Safety shall conduct an investigation and prepare a report for the appropriate authorities, or provide support to authorities conducting their own investigation(s).

  13. Internal Auditor
  14. The USF Internal Auditor reviews USF information security practices and recommends appropriate controls to mitigate the risk of inappropriate information access and/or use. The Internal Auditor also receives and processes whistleblower hotline reports, which may alert the University to information security incidents.

  15. General Counsel
  16. The University General Counsel's office provides guidance regarding laws applicable to USF information security policies and procedures. The office also reviews confidentiality agreements, this policy and proposed revisions for clarity and conformity with best practice.

  17. Third Parties
  18. Third parties with whom USF exchanges or entrusts Confidential and/or Highly Confidential information must provide the University with documentation of sound information security practices prior to any release of Confidential or Highly Confidential information. This documentation must be kept on file in the office of Business and Finance.

Top Arrow

7. Information Access

  1. Collection
  2. Highly Confidential information should be collected only when such information is an essential element of the necessary task and not prohibited by law. Alternative business processes should be employed whenever possible to avoid collection of such data.

  3. Need to know
  4. Access to Confidential and/or Highly Confidential information should be provided only when the user must know the information in order to perform his or her job functions. Access should not be provided automatically or as an adjunct to another process; for example, if a person needs access to an information system screen which contains Confidential and/or Highly Confidential data, but does not need access to all or some of the Confidential and/or Highly Confidential data elements, only those data elements which are specifically needed should be visible.

  5. Individual Accountability
  6. Access shall be granted to users in such manner as to provide individual accountability. Generic or otherwise shared accounts should not be permitted for access to Confidential and/or Highly Confidential information.

  7. Usernames and Passwords
  8. Usernames and passwords must never be shared. Passwords that provide access to University resources must not be stored on personal computers and must not be displayed on sticky notes or scraps of paper on or by computers. Whenever possible, passwords should be 8 or more characters long, and include letters, numbers, and punctuation characters. They should not be names, words in dictionaries, or permutations of personal data (birth dates or anniversaries, social security numbers, etc.). Passwords should be changed periodically.

  9. Logging out
  10. Users must log off from applications, computers, and networks when finished. If computers are located in secure offices or laboratories, Users must not leave unattended personal computers with open sessions without locking office doors or locking the computer. If computers are located in the open or in a shared computer lab, Users must complete their session and log off fully.

    USF faculty and staff computers should be configured to time out and require a new login after a period of inactivity.

  11. Training
  12. Users must complete training, as designated and recorded by the information Steward, prior to being granted access to Confidential and/or Highly Confidential information.

  13. Confidentiality Agreement
  14. Users with access to Confidential and/or Highly Confidential information must sign a Confidentiality Agreement prior to being granted access.

Top Arrow

8. Information Use

  1. Reporting
  2. Social Security Numbers must not be used in reports or other documents unless required by law.

  3. Posting
  4. Confidential and/or Highly Confidential information must not be posted in physical spaces or on web pages whose access is not limited to the specific individual to whom the information belongs.

  5. Copying
  6. Copying of Confidential and/or Highly Confidential information must be kept to an absolute minimum, and all paper copies must be shredded prior to disposal.

Top Arrow

9. Information Transmission

Highly Confidential, Confidential and Internal information must not be distributed or made available to users who are not authorized to access the information. This applies to originals, copies, and new materials that contain all or part of the information, and to oral communication of information. When such information is distributed, it must be distributed in such manner that the restrictions on its future distribution are clear.

When distributing documents in electronic form, precautions shall be taken against distributing files and disks with viruses and other forms of malicious code. Users should not forward e-mail messages with attachments without some level of confidence that the attachments do not carry malicious code.

  1. E-mail
  2. Confidential and/or Highly Confidential information sent via e-mail or as e-mail attachments must be encrypted.

  3. File Sharing
  4. Private directories in USFfiles should be used to share Highly Confidential, Confidential and Internal information with authorized individuals. Confidential and/or Highly Confidential information must not be placed in public or WWW folders on USFfiles. Confidential and/or Highly Confidential information should only be shared on local file servers if access is appropriately limited. Desktops should not be used for file sharing.

  5. Campus Mail
  6. Confidential information sent via campus mail must be sealed and marked Confidential. Highly Confidential information must also be sealed and marked Confidential, and should be hand-delivered.

  7. To Third Parties
  8. All file transfers to third party organizations containing Confidential and/or Highly Confidential information should be encrypted. Mail should be appropriately sealed and marked.

Top Arrow

10. Information Storage

  1. Electronic
    1. On desktop computers, laptop computers, PDAs, smart phones, and other portable computing devices and media
      1. USF owned
        1. Confidential and/or Highly Confidential information must require a login for access.
        2. Confidential information should be encrypted and backed up to a secure server.
        3. Highly Confidential information must be encrypted and backed up to a secure server.
      2. Personally owned
      3. With the exception of adjunct faculty records of student academic work in their courses. Confidential and/or Highly Confidential information must not be stored on personally-owned computers, devices, or media.

    2. On servers
    3. Confidential and/or Highly Confidential information should be stored on secure servers. Servers with appropriate physical and network access controls may store Confidential and/or Highly Confidential data in unencrypted form. Access to Confidential and and/or Highly Confidential information on servers must require a login. Server data should be backed up regularly. Backups should be stored in a secure, off-site location. Because electronic media can degrade, copies that may require long-term retention shall be periodically refreshed.

  2. Paper
    1. Internal
    2. Confidential and/or Highly Confidential information stored in USF facilities must be stored in locked cabinets or secure storage rooms.

    3. External
    4. Confidential and/or Highly Confidential information stored off-site must be stored with a reputable storage service provider in a physically secure space. Appropriate documentation of security practices should be provided by the third party, as specified above.

Top Arrow

    11. Information Destruction

    Confidential and/or Highly Confidential information must be disposed of in such manner as to ensure it cannot be retrieved and recovered by unauthorized persons. Note: Information destruction is prohibited by law if litigation is reasonably foreseeable. Consult with the University General Counsel.

    1. Data Wiping
      1. Retired equipment
      2. When donating, selling, transferring, or disposing of computers or removable media (such as diskettes), care must be taken to ensure that Highly Confidential, Confidential and Internal information are removed or rendered unreadable. All retired computers must be processed through Information Technology Services to ensure proper data removal.

      3. Current production equipment
      4. To remove a file containing confidential information from a current desktop or laptop computer, follow the instructions included in Appendix A or Appendix B for secure deletion of files.

    2. Shredding
    3. Confidential and/or Highly Confidential information stored in paper form must be shredded prior to disposal.

Top Arrow

    12. Incident Reporting and Response

    Users shall report known or suspected compromises of University information security to infosecurity@usfca.edu. The ITS Security Coordinator will inform the appropriate information steward and, if it appears that a crime may have been committed, the Department of Public Safety. In such cases, a Public Safety incident report should be created prior to the start of investigation. ITS detailed investigation reports must be shared with Public Safety and appropriate executive officers only, with only general status information reported, if appropriate, to broader community. Non-criminal incidents will be treated as Confidential unless information subject to California law has been compromised. In this case, affected individuals will be informed.

    The ITS Security Coordinator shall coordinate the efforts of all involved parties to investigate the incident. The Coordinator shall provide frequent status reports to the Vice President for Information Technology and other executive officers, as appropriate, and submit a complete incident report to the Vice President for Information Technology upon completion of the investigation.

Top Arrow

    13. Sanctions

    Members of the University community who knowingly violate this policy may be subject to disciplinary action in accordance with the Administrative Handbook, the applicable Collective Bargaining Agreement, and/or the Student Handbook (Fogcutter). Members of the University community are responsible for familiarity with this policy.

Top Arrow

    14. Associated Policies

    1. Technology Resources Appropriate Use Policy
    2. Network Security Policy

Top Arrow

    15. Potentially Applicable Laws

    1. Family Education Right to Privacy Act
    2. USF compliance with FERPA is overseen by the University Registrar.

    3. Gramm Leach Bliley Act (GLB)
    4. The GLB requires that institutions have a comprehensive written information security program.

    5. Cal. Civil Code section 1798.85
    6. This law prohibits the posting of SSNs.

    7. Identity Theft Protection Act (California)
    8. This California law requires notification to affected individuals if highly confidential information is compromised.

    9. Laws governing Intellectual Property

    Appendix A: Windows Secure File Deletion (pdf)

    Appendix B: Mac OS Secure File Deletion (pdf)

Top Arrow