Author: Brandon Murray

Business Continuity & Disaster Recovery, Information Technology

Title: Business Continuity & Disaster Recovery, Information Technology
Policy Owner: Information Security Office
Applies to: Students, Employees, Users
Campus Applicability: All University departments at all campuses except UConn Health
Effective Date: May 16, 2012
For More Information, Contact Chief Information Security Officer
Contact Information: (860) 486-8255
Official Website: https://security.uconn.edu/

Each University department will maintain a current, written and tested Business Continuity Plan (BCP) that addresses the department’s response to unexpected events that disrupt normal business (for example, fire, vandalism, system failure, and natural disaster).

The BCP will be an action-based plan that addresses critical systems and data. Analysis of the criticality of systems, applications, and data will be documented in support of the BCP.

Emergency access procedures will be included in the BCP to address the retrieval of critical data during an emergency.

The BCP will include a Disaster Recovery (DR) Plan that addresses maintaining business processes and services in the event of a disaster and the eventual restoration of normal operations. The BCP and DR Plan will contain a documented process for annual review, testing, and revision. Annual testing of the BCP will include desk audits, and should also include tabletop testing, walkthroughs, live simulations, and data restoration procedures, where appropriate. The BCP will include measures necessary to protect Confidential Data during emergency operations.

Data Administrators are responsible for implementing procedures for critical data backup and recovery in support of the BCP. The data procedures will address the recovery point objective and recovery time objectives determined by the Data Steward and other stakeholders.

Policy Created: May 16, 2012

Security Awareness Training Policy, Information Technology

Title: Security Awareness Training Policy, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to: All faculty, staff, student employees, and volunteers   
Campus Applicability: All campuses except UConn Health 
Effective Date: August 30, 2021
For More Information, Contact UConn Information Security Office 
Contact Information: techsupport@uconn.edu or security@uconn.edu 
Official Website: https://security.uconn.edu/

PURPOSE 

The Information Security Office (ISO) maintains an active Security Awareness Training program available to all faculty, staff, and student employees. This policy establishes the authority of the ISO to mandate Security Awareness training as needed and outlines the expectations for individuals and departments in assisting with ensuring the confidentiality, integrity, and availability of university systems, services, and data. 

APPLIES TO 

This policy applies to all University faculty, staff, student employees, and volunteers who regularly interact with or have access to confidential or protected information within the university. 

POLICY STATEMENT  

While the Information Security Office maintains an active information security program, faculty and staff members’ knowledge of the threats and risks to the University’s systems and data is a critical component in helping to defend the University from attack.  

The ISO maintains an Information Security Awareness program that supports University employees’ and students’ needs for regular training. Training on important information security topics is available or communicated in multiple ways including: 

  • Online training systems with a variety of topics relevant to Information Security (available at https://security.uconn.edu/training) 
  • Communications to targeted groups by email of ongoing or imminent threats 
  • Postings on various web-based systems across the university (security.uconn.edu or techsupport.uconn.edu) 
  • Availability of ISO staff for in-person discussions on information security 

As part of their ongoing operations and employee development, all academic and administrative departments should identify opportunities to engage faculty, staff, and student employees in Security Awareness training annually. These opportunities may include those offerings from the ISO or a tailored program for specific threats against departments or systems, which may also be included in procedural manuals or scheduled as group training opportunities. 

The ISO is authorized to mandate Security Awareness training. In some areas, Security Awareness training may be mandatory based on federal or industry regulations. Training for these programs must be coordinated with the ISO to ensure regulatory requirements are met.  

ENFORCEMENT  

Failure to comply with mandatory Security Awareness training, or to coordinate training with the ISO, may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

Questions about this policy or suspected violations may be reported to any of the following: 

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

Information Security Office – https://security.uconn.edu 

REFERENCES 

Compliance Training Policy 

POLICY HISTORY 

Policy created:  May 16, 2012 

Revisions:  August 30, 2021 [Approved by President’s Senior Team]

Risk Management, Information Technology

Title: Risk Management, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to: All department and school/college system owners and IT professionals   
Campus Applicability: All campuses except UConn Health 
Effective Date: August 30, 2021
For More Information, Contact UConn Information Security Office 
Contact Information: techsupport@uconn.edu or security@uconn.edu 
Official Website: https://security.uconn.edu/

PURPOSE 

As technology and capabilities change our University environment, threats against these technologies also evolve. To provide the highest level of protection for the University, department and system owners are responsible for regular assessments of risks to their technology platforms. The Information Security Office is responsible for overseeing the evaluation of IT risk across the organization. 

APPLIES TO 

This policy applies to all University department and school/college system owners and IT professionals.  

DEFINITIONS  

Confidential Data: Confidential data is institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of the Data Classification Policy. 

Protected Data: Protected data is institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data falls into this classification; any data that is neither confidential nor public is treated as protected data.

Risk Assessment: Part of the ongoing risk management process that assigns relative priorities for mitigation plans and implementation.  

Risk Assessment Tool: Risk assessment tools are available to department and school/college system owners and IT professionals to collect information about systems, services, and data that will inform efforts to continuously strengthen UConn’s information security.  

POLICY STATEMENT  

The Information Security Office (ISO) is authorized to administer the University’s risk management process, which includes the delegation of responsibility for ensuring that information systems are assessed for risk. 

Due to the size and complexity of the UConn environment, each department and system owner is responsible for conducting a regular and ongoing risk assessment of the Information Technologies they are responsible for overseeing. 

In conducting a risk assessment, departments/individuals should evaluate risks to Information Technology based on a People, Process, Technology (PPT) methodology. Using this methodology and leveraging ISO policies, including the Acceptable Use Policy, Confidential Data Policy, Data Roles and Responsibilities Policy, Security Awareness Training Policy and System and Application Security Policy (available at https://security.uconn.edu), departments must evaluate opportunities to reduce risk to the confidentiality, integrity, and availability of information technology assets. 

Some University organizations will be required to do regular risk assessments as a regulatory or industry requirement. Organizations that typically focus on Personal Health Information or Credit Card Processing will have more formal risk assessments conducted by their leadership and reviewed by the Information Security Office on an annual basis.

ENFORCEMENT 

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code. 

Questions about this policy or suspected violations may be reported to any of the following: 

Office of University Compliance –  https://compliance.uconn.edu (860-486-2530) 

Information Technology Services Tech Support –  https://techsupport.uconn.edu (860-486-4357) 

Information Security Office – https://security.uconn.edu 


POLICY HISTORY 

Policy created:  May 16, 2012 

Revisions: August 30, 2021 [Approved by the President’s Senior Team]


Data Classification Policy

Title: Data Classification Policy
Policy Owner: Information Technology Services / Chief Information Security Officer 
Applies to: All students, faculty, staff, volunteers, and contractors  
Campus Applicability:  All Campuses except UConn Health
Effective Date: August 30, 2021
For More Information, Contact UConn Information Security Office 
Contact Information: techsupport@uconn.edu or security@uconn.edu 
Official Website: https://security.uconn.edu/

PURPOSE 

This policy defines the classifications of institutional data (i.e., the categories of data that the University is responsible for safeguarding) and the associated measures that are necessary to safeguard each classification. Institutional data commonly exists in many forms, including electronic, magnetic, optical, and traditional paper documents. Common types of electronic data include email messages, spreadsheets, word processing documents, PDF reports, and university managed databases and file storage systems. 

APPLIES TO 

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to protected or confidential information. This policy covers data that is stored, accessed, or transmitted in all formats, including electronic, magnetic, optical, paper, or other non-digital formats. 

DEFINITIONS  

Cloud: Any environment not operated by UConn. This includes cloud-based services that provide basic infrastructure including operating system and storage or services that provide a full software stack for an intended purpose or platform offering multiple services. 

Confidential Data: Institutional information protected by law, government regulations, statutes, industry regulations, contractual obligations, or specific university policies. Examples of confidential data may include Personally Identifiable Information (PII), Protected Health Information (PHI), Educational Records (FERPA), Credit Card Information (PCI-DSS). An extended list of Confidential Data can be found in Appendix A of this policy. 

Protected Data: Institutional information that must be guarded due to proprietary, ethical, privacy, or business process considerations. By default, most administrative data falls into this classification; any data that is neither confidential nor public is treated as protected data.

Public Data: Institutional information that may or must be freely available to the general public. Such information has no local, national, international, or contractual restrictions on access or usage. 

POLICY STATEMENT  

Through the normal course of business, many individuals at the University of Connecticut collect, maintain, transmit, and/or have access to personal information, financial data, and other information which is protected or confidential in nature. The protection of some types of data is governed by industry or governmental regulations. While other types of information may not be covered by specific legal requirements, it is in the University of Connecticut’s best interest to take steps to safeguard all university information reasonably and responsibly. 

Except for those classes of data expressly protected by statute, contract, or industry regulation, the data classification examples presented in this policy are guidelines. Ultimate responsibility for the classification in the university environment is determined by the Data Steward, as defined in the University’s Data Roles and Responsibilities Policy, and the Office of General Counsel for any given set of data. 

Data Protection 

The University of Connecticut has established the following requirements and guidelines in order to protect each classification of data. 

Public Data 

While there are few restrictions on public data, such data should be properly secured to prevent unauthorized modification, unintended use, or inadvertent/improper distribution. It should be understood that any information that is widely disseminated within the university community is potentially available to the public at large. 

The following guidelines are for information systems that are used to store and share the University’s public data. 

  • When practical, public data should only be shared via systems over which the University maintains full administrative control, which includes the ability to remove or modify the data in question. 
  • Information systems, such as web servers or cloud services that are used to share public data, must be properly secured to prevent the unauthorized modification of published public data. 
  • Interactive access to databases containing public data, such as online directories or library catalogs, should be properly secured using query rate limiting, CAPTCHAs, or similar technology to impede bulk downloads of entire collections.

Protected Data

Protected data requires additional levels of protection because its unauthorized disclosure, alteration, or destruction could cause damage to the University or its constituents.

In addition to the requirements outlined for public data, protected data must also meet these requirements:

  • If stored in the cloud, stored only on cloud-based information systems managed or contracted by the University.
  • Protected through the use of authenticated access in order to prevent loss, theft, or unauthorized access, disclosure or modification.
  • Printed sensitive data including reports must be stored in a secure manner (file cabinet, closed office, or department where electronic/physical access control systems are in place) when not in use.

Confidential Data

Confidential data (see Appendix A) requires the highest level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration, or destruction of the data. Certain types of information, such as health information, may have additional requirements for protection. Wherever possible, confidential information should remain in source systems and not be propagated through saved files, spreadsheets, or other file formats. Whenever storage of confidential data is required outside the source system, it should be limited to the minimum amount, and for the minimum time, required to perform the business function, or as required by law and/or State of Connecticut Data Retention requirements.

In addition to the requirements for protected data, confidential data must be:

  • Protected with strong passwords and should leverage Multi-Factor Authentication whenever such capabilities exist.
  • Stored on devices that have appropriate protection, monitoring and encryption measures in order to protect against theft, unauthorized access and unauthorized disclosure.
  • Transmitted using approved encryption methods.
  • Accessed via approved remote access services such as VPN when accessed remotely.
  • Stored on university-owned devices. Confidential data is not permitted to be stored on any personally owned devices including mobile phones, laptops, or home computers.
  • Stored, if printed material, only in a locked drawer; a locked room; an area where access is controlled by a guard, cipher lock, and/or card reader; or an area that has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other individuals not on a need-to-know basis.

The University’s Confidential Data may not be accessed, transmitted, or stored using public computers or via email.

Encryption

To maintain its confidentiality, all data shall be encrypted while in transit across communication networks or when stored. Stored data may only be encrypted using current encryption methodologies. To ensure that data is available when needed, each department or user of encrypted University data will ensure that encryption keys are adequately protected and that procedures are in place to allow data to be recovered by another authorized University employee. In employing encryption as a privacy tool, users must be aware of, and are expected to comply with, Federal Export Control Regulations.

Service Providers

Departments shall take steps to ensure that third-party service providers understand the University’s Data Classification Policy and protection of the University’s Data. No user may give a third party access to the University’s Protected or Confidential Data or to systems that store or process Protected or Confidential Data without permission from the Data Steward and a standard Confidentiality Agreement from University Procurement in place.

Disposal

Systems administrators will ensure that all data stored on electronic media is properly destroyed or wiped to current Department of Defense Data Wipe standards prior to the disposal or transfer of the equipment.

Confidential Data maintained in hard copy form will be properly disposed of when no longer required for business or legal purposes.

ENFORCEMENT

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

REFERENCES

Data Roles and Responsibilities, Policy On

POLICY HISTORY

Policy created: May 16, 2012

Revisions: August 30, 2021

Data Roles and Responsibilities Policy

Title: Data Roles and Responsibilities Policy, Information Technology
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: All students, faculty, and staff
Campus Applicability: All campuses except UConn Health
Effective Date: August 30, 2021
For More Information, Contact UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu/

PURPOSE

To define the responsibilities of individuals within the organization in protecting the University of Connecticut’s data assets.

APPLIES TO

This policy applies to all University faculty, staff, students, student employees, volunteers, and contractors who have access to or have been assigned one of the roles defined in this policy.

POLICY STATEMENT

Through the normal course of operations of the University, ever increasing amounts of data are created, processed, modified, and eventually disposed of as part of daily activities. To ensure the proper management of the various data sets, the University has defined the following roles and responsibilities to ensure data is properly protected, used, and managed throughout its lifecycle.

Data Stewards are employees of the university responsible for the overall use and proper handling of administrative, academic, public engagement, or research data. Data Stewards must classify data according to the University’s Data Classification Policy. Data Stewards ensure that appropriate steps are taken to protect data and implement policies and agreements that define appropriate use of data.

The Data Steward or their designated representatives are responsible for:

  • Ensuring the information they are responsible for is accurate
  • Authorizing the specific use of information across the organization
  • Working with other Data Stewards to resolve conflicting data issues
  • Specifying appropriate controls, based on data classification, to protect the data from unauthorized modification, deletion, or disclosure
  • Ensuring access rights are evaluated on a regular basis

Data Administrators are usually system administrators who are responsible for applying appropriate controls to data based on its classification level and required protection level. Data Administrators are also responsible for securely processing, storing, and recovering data. The Data Administrator is accountable for:

  • Implementing the appropriate controls specified by the Data Stewards
  • Removing access rights to specific data resources due to a job change or separation from the University
  • Implementing the appropriate monitoring techniques and procedures for detecting, reporting, and investigating incidents
  • Assisting Data Stewards in evaluating the overall effectiveness of controls and monitoring

Data Users are individuals who receive authorization from the Data Steward/Administrator to access, enter, or update information. Data Users must use the resource only for the purpose specified by the Data Steward, comply with controls established by the Steward, and prevent disclosure of confidential or protected information.

ENFORCEMENT

Failure to properly fulfill the roles and responsibilities articulated in this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: May 16, 2012

Revisions: August 30, 2021 [Approved by President’s Senior Team]

Acceptable Use, Information Technology

Title: Acceptable Use, Information Technology
Policy Owner: Information Technology Services/Chief Information Security Officer
Applies to: All University Information Technology Users
Campus Applicability: All campuses except UConn Health
Effective Date: August 30, 2021
For More Information, Contact UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu/

BACKGROUND

The University’s IT resources support many systems to fulfill the academic, research and administrative needs of the University’s constituents, including students, faculty, staff, and guests. These resources must be used in a responsible manner consistent with Federal and State laws and University policies.

PURPOSE

To define expectations of appropriate use and inform all users of information technology (IT) resources at UConn of their obligation to comply with all existing laws and institutional policies in their use of IT resources.

APPLIES TO

This policy applies to all constituents (students, faculty, staff, affiliates and guests) who use UConn’s information technology resources, including but not limited to wired and wireless networks, computer-based systems and services, printers/copiers, and cloud-based services.

DEFINITIONS

Access Point (AP): A networking hardware device that allows other Wireless (Wi-Fi) devices to connect to the University network.

Information Technology (IT) Resources: Include but are not limited to:

  • Systems and equipment such as computers, hard drives, printers, scanners, video and audio recorders, cameras, photocopiers and other related devices.
  • Software such as computer software, including open-source and purchased software, and all cloud-based software including infrastructure-based cloud computing and software as a service.
  • Networks such as all voice, video, and data systems, including both wired and wireless network access across the institution.

IoT (Internet of Things): Devices that communicate across a network without direct human interaction. These include but are not limited to smart assistants, lightbulbs, appliances, and televisions.

POLICY STATEMENT

The appropriate use of UConn IT Resources focuses on three primary areas: (1) the fair and equitable use of limited resources by all constituents; (2) individual responsibilities in the use of UConn IT resources; and (3) the appropriate use of IT resources in compliance with all applicable federal and state laws, university rules, regulations and policies.

Activities involving the use of UConn IT resources are not personal or private; therefore, users should have no expectation of privacy in the use of these resources. Information stored, created, sent or received via UConn systems, including cloud-based systems, may be accessible when required by law, including requests made under the Freedom of Information Act (FOIA), the Family Educational Rights and Privacy Act (FERPA), subpoena, or other legal process, statute, or regulation.

ACCEPTABLE USE

  • UConn provides IT resources to enable faculty, students, and staff to accomplish their university-related work and support the University’s mission. University equipment is to be used primarily in support of the University’s mission and may not be used to conduct commercial activities or any activity prohibited by state and federal law or University policy.
  • UConn IT Resources may not be used for the illegal download, copying, or distribution of copyright materials without the copyright owner’s permission or where not permitted by fair use standards under the TEACH Act.
  • Actions that negatively impact the ability of the University to operate or cause undue stress on IT resources are prohibited. These actions include but are not limited to interfering with the legitimate use of IT resources by others, introducing additional software or devices to any IT resource without appropriate authorization, or the mass mailing of unapproved email or other electronic communication.
  • Do not intentionally seek or provide information or access to IT resources to which one is not authorized, nor assist others in doing so. Do not attempt to subvert or circumvent University systems’ security measures nor use University IT resources to subvert or circumvent other systems’ security measures for any purpose.
  • Do not publish, post, transmit or otherwise make available content that is in violation of law or policy. The University cannot protect individuals against the existence or receipt of material that may be offensive to them. As such, those who make use of electronic communications are warned they may come across or be recipients of material they find offensive or objectionable.
  • Do not violate the privacy of other individuals. This includes viewing, monitoring, copying, altering, or destroying any file, data, transmission or communication unless you have been given explicit permission by the owner.
  • Do not forge, maliciously disguise or misrepresent your personal identity. This policy does not prohibit users from engaging in anonymous communications, providing that such communications do not otherwise violate the Acceptable Use Policy. University technology resources may not be used by employees of the University for partisan political purposes or presenting the impression the University has a particular political position except for those individuals authorized by the University as part of their formal responsibilities.

INDIVIDUAL RESPONSIBILITIES

  • Protect your data and the institution’s data.
  • Do not share your password with ANYONE or allow anyone else to use your account(s).
  • Do not use anyone else’s account.
  • Be vigilant in identifying and reporting various types of phishing attacks that seek to gain access to your information. Store confidential and/or sensitive data on appropriate University approved services only.
  • While UConn owned computers often are maintained by ITS and other University IT organizations, any personally owned devices connecting to the University network (including tablets, cell phones and IoT devices) are expected to be kept up to date with current operating system and software patches, as well as employing appropriate security measures which are automatically updated.
  • Do not utilize UConn computing resources, including personally owned computers connected to UConn’s network, for non-University related commercial activity.
  • Users who connect personally owned computers to UConn’s network that are used as servers, or who permit others to use their computers, whether directly or through user accounts, have the additional responsibility to respond to any use of their server that is in violation of the Acceptable Use Policy. IT Resource administrators and those who permit the use of the computers by others are responsible for the security and actions of others on their systems.

ENFORCEMENT

Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.

Individual or system access may be revoked at any time based on the decision of the Chief Information Security Officer or the Chief Information Officer to protect the confidentiality, integrity, and/or availability of UConn IT Resources.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Office of University Compliance – https://compliance.uconn.edu (860-486-2530)

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: 05/16/2012

Revisions: 08/24/2015; 08/30/2021 [Approved by President’s Senior Team]