9.8 IT Security and Procurement Policy

Administrative Responsibility:   Chief Information Officer

PURPOSE

This policy protects university confidential information from emergent and evolving cyber security threats, including but not limited to ransomware, phishing, and coordinated and uncoordinated threat actors. It supports data breach mitigation and financial controls, including the university's ability to retain cybersecurity liability insurance.

Compliance with this policy supports the university's legal and regulatory obligations, including accreditation, CMMC (Cybersecurity Maturity Model Certification), and GLBA (Gramm-Leach-Bliley Act).

This policy also supports consistent and efficient management of IT resources.

SCOPE

This policy applies to all employees of the university as well as non-employee affiliated persons or entities.

DEFINITIONS

  1. C&IT means the Computing & Information Technology Division.
  2. IT Device means any electronic device that communicates with other devices or that can store and/or process university information.
  3. Systems means any software, service, or program used, leased, acquired, or purchased by the University.
  4. Managed means subject to the centralized deployment of a common set of device security protection methods by C&IT, consistent with the currently published security standards.

POLICY

  1. C&IT must approve all computing, IT devices, and systems purchased by the university before acquisition. This includes all IT devices and systems acquired by the university for research and/or through grants, gifts, loans, and leases.
  2. All computing, IT devices, and systems purchased or acquired by the university must be managed through C&IT and adhere to all currently published standards and guidelines for security and management. A list of currently published standards and guidelines is available on the C&IT site under Policies, Standards, Guidelines.
  3. All employees must complete an appropriate level of online IT security awareness training annually.
  4. Non-employee affiliated persons or entities who require access to privileged university systems and/or university data must have documented agreements governing that access that are subject to legal review and final approval by C&IT. These persons or entities may be required to complete annual online IT security awareness training at the direction of the Chief Information Security Officer.

PROCEDURE

  1. Purchasing (Purchasing & Strategic Sourcing) – Notify C&IT staff of all computing, IT devices, and system purchases before acquisition.

APPENDICES

N/A

RELATED UNIVERSITY/BOARD POLICIES

N/A

Effective Date: 8/1/2023

Revised Date: 7/31/2023

Reviewed Date: 7/31/2023

To be reviewed, at minimum, every three years and/or revised as needed by: Chief Information Officer (CIO), Computing & Information Technology

Next Review By Date: 8/1/2026

SUPERSEDES POLICY

N/A

HISTORICAL DATES

N/A