APS #6005

ActiveUnder Review Revision

IT Security Program

Brief Description

The IT Security Program serves as the core for the University's IT security activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University information and IT resources.  This Administrative Policy Statement encompasses all IT Security-related requirements as outlined in the policy sections.

Reason for Policy

Establishes the required roles, responsibilities, and functions for the effective management of the University’s IT Security Program and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University information and IT resources.

Policy Profile

APS Policy Title: 
IT Security Program
APS Number: 
6005
Proposed Effective Date: 
October 1, 2023
Effective Date: 
January 1, 2014
Approved By: 
President Bruce D. Benson
Responsible University Officer: 
Vice President, Employee and Information Services
Responsible Office: 
Office of Information Security
Policy Contact: 
security@cu.edu
Supersedes: 
IT Security Program Policy-January 7, 2010; IT Resource User Responsibilities; IT Security in Personnel Job Descriptions, Responsibilities and Training; IT Security in University Operations, Business Continuity Planning, and Contracting; and IT Service Provider Security.
Last Reviewed/Updated date: 
January 1, 2014
Applies to: 
University wide or as specifically defined by each policy section.

Section Effective Dates

IT Security Policy Sections Effective Date Last Reviewed Applies To  
Section 1 – IT Resource User Responsibilities 1/1/2014 1/1/2014 IT Resource Users  
Section 2 - IT Security in Personnel Job Descriptions, Responsibilities and Training 3/1/2011 3/1/2011 Supervisors  
Section 3 - IT Security in University Operations, Business Continuity Planning, and Contracting 3/1/2011 3/1/2011 Organizational Unit Directors/Chairs  
Section 4 - IT Service Provider Security 3/1/2011 3/1/2011 IT Service Providers  

I. Introduction

This Administrative Policy Statement is the parent policy for the University's Information Technology (IT) security policy suite, which defines and establishes the IT Security ProgramIT security programA collection of policies, processes, and responsibilities that provide direction and guidance to the computing community on protecting University information.​ (Program). The Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​.

More specifically, this policy assigns responsibilities for the oversight and day-to-day management of the Program. These fundamental responsibilities are essential to ensuring that the Program provides timely and effective guidance to the University computing community in the face of almost continuous change. The effectiveness of this guidance requires that the Program be frequently reviewed and molded to fit the evolving needs of the University and its stakeholders.  This policy also includes the following IT-security related sections:                   

Section

Title

Applies To

1

IT Resource User Responsibilities1 2

IT Resource Users

2

IT Security in Personnel Job Descriptions, Responsibilities and Training

Supervisors

3

IT Security in University Operations, Business Continuity Planning, and Contracting

Organizational Unit Directors/Chairs

4

IT Service Provider Security

IT Service Providers

II. Policy Statement

  1. The goals of the University IT Security ProgramIT security programA collection of policies, processes, and responsibilities that provide direction and guidance to the computing community on protecting University information. are as follows:
    1. All members of the University community are aware of and are sufficiently trained to carry out their responsibilities for protecting University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​.
    2. University information is regarded as a strategic organizational asset and is treated in a manner consistent with that of other strategic assets, such as financial and facility assets.
    3. IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ is not considered a technical concern, but is addressed as a strategic business issue by integrating IT security safeguards into University business processes.
    4. University resources are applied judiciously to IT security issues by focusing on those that represent the greatest risk to University operations and information.
    5. IT security incidents are promptly detected and responded to in a manner that limits the impact to the security of University information and the operations of the University.
  2. The following principles shall be followed in implementing the University IT Security Program:
    1. Each campus shall adopt all applicable elements of the Program and may make modifications to specific Program elements to meet special campus needs as long as the modifications are as stringent as and meet the intended functionality of the applicable Program elements.
    2. Risk managementRisk managementThe process of evaluating and responding to risks to University information for the purpose of reducing those risks to acceptable levels. Risk management is inclusive of the risk assessment process, and uses the results of risk assessments to make decisions on the acceptance of risk or on taking action to reduce risk.​ methods shall be used to identify and manage risks to University information and IT resources. Risk management decisions shall be made by appropriate authorities with jurisdiction over those areas affected by the risks.
    3. University information shall be adequately protected regardless of the information's physical location, the nature of the device or media upon which it is stored, or the persons in possession or control of the information.
  3. Roles and Responsibilities for the University IT Security Program.
    1. The Program shall be managed and monitored collaboratively by the Chief Information Security Officer (CISO), campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​, Security Advisory Committee (SAC), and other University representatives as appropriate. Program management responsibilities are as follows:
      1. CISO (Chief Information Security Officer)
        1. Provide day-to-day management for the Program. Review and report on Program effectiveness to the President, Chancellors, and SAC as appropriate.
        2. In cooperation with the SAC, provide security advice to the President, Chancellors, and campus Information Security Officers in accordance with Program goals and requirements.
        3. Oversee the development and maintenance of Administrative Policy Statements for IT security and advise campus Information Security Officers on the alignment of campus IT security policies with Administrative Policy Statements.
        4. Provide guidance to campus Information Security Officers on risk management processes to ensure that IT security safeguards are applied in a judicious and effective manner. Submit reports to the SAC on risk management decisions as appropriate.
        5. Establish training standards for campus IT security awareness and education programs.
        6. When IT security incidents affect multiple campuses, lead investigations and coordinate with and/or report to the President, Chancellors, , Legal, SAC, and others as appropriate.
      2. Chief Information Officer (CIO)
        1. The CIO is an individual designated by the Chancellor on each campus with oversight authority for all IT operations on that campus. These individuals have the authority to enforce the requirements of University and campus policies for information security.
        2. Authorize new IT operations, shut down IT operations that are out of compliance with policy, or transfer management of those operations to a department or service provider with the requisite capabilities.I
      3. Information Security Principals
        Campus Information Security Officers serve in a variety of technical and non-technical roles for a specific University campus.  The Information Security Officers shall:
        1. Provide day-to-day Program management for their campus, advise Organizational UnitsOrganizational unitA subset of University operations. An Organizational Unit may be a department or any other distinct operational activity with the following characteristics: • Organizational permanency; • Programmatic autonomy; and • An annual operating budget that is fiscally independent. Within the Finance System, these areas are represented on the ChartField tree as Orgs.​ on IT security issues, and assist the CISO with Program reviews and reporting.
        2. Assist Organizational Units with evaluating risks to University information and the CISO with risk management reporting.
        3. Assist with the preparation, approval, and maintenance of campus-specific IT security policies, procedures, and guidelines as appropriate.
        4. Provide guidance on implementation of unit-specific IT security policies, procedures, and guidelines as appropriate.
        5. Establish and manage an IT security awareness and education program for campus IT resource usersIT resource userIndividuals that are authorized to use University IT resources. Examples of users include: faculty, staff, students, researchers, vendors, volunteers, contractors, or sponsored affiliates of the University.​ and provide guidance to Organizational Units on supplementing program events with unit-specific training.
        6. When IT security incidents affect a single campus, lead investigations, coordinate with and issue timely reports to the Chancellor or designee, affected campus units, CISO, Legal, and others as appropriate.
      4. SAC (Security Advisory Committee)
        The SAC provides oversight of and support for the IT Security Program and is composed of members representing a cross section of the University community. SAC members are appointed by the President or designee.
        1. Advise, inform, and coordinate with the CISO as appropriate to promote and support the Program and to ensure that Program requirements reflect and support the functional requirements, external requirements, and the mission of the University.
        2. Advise the President and the CISO as appropriate to ensure that University-wide IT security policies, procedures, and guidelines reflect and support the functional requirements, external requirements, and the mission of the University.
        3. In collaboration with the CISO advise the University President and Chancellors on risk management decisions and Program direction to ensure alignment with University objectives.
    2. Although campus Information Security Officers provide day-to-day management of the Program and general advice on IT security issues, the following campus support responsibilities are required:
      1. Organizational Unit (typically a department with an independent budget represented in the Finance System) directors and chairs or their designees are responsible for ensuring that all applicable Program and IT security policy requirements are implemented in their respective units. While Organizational Unit directors and chairs may delegate these responsibilities, they may only be delegated to a single person in an Organizational Unit who has budget authority for the entire unit. Organizational Unit directors and chairs or their designees shall report any security weaknesses, concerns, or breaches to the campus Information Security Officer. The campus Information Security Officer will work with the appropriate campus Officer and CIO to determine if the risk caused by a security weakness may be accepted.
      2. IT service providersIT service providerAny person that designs, builds, implements, supports, or provides an IT service to other University employees, students, or affiliates, using a University IT resource. Examples of IT service providers include: website administrators, workstation support staff, server administrators, software programmers, application developers, data network technicians, user account administrators, and computer center personnel.​ (e.g., webmasters, network engineers, server administrators, application developers, desktop support staff, or database administrators) shall implement all applicable Program and IT security policy requirements within their areas of responsibility. IT service providers shall evaluate the effectiveness of IT security safeguards in their areas of responsibility and report any security weaknesses, concerns, or breaches to the campus Information Security Officer.
      3. Data trusteeData trusteeA party or entity identified with and widely recognized to have primary authority and decision responsibility over a particular collection of university data. The Council of Data Trustees list is included on this page.​ is a party or entity identified with and widely recognized to have primary authority and decision responsibility over a particular collection of university data. Data trustees are accountable for managing, protecting, and ensuring the integrity and usefulness of university data. Data trustees have the primary responsibility to ensure the university is following its policies and is in compliance with federal and state laws and regulations. Data trustees typically are associated with the business functions of an organization rather than technology functions.
      4. Data CustodianData custodianAny party charged with managing a data collection for a data trustee.​ is any party charged with managing a data collection for a data trustee. Custodians typically have control over a data asset's disposition, whether stored (at rest), in transit, or during creation. Custodians will often have modification or distribution privileges. Data custodians carry a significant responsibility to protect data and prevent unauthorized use. Data custodians are often data providers to data users. Data trustees or data stewards may also exercise custodial roles and responsibilities. Data custodians typically are associated with IT units within the university, either central IT organizations or IT offices within academic and administrative units.
      5. Data StewardData stewardA party or entity possessing delegated authority to act on a data trustee's behalf.​ is a party or entity possessing delegated authority to act on a data trustee's behalf. Data Stewards will often have data custodial responsibilities, but are distinguished from custodians by delegated decision-making authority regarding the data. Data stewards may represent data trustees in policy discussions, architectural discussions, or in decision-making forums. Data Stewards actively participate in processes that establish business-context and quality definition for data elements. Data Stewards are more likely to be associated with business functions than IT functions.
      6. Data UserData userAny person or party that utilizes university data to perform his or her job responsibilities.​ is any person or party that utilizes university data to perform his or her job responsibilities. To the degree that a data user creates university data and/or controls the disposition of university data, he or she has responsibility for the custodial care of that data. Data users share responsibility in helping data stewards and custodians manage and protect data by understanding and following the IT and information security policies of the university related to data use.
  4. Any exceptions to this policy must be approved by the University CISO.

III. Definitions

APS Glossary of Terms

  1. Business Continuity
  2. Disaster Preparedness
  3. Employees
  4. Encryption
  5. IT Resource
  6. IT Resource User
  7. IT Security
  8. Information Security Officer
  9. IT Security Program
  10. IT Service Provider
  11. Organizational Unit
  12. President
  13. Highly Confidential Information
  14. Confidential Information
  15. Risk Management
  16. Student
  17. University Information

IV. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resources IT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.and encompasses all related IT Security requirements, including the following policy sections:
      • IT Resource User Responsibilities
      • IT Security in Personnel Job Descriptions, Responsibilities and Training
      • IT Security in University Operations, Business Continuity Planning, and Contracting
      • IT Service Provider Security
  2. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.

History

    • Effective March 1, 2011 the following policies were combined into the IT Security Program policy.  Individual APS history for each is listed below:
      • IT Resource User Responsibilities
        • Initial Policy Effective: January 1, 2007
        • Rescinded March 1, 2011 and combined with IT Security Program.
      • IT Security in Personnel Job Descriptions, Responsibilities and Training
        • Initial Policy Effective: January 1, 2007
        • Rescinded March 1, 2011 and combined with IT Security Program.
      • IT Security in University Operations, Continuity and Contracting
        • Initial Policy Effective: January 1, 2007
        • Rescinded March 1, 2011 and combined with IT Security Program.
      • IT Service Provider Security
        • Initial Policy Effective: September 1, 2007
        • Rescinded March 1, 2011 and combined with IT Security Program.
      • IT Security Program
        • Initial Policy Effective: January 1, 2007
        • Revised January 7, 2010.
        • Revised as the parent policy and combined with above IT-security-related policies effective March 1, 2011.
        • Section 1 – IT Resource User Responsibilities was revised effective January 1, 2014.
    • On May 1, 2014 the title of “IT Security Principals” was replaced with the title of “Information Security Officers”.
    • Non-substantive clean-up – May 1, 2015.  Use of the title “Chief Technology Officer (CTO)” has been terminated and references to it were removed.
    • The title of “IT Security Principals” was replaced with the title of “Information Security Officers” effective May 1, 2014.
    • The term “data owner” was replaced with the term “data trustee” effective July 1, 2018.

Section 1: IT Resource User Responsibilities
 

Brief Description:  Establishes IT security requirements for all IT resource users in protecting University information and IT resources.

Applies to:  IT Resource Users

I. Introduction

This section of the IT Security Program Policy establishes the Information Technology (IT) security safeguards that must be taken by every person using a University IT resourceIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ or otherwise accessing University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​. Additional safeguards may be appropriate, depending on the situation and its inherent risk to University information and IT resources.

This policy does not impose restrictions that are contrary to the University's established culture of sharing, openness, and trust. However, the University is committed to implementing the safeguards necessary to ensure the privacy of personal information, the availability of University information and IT resources, and the integrity of University operations.

CU has three levels of data classification.  These are: Highly Confidential, Confidential, and Public.  For more information please review the University of Colorado Process for Data Classification and System Security Categorization.

II. Policy Statement

  1. It is the responsibility of every IT resource userIT resource userIndividuals that are authorized to use University IT resources. Examples of users include: faculty, staff, students, researchers, vendors, volunteers, contractors, or sponsored affiliates of the University.​ to know the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ requirements and to conduct her/his activities accordingly. IT resource users shall comply with the following requirements:
    1. Protect the Privacy of Others. Users shall respect the privacy of others when handling Highly Confidential information and shall take appropriate precautions to protect that information from unauthorized disclosure or use.
    2. Protect Highly Confidential  or Confidential Information on Workstations and Mobile Devices.  Ordinarily, Highly Confidential information shall not be stored on workstations and mobile computing devices (laptops, flash drives, backup disks, etc.) unless specifically justified for business purposes and adequately secured. If Highly Confidential information is stored on a workstation or mobile computing device or transmitted to an external network or organization, IT resource users shall encrypt EncryptionThe process of transforming data so that it is unreadable to anyone who is not authorized (i.e. an individual or system that is in possession of a required password, key or other electronic token).or adequately protect that information from disclosure. If Confidential information is stored on a workstation or mobile computing device or transmitted to an external network or organization, IT resource users shall adequately protect that information from disclosure. In addition to encryption, adequate protections may include the use of passwords, automatic logoffs, and secure Internet transmissions.  IT Resource users are required to secure university information on personally owned and/or institutionally provided mobile devices in accordance with the mobile device security standards. The protection of Highly Confidential or Confidential information shall be in accordance with campus IT security requirements and other guidance as available from the appropriate IT service center or help desk
    3. Protect Highly Confidential Data from Unauthorized Physical Access. IT resource users shall keep all Highly Confidential or Confidential information out of plain sight unless in use and shall not leave such information displayed when it is not needed.
    4. Protect Workstations and Other Computing Devices. IT resource users are responsible for helping to maintain the security of workstations and other computing devices by striving to protect them from unauthorized access and malicious software infections (e.g., viruses, worms, and spyware). Users shall consult the appropriate IT service center or help desk for guidance on protecting their computing devices.
    5. Protect Passwords, Identification Cards, and Other Access Devices. Passwords, identification cards, and other access devices are used to authenticate the identity of individuals and gain access to University resources. Each person is responsible for protecting the access devices assigned to her or him and shall not share passwords or devices with others. If a password or access device is compromised, lost, or stolen, the individual shall report this to the appropriate IT service center or help desk as soon as possible so that the access device is not used by an unauthorized person.
    6. Report Security Violations, Malfunctions, and Weaknesses. IT resource users shall report security related events; known or suspected violations of IT security policy; and inappropriate, unethical, and illegal activities involving University IT resources. Users shall follow the reporting process applicable to their campus. If unsure of the local incident reporting process, users shall call the appropriate IT service center or help desk.
    7. Utilize University Information and IT Resources for Authorized Purposes Only. IT resource users shall access or otherwise utilize University information and IT resources only for those activities they are specifically authorized and in a manner consistent with University policies, federal and state laws, and other applicable requirements.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ and encompasses all related IT Security requirements, including the following policy sections:
    • IT Resource User Responsibilities
    • IT Security in Personnel Job Descriptions, Responsibilities and Training
    • IT Security in University Operations, Business Continuity Planning, and Contracting
    • IT Service Provider Security

      The Laws of the Regents, section 14.A.4 states that employees shall be responsible for the safekeeping and proper maintenance of university property in their charge. The administrative policy "Fiscal Code of Ethics" prohibits use of University property for personal gain.

      The "Use of Electronic Mail" Administrative Policy Statement sets forth the appropriate use of University email and expectations for privacy in email communications.​

      System-wide Mobile Device Security Standards

      Standards for Data classification and System security categorization
       
  2. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.

Section 2: IT Security in Personnel Job Descriptions, Responsibilities and Training
 

Brief Description: Establishes requirements for incorporating employee responsibilities for IT security into performance management processes, as well as ensuring employees are aware of their IT security responsibilities and are adequately trained to fulfill those responsibilities.

Applies to:  Supervisors

I. Introduction

Information technology (IT) security responsibilities are, to various degrees, part of all duties within the University. For employeesEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly.​ and job candidates it is important that the applicable IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ responsibilities are known, documented, and accepted as part of the terms and conditions of employment.

II. Policy Statement

  1. IT SecurityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business. Guidance and Support
    1. Campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​ shall, in collaboration with the Chief Information Security Officer (CISO), provide information and guidance to supervisors on implementing the requirements of this policy.
    2. Campus Information Security Officers shall establish and oversee IT security awareness and education programs for their respective campuses.
  2. Supervisor Responsibilities for IT Security
    1.  Supervisors shall ensure that all employeesEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly.​ within their areas of authority are aware of their IT security responsibilities and that these responsibilities are incorporated into employee performance management processes and addressed in recruitment and hiring practices.
    2. Supervisors shall ensure that employees provide a signed, written, or other documented acknowledgment of their IT security responsibilities as a condition of gaining access to University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​. Where feasible, acknowledgements should be provided prior to gaining access or as soon afterward as reasonably possible. Personnel supervising authorities shall track and/or maintain the records of employee acknowledgements.
    3. Supervisors, in consultation with the campus Information Security Officer, are encouraged to make recommendations on the designation of positions with significant IT security responsibilities as "security-sensitive positions."
  3. Employee Training
    1.  Supervisors shall ensure that employees are adequately trained to fulfill their IT security responsibilities. Employees with elevated computing privileges (e.g., server support technicians, user account managers, or web page administrators) may require additional, specialized training for carrying out their IT security responsibilities effectively.
    2. All University employees including associates and other individuals, who require the use of University IT resources to perform their duties, shall receive initial training and periodic refresher training relevant to their IT security responsibilities.
    3. Supervisors shall coordinate their local IT security training initiatives with the campus Information Security Officer.
  4. Changes in Employee Duties or Employment Status
    1.  Supervisors shall provide timely notification to the appropriate service center or help desk when an employee's duties or employment status changes so that access to University information and IT resources is adjusted accordingly.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ and encompasses all related IT Security requirements, including the following policy sections:
      • IT Resource User Responsibilities
      • IT Security in Personnel Job Descriptions, Responsibilities and Training
      • IT Security in University Operations, Business Continuity Planning, and Contracting
      • IT Service Provider Security

        The "Use of Electronic Mail" Administrative Policy Statement sets forth the appropriate use of University email and expectations for privacy in email communications.
  2. Procedures

    IT Security Training Standards and Core Topics
     
  3. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.​

Section 3: IT Security in University Operations, Business Continuity Planning, and Contracting
 

Brief Description:  Requires IT security safeguards to be integrated into University operations, asset management, contracting, business continuity planning, disaster preparedness, and enterprise risk management processes.

Applies to:  Organizational Unit Directors/Chairs

I. Introduction

University operations are organized into Organizational UnitsOrganizational unitA subset of University operations. An Organizational Unit may be a department or any other distinct operational activity with the following characteristics: • Organizational permanency; • Programmatic autonomy; and • An annual operating budget that is fiscally independent. Within the Finance System, these areas are represented on the ChartField tree as Orgs.​ that develop and execute strategic and tactical plans to carry out the University's mission and achieve its objectives. In doing so, these units collect, store, and process information that is essential to University operations and must be protected from unauthorized use and disclosure. To ensure that University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ is protected in a manner consistent with other strategic assets, Organizational Units must implement Information Technology (IT) security safeguards as a part of normal University operations.

II. Policy Statement

  1. IT Security Guidance and Support
    1. Campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​shall, in collaboration with the Chief Information Security Officer (CISO), provide information and guidance to Organizational UnitsOrganizational unitA subset of University operations. An Organizational Unit may be a department or any other distinct operational activity with the following characteristics: • Organizational permanency; • Programmatic autonomy; and • An annual operating budget that is fiscally independent. Within the Finance System, these areas are represented on the ChartField tree as Orgs.​ on implementing the requirements of this policy.
  2. Information Classification
    1. Campus Information Security Officers shall provide security standards based on the criticality and sensitivity of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ for their respective campuses.
    2. Organizational Unit directors / chairs or their designees shall, following guidance from the campus Information Security Officer, ensure that appropriate IT security safeguards are in place for the University information and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ under their care. The appropriateness of the safeguards shall be determined by the criticality and sensitivity of information involved, campus policies and guidance, and applicable external requirements (e.g., state and federal laws, and industry standards).
  3. Continuity of Operations
    1. Organizational Unit directors / chairs or their designees, with guidance from the campus Information Security Officer, shall ensure that business continuityBusiness continuityThe plans and processes that allow essential business functions to continue in the event of a disaster or during an interruption of utilities or services (e.g., IT services).​ and disaster preparednessDisaster preparednessThe plans and processes that allow the University to restore utilities and services (e.g., IT services) in the event of a disaster in an orderly and timely manner. Disaster preparedness is a component of business continuity that uses advanced preparation and planning to minimize the duration and impact of utility/service interruptions.​ plans include all appropriate IT security requirements and are reviewed, tested, and updated as needed to ensure the viability of such plans.
  4. IT Security Requirements in RFPs, Contracts, and Other Service Arrangements
    1. Organizational Unit directors / chairs or their designees shall, with guidance from the Procurement Service Center and the Information Security Officer, ensure that Request for Proposals (RFP), contracts, or other service arrangements include adequate safeguards so that contractors and other third parties protect University information at a level that is equal to or greater than that required of University employeesEmployeesAn individual who currently holds a University employment appointment, whether full-time, part-time, temporary, seasonal or hourly.​.
    2. Organizational Unit directors / chairs or their designees, with guidance from the campus Information Security Officer, shall ensure that access to University information and IT resources by contractors and third parties follows established policies and procedures.
  5. Risk Evaluation and Handling
    1. Organizational Unit directors / chairs or their designees shall, with guidance from the campus Information Security Officer, evaluate risks related to the protection of University information and IT resources in their care. Organizational Unit directors / chairs or their designees shall forward issues of risk to campus authorities with appropriate jurisdiction over those affected by the risks.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University information University informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ and encompasses all related IT Security requirements, including the following policy sections:
    • IT Resource User Responsibilities
    • IT Security in Personnel Job Descriptions, Responsibilities and Training
    • IT Security in University Operations, Business Continuity Planning, and Contracting
    • IT Service Provider Security

      The Laws of the Regents, section 14.A.4 states that employees shall be responsible for the safekeeping and proper maintenance of university property in their charge.
  2. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.​

Section 4: IT Service Provider Security
 

Brief Description:  Requires that IT service providers (e.g., server and workstation support, programmers, webmasters, user account administrators) incorporate IT security safeguards into the IT services and products provided to the University community.

Applies to:  IT Service Providers

I. Introduction

This section of the IT Security Program Policy sets forth the Information Technology (IT) security safeguards that must be taken by every IT service providerIT service providerAny person that designs, builds, implements, supports, or provides an IT service to other University employees, students, or affiliates, using a University IT resource. Examples of IT service providers include: website administrators, workstation support staff, server administrators, software programmers, application developers, data network technicians, user account administrators, and computer center personnel.​. These safeguards are necessary to protect University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ from inappropriate access, disclosure and misuse; provide assurances that information resources are available as needed for University business; and comply with applicable policies, laws, regulations, rules, grants, and contracts.  Campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​ may require additional safeguards so as to address campus specific risks or compliance requirements.

II. Policy Statement

  1. IT Security Oversight and Guidance

    Campus Information Security OfficersInformation security officerThe person who performs day-to-day management of and is the point of contact for the IT Security Program at the campus level.​ in collaboration with the Chief Information Security Officer (CISO) shall provide guidance and information as needed to IT service providersIT service providerAny person that designs, builds, implements, supports, or provides an IT service to other University employees, students, or affiliates, using a University IT resource. Examples of IT service providers include: website administrators, workstation support staff, server administrators, software programmers, application developers, data network technicians, user account administrators, and computer center personnel.​ on implementing the requirements of this policy. IT service providers shall be aware that purchases of IT goods and services may be subject to a security review by the campus Information Security Officer or a designated campus authority.

    Organizational Unit Organizational unitA subset of University operations. An Organizational Unit may be a department or any other distinct operational activity with the following characteristics: • Organizational permanency; • Programmatic autonomy; and • An annual operating budget that is fiscally independent. Within the Finance System, these areas are represented on the ChartField tree as Orgs.directors / chairs shall be aware of their responsibilities, as described by IT Security in University Operations, Continuity, and Contracting, to ensure that adequate safeguards are implemented for the IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ under their control.
  2. Life Cycle Management

    Campus IT service providers shall ensure that IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ controls are appropriately implemented and managed throughout the life of the IT resources under their responsibility. This is to ensure that security is addressed in the design and purchase of new systems, implementation of new or modified systems, maintenance of existing systems, and removal from service of end-of-life systems.
  3. IT Resource Security Management

    Providing an IT service is a complex undertaking that requires continuous monitoring, maintenance, and system management to ensure that University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ is adequately protected as it is processed, stored, and transmitted. Therefore, IT service providers shall implement the following controls where appropriate for the IT resources under their responsibility:
    1. System and application security management. IT resources shall be maintained according to industry and vendor best practices to ensure that system and application updates, vulnerability fixes, security patches, and other modifications are applied in a timely fashion. Where applicable these practices shall include vulnerability management, system/application hardening, and security testing.
    2. Malicious activity protection. IT resources that transmit or receive information on a University-managed network shall be adequately protected from malicious activities, such as viruses, worms, and denial of service attacks.
    3. Data backup and recovery. University information shall be backed up and retained as appropriate for business needs, retention schedules, and legal requirements as provided by law or related university policy. Data backups shall be tested where appropriate to ensure the effective recovery of information.
    4. Media handling and storage. Electronic storage media (e.g., CD-ROMs, memory sticks, disk drives, tapes, cartridges, etc.) shall be appropriately protected from loss and unauthorized access. All media containing Highly Confidential and Confidential information shall be stored in a secure location and adequately protected with a safeguard that restricts access to authorized personnel only. In addition, Highly Confidential information stored on portable electronic media shall be encrypted or otherwise adequately protected based on security standards and guidance from the campus Information Security Officers.
    5. Disposal of electronic equipment and media. Computing and network equipment and storage media shall be purged of all University information so that information is not recoverable, or destroyed before disposal or release from University control to a third party. In the rare event the information is not purged prior to release or the device destroyed prior to disposal, the IT service provider shall acquire confirmation from the contracted third party that the information is properly purged. For equipment and media that is to be redeployed within the University, the IT service provider shall purge all information not authorized for access by the receiving person(s) prior to redeployment.
  4. Access Management

    Although studentsStudentAny individual who applies to, is accepted for admission, and enrolls for a course at the University of Colorado. This does not include an individual who has never attended or never enrolled at the institution.​, faculty, and staff require access to University information resources for academic and business purposes, this access must be limited to what is needed for his/her work. Use of resources beyond that which is authorized results in unnecessary risks to University information with no corresponding academic or business value.
    1. User access management. IT service providers shall manage user access to the IT resources under their responsibility, so that such access is appropriately authorized, documented, and limited to that which is needed to perform authorized tasks. Because a user's responsibilities and relationships with the University change over time, IT service providers shall ensure that user access privileges are regularly reviewed and adjusted to comply with currently authorized activities.
    2. IT resource access controls. IT service providers shall ensure that IT resources under their responsibility (developed, purchased or otherwise used to handle University information) have adequate features and controls to support the proper management of user access as described in section II.D.1.
    3. Network security controls. IT service providers shall ensure that electronic access to and use of the campus data networks under their responsibility is adequately controlled to protect data network equipment and other networked IT resources.
  5. Physical and Environmental Security

    University data centers and IT resources shall be sufficiently protected from physical and environmental threats to prevent the loss, damage, or compromise of assets, and interruption to business activities.
    1. Data centers. Data center owners, managers, or their designees shall, following guidance from the campus Information Security Officer, ensure that data center facilities under their responsibility have adequate physical security safeguards. These safeguards may include: physical barriers (e.g., walls, gates, locked doors), access controls (e.g., identification cards, visitor escorts and logs, facility/equipment repair records), environmental controls and protections (e.g., uninterruptible power supplies, generators, temperature and humidity systems, fire suppression units).
    2. IT resources. IT service providers shall ensure that all IT resources under their responsibility have adequate physical security safeguards. While the value of these IT resources may not rise to that found in a data center, the physical protections normally afforded to IT resources within a data center should be employed where reasonable and appropriate.
  6. Incident Detection and Reporting

    IT service providers shall monitor for and report security breaches or other significant security events involving the IT resources under their control, following guidance from the campus Information Security Officer.

III. Related Policies, Procedures, Forms, Guidelines and Other Resources

  1. Administrative Policy Statements (APS) and Other Policies

    The IT Security Program serves as the core for the University's IT securityIT securityThe protection of electronic information from (intentional or unintentional) unauthorized access, modification, or destruction, as well as taking precautions to ensure that such information is available as needed to conduct University business.​ activities and provides general guidance to the computing community on ensuring the privacy of personal information and the availability of University informationUniversity informationOfficial information of the institution, including but not limited to: university work products, results, materials, records, or other information developed or produced with university goods, funds or services. University information encompasses all information created by the university, including information classified as private or restricted. Examples include university web site content, schedules of courses, requests for proposals, policies and guidelines, personnel records, student data, research data, and patient data.​ and IT resourcesIT resourceComputers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.​ and encompasses all related IT Security requirements, including the following policy sections:
    • IT Resource User Responsibilities
    • IT Security in Personnel Job Descriptions, Responsibilities and Training
    • IT Security in University Operations, Business Continuity Planning, and Contracting
    • IT Service Provider Security

      The Laws of the Regents, section 14.A.4 states that employees shall be responsible for the safekeeping and proper maintenance of university property in their charge.
  2. Other Resources (i.e. training, secondary contact information)

    Educational information and resources are available on the Office of Information Security website.​
  • 1. Section 1 – IT Resource User Responsibilities was revised effective January 1, 2014.
  • 2. The terms private information and restricted information were changed to highly confidential information and confidential information, respectively – as of April 2014.