Information Security Policy Manual

Title: Information Security Policy Manual
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability:  All Campuses, except UConn Health
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website:

The Information Security Policy Manual is available in PDF.

The University of Connecticut developed information security policies to protect the availability, integrity, and confidentiality of University information technology (IT) resources. While these policies apply to all faculty, staff, and students of the University, they are primarily applicable to Data Stewards, those that manage access to data and IT resources, and those who use University IT resources.

The University expects all employees, students and users to adhere to the policies herein. No set of policies can address all scenarios of IT security; therefore, these policies address the most common aspects of security. We cannot eliminate malevolent behavior or irresponsibility, but we can guide users and administrators toward responsible decisions and actions.

The Chief Information Security Officer (CISO) manages the University’s information security activities. The CISO works in cooperation with University employees whose responsibilities address information technology and information security.

In order to protect resources from threats and ensure compliance with applicable laws and industry standards, the University will manage and regulate networks and other IT resources.

All employees must immediately report lost or stolen technology resources to the University Police Department (860-486-4800), the Information Security Office (860-486-8255), and the Office of the Controller (860-486-2937).

The University’s IT resources, whether owned or contracted, will be configured to meet the requirements set forth in these policies. Agreements that involve a third party accessing or managing the University’s IT resources shall comply with all of the requirements specified in these policies.

Owners of IT resources are responsible for keeping computer systems protected from activities that could compromise the confidentiality, integrity, or availability of the resources. Owners shall perform regular and timely computer maintenance, which includes, but is not limited to, installation of software patches, and updates to malware and virus protection. The automatic implementation of patches and updates at regular intervals will be utilized for all capable devices. Owners of IT resources should be aware of the business and availability requirements for their systems, and owners shall create appropriate documentation and processes to meet the requirements outlined in these policies.

University managers should direct faculty and staff to the information security policies and discuss the impacts and outcomes of the policies for their specific areas. Upon hire, employees will sign a “Statement of Policy Acknowledgement” which will be administered and maintained by the Human Resources department.

The regulations of The Student Code remain applicable to students and their registered organizations, regarding information security:
“Unauthorized possession, duplication, or misuse of University property or other personal or public property, including but not limited to records, electronic files, telecommunications systems, forms of identification, and keys.” (Student Code, III. Proscribed Conduct, Section B, 16)


Please email for questions, concerns or general feedback.

Please email to report any security breaches or incidents.

Please visit for more information.


Violations of information security policy may result in appropriate disciplinary measures in accordance with local, state, and federal laws, as well as University Laws and By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Conduct Code.

For purposes of protecting the University’s network and information technology resources, the Information Security Office may temporarily remove or block any system, device, or person from the University network that is reasonably suspected of violating University information security policy. These non-punitive measures will be taken only to maintain business continuity and information security, and users of the University’s information technology resources will be contacted for resolution.

Any individual who suspects a violation of this policy may report it to:
• The Information Security Office: (860) 486-8255
• The Office of University Compliance: (860) 486-2530
• Anonymously through the Reportline: (888) 685-2637 or

The Information Security Policy Manual is available in PDF.

Policy Manual Created: May 16, 2012