IT Security Policy FAQs

FAQs about the Information Technology Resource Security Policy

Does this policy apply to me?

Yes. This policy applies to the entire University Community. Even contractors, consultants and affiliates of the University are expected to abide by this policy.

Why do we need a policy specifically for "Information Technology Resource Security"?

University Information Technology Resources are critical to the ongoing performance of the University's academic, research, health care, and community service missions. But just as important is the need to protect the sensitive personal information of faculty members, staff, and students, as well as any people who choose to conduct business with the University.

What is this policy's purpose?

The purpose of this Policy is to reduce the risk that the University may not be able to perform critical operations because of a security breach, and to protect sensitive personal information that, in the wrong hands, can be used to cause harm to an individual. See Identity Theft. This policy also brings the University into compliance with recently enacted federal laws and regulations regarding information resource security (the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act).

Our department already has an information security policy. How will this campus policy impact our departmental policy?

Departmental information technology resource policies must comply with the campus policy, but specific college and/or departmental policies may be more restrictive depending on the security requirements of the college and/or department. For example, any department that deals with personal health information must conform to HIPAA (Health Insurance Portability and Accountability Act). HIPAA regulations are in many ways stricter than the IT Resources Security Policy.

How does this policy affect my privacy?

This policy was developed to protect every individual's privacy and to minimize the risk that your personal identity could be hijacked for malicious purposes. It should help each of us to realize that we have a responsibility to safeguard the privacy and security of sensitive personal information of each member of our campus family.

Can I keep "sensitive" personal information on my computer?

The campus and its colleges and departments have implemented highly secure systems to store sensitive personal information. It would be best if personal information stayed in those systems, where we know that security precautions are implemented and enforced. However, there may be situations that require a person to maintain some personal information on a local or personal computer. If you are one of those people then you should do the following:

  1. Get permission from your dean, department head, or Vice President.
  2. Take appropriate steps to secure the sensitive information. For example, Microsoft spreadsheets, Word documents, and presentations can easily be password protected. With your document open, click the Tools menu and select Options, then choose the Security tab. There you will see options that let you require a password to open and/or modify the document. Review the other security options on that tab as well.
  3. Follow the advice and guidance of your college or departmental IT Administrators.
  4. If you have a question as to whether or not information you wish to store is "sensitive", call ISO at 585-1012.

What information is "sensitive"?

Any information that identifies or describes an individual in a way that may be used to harm the person. This may include a person's name in combination with a social security number, medical history, birth date, credit card or other financial information, and health information. The University and other private and public institutions are governed by laws regarding the disclosure of personal information.

What about grades? I'd like to keep a record of student grades on my PC.

Grades are considered to be part of the student's educational record. They are protected under the provisions of FERPA (Family Educational Rights and Privacy Act) regardless of where or how they are stored. This does not mean that grades cannot be maintained by the instructor of the class, but it does mean that the grades must be kept secure and may not be released to someone else without the permission of the student. So, it would be wise to password protect documents that contain grades (described earlier).

Can I keep "critical" information on my computer?

The campus and its colleges and departments have implemented highly secure systems to store information that is critical to the operation of the University or its colleges and departments. It would be best if critical information stayed in those systems, where we know that security precautions are implemented and enforced. However, there may be situations that require a person to maintain some critical information on a local or personal computer. If you are one of those people then you should do the following:

  1. Get permission from your dean, department head, or Vice President.
  2. Take appropriate steps to back up and secure the critical information. See your IT Administrator about the backup procedures used in your college or department. Information that is critical to you personally may be backed up to CDs or other storage media. Information that is critical to the broader operation of your department or college should be backed up and secured by your IT Administrators.

What information is "critical"?

You should ask yourself if your work, the work of your department or college, or the work of the University could continue if an IT resource under your control were rendered unusable. If in doubt, seek the guidance of your college or department IT professionals, or contact ISO at security@utah.edu.

As an IT Administrator, am I responsible for finding every possible file that may contain sensitive or critical IT resources?

No. It is not possible for you, as an IT administrator, to inspect the content of every file on every PC in your organization. If end users want to keep sensitive or critical information on their personal computers, they should seek permission from their dean, department head, or vice president. They should then follow your department or college guidelines for securing this type of information.

As an end user, am I going to be punished if sensitive or critical information is found that was inadvertently left on my PC?

We hope that each end user will give some thought to this policy and do what they can to remove sensitive or critical information from personal computers. However, the policy states that a violation must happen "knowingly" to result in sanctions. The purpose of this policy is not to punish our colleagues and students. It is intended to protect each one of us, individually and as an institution.

How do I report an information security problem if I suspect one?

You can report any IT security problem to the Institutional Security Office at security@utah.edu or by calling the Campus Help Desk at (801) 581-4000.