ROWAN UNIVERSITY POLICY

 

Title: Information Security Policy

Subject: Information Security                                      

Policy No: ISO: 2013:01                                                  

Applies: University-Wide

Issuing Authority: Vice President for Information Resources and Chief Information Officer

Responsible Officer: Vice President for Information Resources and Chief Information Officer     

Adopted: 09/01/2013

Amended: 11/21/2013

Last Revision: 05/08/2015

I. PURPOSE

The purpose of this policy and the related Procedures and Standards is to set forth the security practices necessary to protect the Rowan University network and information. This policy does not supersede any applicable state or federal laws regarding access to or disclosure of information.

II. ACCOUNTABILITY

Under the President and the Vice President for Information Resources and Chief Information Officer (CIO), the Chief Information Security Officer shall ensure compliance with this policy. The Provost, Executive Vice President for Administration and Strategic Advancement, Vice Presidents, Deans, IR Directors, and individual managers shall implement the policy. 

III. APPLICABILITY

This policy applies to all individuals accessing University data, including students, faculty, visiting faculty, staff, volunteers, alumni, persons hired or retained to perform University work, external individuals and organizations, and any other person extended access and use privileges by the University under contractual agreements and obligations or otherwise. All users who have access to University-owned or managed information through computing systems or devices (“Users”) must maintain the security of that information and those systems and devices.

IV. POLICY

A. All University faculty, students, staff, temporary employees, contractors, outside vendors and visitors to campus who have access to University-owned or managed information through computing systems or devices (“Users”) must maintain the security of that information and those systems and devices.

...

 This policy has been reviewed and adopted under the direction of Rowan’s Data Governance Committee and Chief Information Officer (CIO):

V. COMPLIANCE

A. Failure to adhere to this Policy and the Procedures and Standards may put University information assets at risk and may have disciplinary consequences for employees up to and including termination of employment. Students who fail to adhere to this Policy or the Procedures and Standards will be referred to the Office of Student Affairs and may be expelled. Contractors and vendors who fail to adhere to this Policy and the Procedures and Standards may face termination of their business relationships with the University.

B. This policy applies to all Users accessing the ROWAN network or ROWAN information through computing devices owned by or managed through ROWAN or through permission granted by ROWAN. All Users must read this Policy Statement and the related Procedures and Standards in their entirety. If you have any questions about whether this Policy Statement applies to you or how it applies to you, please contact the Information Security Office at 856-256-4498.

VI. ATTACHMENTS

A. Attachment 1, Sensitive Information

...

Division of Information Resources and Technology   

ATTACHMENT 1

SENSITIVE INFORMATION

Sensitive Information includes all data, in its original and duplicate form, which contains:

  • “Personal Identifying Information or PII,” as defined by the New Jersey Identity Theft Protection Act. This includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, state identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or information that can be used to access a person's financial resources.
  • “Protected Health Information or PHI” as defined by the Health Insurance Portability and Accountability Act (HIPAA).
  • Student “education records,” as defined by the Family Educational Rights and Privacy Act (FERPA).
  • “Customer record information,” as defined by the Gramm Leach Bliley Act (GLBA).
  • “Card holder data,” as defined by the Payment Card Industry (PCI) Data Security Standard.
  • Information that is deemed to be confidential in accordance with the New Jersey Public Records Act.

Sensitive Information also includes any other information that is protected by University policy or federal or state law from unauthorized access.

Sensitive Information must be restricted to those with a legitimate business need for access. Examples of Sensitive Information may include, but are not limited to, Social Security numbers, system access passwords, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, information concerning select agents, information security records, and information file encryption keys.