APS #6005

ActiveLatest Change

IT Security Program

Brief Description

The IT Security Program serves as the core for the university's IT security and risk activities and provides requirements to users and administrators of IT resources via the noted security and risk standards.  These standards help ensure information is secured appropriately, the university information and IT resources are available, and document the best practices and control activities that help mitigate the university technology risks.  This Administrative Policy Statement encompasses all IT Security-related requirements as outlined in the noted security standards.

Reason for Policy

Defines roles, responsibilities and requirements for the users and administrators of IT resources to mitigate risk involving the confidentiality, integrity and availability of university data and IT systems.

Policy Profile

APS Policy Title: 
IT Security Program
APS Number: 
6005
Effective Date: 
October 1, 2023
Approved By: 
President Todd Saliman
Responsible University Officer: 
Chief Information Security Officer
Responsible Office: 
Office of Information Security
Policy Contact: 
security@cu.edu
Supersedes: 
IT Security Program Policy-January 7, 2010
Last Reviewed/Updated date: 
October 1, 2023
Applies to: 
Universitywide or as specifically defined by each policy section.

NOTE:  The following sections of APS 6005 will remain in effect until they have completed transition to other APS documents and associated standards (expected in early 2024): 

Those sections include:

     Section 1: IT Resource User Responsibilities
     Section 2: IT Security in Personnel Job Descriptions, Responsibilities and Training
     Section 3: IT Security in University Operations, Business Continuity Planning, and Contracting
     Section 4: IT Service Provider Security

Once that work is complete (expected in early 2024), the above sections will be removed from this policy and the related documents for APS 6005 will include the following - once they are created or reviewed and revised:

Related documents Effective Date
(TBD if blank)
Compliance Date
(TBD if blank)
APS 6001 – Providing and Using Information Technology (Active, revision planned)    
IT Security Controls Standard (updated to 800-171) 10/01/2023 10/01/2024
IT Security Responsibilities (new)    
Campus Acceptable Use Policies (links)    
APS 6002 - Electronic Communications (Active, revision planned)    
APS 6010 - Data Governance (Active, revision planned)    
Data Classification    

I. Introduction

This Administrative Policy Statement (APS) is the parent policy for the university’s Information Technology (IT) security standard suite, which defines and establishes the IT Security Program (Program). The Program serves as the core for the university’s IT security activities and provides general guidance to the users and administrators of IT resources to help mitigate the risks to university information and IT resources.

More specifically, this policy assigns responsibilities for the oversight and day-to-day management of the Program. These fundamental responsibilities are essential to ensure the Program provides timely and effective guidance to the users and administrators of IT resources in the face of almost continuous change. The effectiveness of this guidance requires that the Program be frequently reviewed and adapted to fit the evolving needs of the university and its stakeholders. .

II. Policy Statement

  1. The goals of the University IT Security ProgramIT security programA collection of policies, processes, and responsibilities that provide direction and guidance to the computing community on protecting University information. are as follows:
    1. Identify the IT security roles and responsibilities of the Chief Information Security Officer, the Information Security Officer or designated campus IT security authority, and the Cyber Risk and Compliance Committee (CRCC). 
    2. Codify standards to mitigate IT security risks related to data and IT resources used across the university.
    3. Ensure members of the university community are aware of the university requirements for managing security risks related to university information and IT resources.
  2. The following principles shall be followed in implementing the University IT Security Program:
    1. Each campus and System Administration shall adopt the Program and may create campus-specific policies, standards, and procedures to meet special campus needs if they do not conflict with the requirements in the Program.
    2. IIT security risk management decisions shall be made by appropriate authorities with jurisdiction over those areas affected by the risks.
    3. University information shall be subject to the Program regardless of the information’s physical location, the nature of the device or media upon which it is stored, or the person in possession or control of the information.
  3. Roles and Responsibilities for the University IT Security Program.
    1. The Program shall be managed and monitored collaboratively by the Chief Information Security Officer (CISO), campus Information Security Officers (ISOs), CRCC, and other university representatives as appropriate. Program management responsibilities are as follows:
      1. CISO (Chief Information Security Officer)
        1. Provides day-to-day management for the systemwide elements of the Program. Reviews and reports on Program status, at least annually to the Board of Regents, president, chancellors, IT Governance Executive Committee, and CRCC.
        2. In cooperation with the CRCC, advises the president, chancellors, and ISOs in accordance with Program goals and requirements.
        3. Oversees the development and maintenance of procedural statements and standards for IT security and advises ISOs on the alignment of campus IT security procedures with administrative standards.
        4. Oversees the development and maintenance of IT security compliance testing and reporting to help monitor effectiveness and adherence to the administrative standards for IT security.
        5. Develops and manages processes for tracking and reporting IT security risks at a systemwide level in coordination with Risk Management. Provides recommendations based on risk management activities to mitigate risk.
        6. Establishes a baseline for IT security training and awareness for all university employees, as well as IT service providers, and provides a method for tracking compliance.
        7. Provides coordination assistance via the Data Exposure Process when IT security events span multiple campus IT security programs.
        8. In coordination with campus IT security leadership, provides reporting about major IT security incidents to the president, Board of Regents, CRCC and others as appropriate.
      2. Chief Information Officer (CIO)
        1. Accountable for overall campus adherence to systemwide IT security policies, standards, and procedures.
      3. ISOs or designated senior IT security leaders
        1. Provide day-to-day campus IT security program management and oversight in alignment with university and campus policies, standards, and procedures.
        2. Collaborate with the CISO to conduct systemwide Program reviews and IT security risk management reporting.
        3. Advise Organizational Units on the evaluation and management of IT security risks and issues.
        4. Lead the preparation, approval, and maintenance of campus-specific IT security policies, standards, and procedures. Provide implementation guidance to IT service providers and department heads as appropriate.
        5. Collaborate with the CISO on the systemwide IT security awareness and training program. Additional campus IT security awareness and training requirements may be established.
        6. Develop and maintain a campus IT security incident response process and/or policy. As appropriate, coordinate with systemwide response processes.
        7. In coordination with appropriate employee and student discipline groups, address non-compliance with the Program. 
        CRCC
        1. The CRCC provides steering and guidance for the Program. The CRCC shall be composed of members as defined in the CRCC charter. The CRCC shall provide systemwide IT security oversight and guidance as defined in the charter.
      4. IT resource users
        1. IT resource users shall ensure that their actions adhere to applicable university IT security policies, standards, and procedures.
        2. To the extent that an individual establishes, manages, or oversees relationships with third parties that provide services handling university data, they must work with procurement and IT security teams to ensure third parties are required to adhere to applicable IT security policies, standards, and procedures.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

The IT Security Program serves as the core for the university's IT security activities and provides general guidance to the users and administrators of IT resources to help ensure the confidentiality of personal information, the availability of university information and IT resources, and the best practices and control activities that should be in place to help mitigate the risks of using technology associated with the university.  The related documents that support this APS include:

The following sections of APS 6005 will remain in effect until they have completed transition to other APS documents and associated standards (expected in early 2024):

     Section 1: IT Resource User Responsibilities
     Section 2: IT Security in Personnel Job Descriptions, Responsibilities and Training
     Section 3: IT Security in University Operations, Business Continuity Planning, and Contracting
     Section 4: IT Service Provider Security

Once that work is complete (expected in early 2024), the above sections will be removed from this policy and the related documents for APS6005 will include the following - once they are created or reviewed and revised and revised: 

Related documents Effective Date
(TBD if blank)
Compliance Date
(TBD if blank)
APS 6001 – Providing and Using Information Technology (Active, revision planned)    
IT Security Controls Standard (updated to 800-171) 10/01/2023 10/01/2024
IT Security Responsibilities (new)    
Campus Acceptable Use Policies (links)    
APS 6002 - Electronic Communications (Active, revision planned)    
APS 6010 - Data Governance (Active, revision planned)    
Data Classification    

IV. History

Effective October 1, 2023, this APS was revised as part of a review and refresh by the Office of Information Security to remove extraneous parts of the policy, update titles of the various governance groups and roles related to information security, and tie the revised policy to a new set of security standards based on the NIST-800-171 to establish a new format for the creation of security-related standards within the university. 

Effective March 1, 2011 the following policies were combined into the IT Security Program policy.  Individual APS history for each is listed below:

    IT Resource User Responsibilities
        - Initial Policy Effective: January 1, 2007
        - Rescinded March 1, 2011 and combined with IT Security Program.

    IT Security in Personnel Job Descriptions, Responsibilities and Training
        - Initial Policy Effective: January 1, 2007
        - Rescinded March 1, 2011 and combined with IT Security Program.

    IT Security in University Operations, Continuity and Contracting
        - Initial Policy Effective: January 1, 2007
        - Rescinded March 1, 2011 and combined with IT Security Program.

    IT Service Provider Security
        - Initial Policy Effective: September 1, 2007
        - Rescinded March 1, 2011 and combined with IT Security Program.

    IT Security Program
        - Initial Policy Effective: January 1, 2007
        - Revised January 7, 2010.
        - Revised as the parent policy and combined with above IT-security-related policies effective March 1, 2011.
        - Section 1 – IT Resource User Responsibilities was revised effective January 1, 2014.

On May 1, 2014 the title of “IT Security Principals” was replaced with the title of “Information Security Officers”.

Non-substantive clean-up – May 1, 2015. Use of the title “Chief Technology Officer (CTO)” has been terminated and references to it were removed.

The title of “IT Security Principals” was replaced with the title of “Information Security Officers” effective May 1, 2014.

The term “data owner” was replaced with the term “data trustee” effective July 1, 2018.

Section 1: IT Resource User Responsibilities
 

Brief Description:  Establishes IT security requirements for all IT resource users in protecting University information and IT resources.

Applies to:  IT Resource Users

I. Introduction

This section of the IT Security Program Policy establishes the Information Technology (IT) security safeguards that must be taken by every person using a University IT resourceIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ or otherwise accessing University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​. Additional safeguards may be appropriate, depending on the situation and its inherent risk to University information and IT resources.

This policy does not impose restrictions that are contrary to the University's established culture of sharing, openness, and trust. However, the University is committed to implementing the safeguards necessary to ensure the privacy of personal information, the availability of University information and IT resources, and the integrity of University operations.

CU has three levels of data classification.  These are: Highly Confidential, Confidential, and Public.  For more information please review the University of Colorado Process for Data Classification and System Security Categorization.

II. Policy Statement

  1. It is the responsibility of every IT resource userIT resource userIndividuals that are authorized to use University IT resources. Examples of users include: faculty, staff, students, researchers, vendors, volunteers, contractors, or sponsored affiliates of the University.​ to know the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ requirements and to conduct her/his activities accordingly. IT resource users shall comply with the following requirements:
    1. Protect the Privacy of Others. Users shall respect the privacy of others when handling Highly Confidential information and shall take appropriate precautions to protect that information from unauthorized disclosure or use.
    2. Protect Highly Confidential  or Confidential Information on Workstations and Mobile Devices.  Ordinarily, Highly Confidential information shall not be stored on workstations and mobile computing devices (laptops, flash drives, backup disks, etc.) unless specifically justified for business purposes and adequately secured. If Highly Confidential information is stored on a workstation or mobile computing device or transmitted to an external network or organization, IT resource users shall encrypt EncryptionThe process of transforming data so that it is unreadable to anyone who is not authorized (i.e. an individual or system that is in possession of a required password, key or other electronic token).or adequately protect that information from disclosure. If Confidential information is stored on a workstation or mobile computing device or transmitted to an external network or organization, IT resource users shall adequately protect that information from disclosure. In addition to encryption, adequate protections may include the use of passwords, automatic logoffs, and secure Internet transmissions.  IT Resource users are required to secure university information on personally owned and/or institutionally provided mobile devices in accordance with the Security Standards for Mobile Devices. The protection of Highly Confidential or Confidential information shall be in accordance with campus IT security requirements and other guidance as available from the appropriate IT service center or help desk
    3. Protect Highly Confidential Data from Unauthorized Physical Access. IT resource users shall keep all Highly Confidential or Confidential information out of plain sight unless in use and shall not leave such information displayed when it is not needed.
    4. Protect Workstations and Other Computing Devices. IT resource users are responsible for helping to maintain the security of workstations and other computing devices by striving to protect them from unauthorized access and malicious software infections (e.g., viruses, worms, and spyware). Users shall consult the appropriate IT service center or help desk for guidance on protecting their computing devices.
    5. Protect Passwords, Identification Cards, and Other Access Devices. Passwords, identification cards, and other access devices are used to authenticate the identity of individuals and gain access to University resources. Each person is responsible for protecting the access devices assigned to her or him and shall not share passwords or devices with others. If a password or access device is compromised, lost, or stolen, the individual shall report this to the appropriate IT service center or help desk as soon as possible so that the access device is not used by an unauthorized person.
    6. Report Security Violations, Malfunctions, and Weaknesses. IT resource users shall report security related events; known or suspected violations of IT security policy; and inappropriate, unethical, and illegal activities involving University IT resources. Users shall follow the reporting process applicable to their campus. If unsure of the local incident reporting process, users shall call the appropriate IT service center or help desk.
    7. Utilize University Information and IT Resources for Authorized Purposes Only. IT resource users shall access or otherwise utilize University information and IT resources only for those activities they are specifically authorized and in a manner consistent with University policies, federal and state laws, and other applicable requirements.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ and encompasses all related IT Security requirements, including the following policy sections:
    • IT Resource User Responsibilities
    • IT Security in Personnel Job Descriptions, Responsibilities and Training
    • IT Security in University Operations, Business Continuity Planning, and Contracting
    • IT Service Provider Security

      Regent Policy 8.A.5 states that members of the university community are expected to ensure that university property, funds, and technology are used appropriately. The administrative policy "Fiscal Code of Ethics" prohibits use of University property for personal gain.

      The "Use of Electronic Mail" Administrative Policy Statement sets forth the appropriate use of University email and expectations for privacy in email communications.​

      Security Standards for Mobile Devices

      Standards for Data classification and System security categorization
  2. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.

Section 2: IT Security in Personnel Job Descriptions, Responsibilities and Training
 

Brief Description: Establishes requirements for incorporating employee responsibilities for IT security into performance management processes, as well as ensuring employees are aware of their IT security responsibilities and are adequately trained to fulfill those responsibilities.

Applies to:  Supervisors

I. Introduction

Information technology (IT) security responsibilities are, to various degrees, part of all duties within the University. For employeesEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly.​ and job candidates it is important that the applicable IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ responsibilities are known, documented, and accepted as part of the terms and conditions of employment.

II. Policy Statement

  1. IT SecurityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business. Guidance and Support
    1. Campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​ shall, in collaboration with the Chief Information Security Officer (CISO), provide information and guidance to supervisors on implementing the requirements of this policy.
    2. Campus Information Security Officers shall establish and oversee IT security awareness and education programs for their respective campuses.
  2. Supervisor Responsibilities for IT Security
    1.  Supervisors shall ensure that all employeesEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly.​ within their areas of authority are aware of their IT security responsibilities and that these responsibilities are incorporated into employee performance management processes and addressed in recruitment and hiring practices.
    2. Supervisors shall ensure that employees provide a signed, written, or other documented acknowledgment of their IT security responsibilities as a condition of gaining access to University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​. Where feasible, acknowledgements should be provided prior to gaining access or as soon afterward as reasonably possible. Personnel supervising authorities shall track and/or maintain the records of employee acknowledgements.
    3. Supervisors, in consultation with the campus Information Security Officer, are encouraged to make recommendations on the designation of positions with significant IT security responsibilities as "security-sensitive positions."
  3. Employee Training
    1.  Supervisors shall ensure that employees are adequately trained to fulfill their IT security responsibilities. Employees with elevated computing privileges (e.g., server support technicians, user account managers, or web page administrators) may require additional, specialized training for carrying out their IT security responsibilities effectively.
    2. All University employees including associates and other individuals, who require the use of University IT resources to perform their duties, shall receive initial training and periodic refresher training relevant to their IT security responsibilities.
    3. Supervisors shall coordinate their local IT security training initiatives with the campus Information Security Officer.
  4. Changes in Employee Duties or Employment Status
    1.  Supervisors shall provide timely notification to the appropriate service center or help desk when an employee's duties or employment status changes so that access to University information and IT resources is adjusted accordingly.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ and encompasses all related IT Security requirements, including the following policy sections:
      • IT Resource User Responsibilities
      • IT Security in Personnel Job Descriptions, Responsibilities and Training
      • IT Security in University Operations, Business Continuity Planning, and Contracting
      • IT Service Provider Security

        The "Use of Electronic Mail" Administrative Policy Statement sets forth the appropriate use of University email and expectations for privacy in email communications.
  2. Procedures

    IT Security Training Standards and Core Topics
     
  3. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.​

Section 3: IT Security in University Operations, Business Continuity Planning, and Contracting
 

Brief Description:  Requires IT security safeguards to be integrated into University operations, asset management, contracting, business continuity planning, disaster preparedness, and enterprise risk management processes.

Applies to:  Organizational Unit Directors/Chairs

I. Introduction

University operations are organized into Organizational UnitsOrganizational unitA subset of University operations. An Organizational Unit may be a department or any other distinct operational activity with the following characteristics: • Organizational permanency; • Programmatic autonomy; and • An annual operating budget that is fiscally independent. Within the Finance System, these areas are represented on the ChartField tree as Orgs.​ that develop and execute strategic and tactical plans to carry out the University's mission and achieve its objectives. In doing so, these units collect, store, and process information that is essential to University operations and must be protected from unauthorized use and disclosure. To ensure that University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ is protected in a manner consistent with other strategic assets, Organizational Units must implement Information Technology (IT) security safeguards as a part of normal University operations.

II. Policy Statement

  1. IT Security Guidance and Support
    1. Campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​shall, in collaboration with the Chief Information Security Officer (CISO), provide information and guidance to Organizational UnitsOrganizational unitA subset of University operations. An Organizational Unit may be a department or any other distinct operational activity with the following characteristics: • Organizational permanency; • Programmatic autonomy; and • An annual operating budget that is fiscally independent. Within the Finance System, these areas are represented on the ChartField tree as Orgs.​ on implementing the requirements of this policy.
  2. Information Classification
    1. Campus Information Security Officers shall provide security standards based on the criticality and sensitivity of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ for their respective campuses.
    2. Organizational Unit directors / chairs or their designees shall, following guidance from the campus Information Security Officer, ensure that appropriate IT security safeguards are in place for the University information and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ under their care. The appropriateness of the safeguards shall be determined by the criticality and sensitivity of information involved, campus policies and guidance, and applicable external requirements (e.g., state and federal laws, and industry standards).
  3. Continuity of Operations
    1. Organizational Unit directors / chairs or their designees, with guidance from the campus Information Security Officer, shall ensure that business continuityBusiness continuityThe plans and processes that allow essential business functions to continue in the event of a disaster or during an interruption of utilities or services (e.g., IT services).​ and disaster preparednessDisaster preparednessThe plans and processes that allow the University to restore utilities and services (e.g., IT services) in the event of a disaster in an orderly and timely manner. Disaster preparedness is a component of business continuity that uses advanced preparation and planning to minimize the duration and impact of utility/service interruptions.​ plans include all appropriate IT security requirements and are reviewed, tested, and updated as needed to ensure the viability of such plans.
  4. IT Security Requirements in RFPs, Contracts, and Other Service Arrangements
    1. Organizational Unit directors / chairs or their designees shall, with guidance from the Procurement Service Center and the Information Security Officer, ensure that Request for Proposals (RFP), contracts, or other service arrangements include adequate safeguards so that contractors and other third parties protect University information at a level that is equal to or greater than that required of University employeesEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly.​.
    2. Organizational Unit directors / chairs or their designees, with guidance from the campus Information Security Officer, shall ensure that access to University information and IT resources by contractors and third parties follows established policies and procedures.
  5. Risk Evaluation and Handling
    1. Organizational Unit directors / chairs or their designees shall, with guidance from the campus Information Security Officer, evaluate risks related to the protection of University information and IT resources in their care. Organizational Unit directors / chairs or their designees shall forward issues of risk to campus authorities with appropriate jurisdiction over those affected by the risks.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University information University informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ and encompasses all related IT Security requirements, including the following policy sections:
    • IT Resource User Responsibilities
    • IT Security in Personnel Job Descriptions, Responsibilities and Training
    • IT Security in University Operations, Business Continuity Planning, and Contracting
    • IT Service Provider Security

      Regent Policy 8.A.5 states that members of the university community are expected to ensure that university property, funds, and technology are used appropriately.
  2. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.​

Section 4: IT Service Provider Security
 

Brief Description:  Requires that IT service providers (e.g., server and workstation support, programmers, webmasters, user account administrators) incorporate IT security safeguards into the IT services and products provided to the University community.

Applies to:  IT Service Providers

I. Introduction

This section of the IT Security Program Policy sets forth the Information Technology (IT) security safeguards that must be taken by every IT service providerIT service providerAny person that designs, builds, implements, supports, or provides an IT service to other University employees, students, or affiliates, using a University IT resource. Examples of IT service providers include: website administrators, workstation support staff, server administrators, software programmers, application developers, data network technicians, user account administrators, and computer center personnel.​. These safeguards are necessary to protect University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ from inappropriate access, disclosure and misuse; provide assurances that information resources are available as needed for University business; and comply with applicable policies, laws, regulations, rules, grants, and contracts.  Campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​ may require additional safeguards so as to address campus specific risks or compliance requirements.

II. Policy Statement

  1. IT Security Oversight and Guidance

    Campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​ in collaboration with the Chief Information Security Officer (CISO) shall provide guidance and information as needed to IT service providersIT service providerAny person that designs, builds, implements, supports, or provides an IT service to other University employees, students, or affiliates, using a University IT resource. Examples of IT service providers include: website administrators, workstation support staff, server administrators, software programmers, application developers, data network technicians, user account administrators, and computer center personnel.​ on implementing the requirements of this policy. IT service providers shall be aware that purchases of IT goods and services may be subject to a security review by the campus Information Security Officer or a designated campus authority.

    Organizational Unit Organizational unitA subset of University operations. An Organizational Unit may be a department or any other distinct operational activity with the following characteristics: • Organizational permanency; • Programmatic autonomy; and • An annual operating budget that is fiscally independent. Within the Finance System, these areas are represented on the ChartField tree as Orgs.directors / chairs shall be aware of their responsibilities, as described by IT Security in University Operations, Continuity, and Contracting, to ensure that adequate safeguards are implemented for the IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ under their control.
  2. Life Cycle Management

    Campus IT service providers shall ensure that IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ controls are appropriately implemented and managed throughout the life of the IT resources under their responsibility. This is to ensure that security is addressed in the design and purchase of new systems, implementation of new or modified systems, maintenance of existing systems, and removal from service of end-of-life systems.
  3. IT Resource Security Management

    Providing an IT service is a complex undertaking that requires continuous monitoring, maintenance, and system management to ensure that University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ is adequately protected as it is processed, stored, and transmitted. Therefore, IT service providers shall implement the following controls where appropriate for the IT resources under their responsibility:
    1. System and application security management. IT resources shall be maintained according to industry and vendor best practices to ensure that system and application updates, vulnerability fixes, security patches, and other modifications are applied in a timely fashion. Where applicable these practices shall include vulnerability management, system/application hardening, and security testing.
    2. Malicious activity protection. IT resources that transmit or receive information on a University-managed network shall be adequately protected from malicious activities, such as viruses, worms, and denial of service attacks.
    3. Data backup and recovery. University information shall be backed up and retained as appropriate for business needs, retention schedules, and legal requirements as provided by law or related university policy. Data backups shall be tested where appropriate to ensure the effective recovery of information.
    4. Media handling and storage. Electronic storage media (e.g., CD-ROMs, memory sticks, disk drives, tapes, cartridges, etc.) shall be appropriately protected from loss and unauthorized access. All media containing Highly Confidential and Confidential information shall be stored in a secure location and adequately protected with a safeguard that restricts access to authorized personnel only. In addition, Highly Confidential information stored on portable electronic media shall be encrypted or otherwise adequately protected based on security standards and guidance from the campus Information Security Officers.
    5. Disposal of electronic equipment and media. Computing and network equipment and storage media shall be purged of all University information so that information is not recoverable, or destroyed before disposal or release from University control to a third party. In the rare event the information is not purged prior to release or the device destroyed prior to disposal, the IT service provider shall acquire confirmation from the contracted third party that the information is properly purged. For equipment and media that is to be redeployed within the University, the IT service provider shall purge all information not authorized for access by the receiving person(s) prior to redeployment.
  4. Access Management

    Although studentsStudentAny individual who applies to, is accepted for admission, and enrolls for a course at the University of Colorado. This does not include an individual who has never attended or never enrolled at the institution.​, faculty, and staff require access to University information resources for academic and business purposes, this access must be limited to what is needed for his/her work. Use of resources beyond that which is authorized results in unnecessary risks to University information with no corresponding academic or business value.
    1. User access management. IT service providers shall manage user access to the IT resources under their responsibility, so that such access is appropriately authorized, documented, and limited to that which is needed to perform authorized tasks. Because a user's responsibilities and relationships with the University change over time, IT service providers shall ensure that user access privileges are regularly reviewed and adjusted to comply with currently authorized activities.
    2. IT resource access controls. IT service providers shall ensure that IT resources under their responsibility (developed, purchased or otherwise used to handle University information) have adequate features and controls to support the proper management of user access as described in section II.D.1.
    3. Network security controls. IT service providers shall ensure that electronic access to and use of the campus data networks under their responsibility is adequately controlled to protect data network equipment and other networked IT resources.
  5. Physical and Environmental Security

    University data centers and IT resources shall be sufficiently protected from physical and environmental threats to prevent the loss, damage, or compromise of assets, and interruption to business activities.
    1. Data centers. Data center owners, managers, or their designees shall, following guidance from the campus Information Security Officer, ensure that data center facilities under their responsibility have adequate physical security safeguards. These safeguards may include: physical barriers (e.g., walls, gates, locked doors), access controls (e.g., identification cards, visitor escorts and logs, facility/equipment repair records), environmental controls and protections (e.g., uninterruptible power supplies, generators, temperature and humidity systems, fire suppression units).
    2. IT resources. IT service providers shall ensure that all IT resources under their responsibility have adequate physical security safeguards. While the value of these IT resources may not rise to that found in a data center, the physical protections normally afforded to IT resources within a data center should be employed where reasonable and appropriate.
  6. Incident Detection and Reporting

    IT service providers shall monitor for and report security breaches or other significant security events involving the IT resources under their control, following guidance from the campus Information Security Officer.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ and encompasses all related IT Security requirements, including the following policy sections:
    • IT Resource User Responsibilities
    • IT Security in Personnel Job Descriptions, Responsibilities and Training
    • IT Security in University Operations, Business Continuity Planning, and Contracting
    • IT Service Provider Security

      Regent Policy 8.A.5 states that members of the university community are expected to ensure that university property, funds, and technology are used appropriately.
  2. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.​