• I. Overview
• II. Policy Statement
• III. Rationale
• IV. Audience
• V. Procedures
  • 1. Information Resources Security Responsibility and Accountability
  • 2. Acceptable Use
  • 3. Account Management
  • 4. Administrative/Special Access
  • 5. Backup Recovery of Systems and Data
  • 6. Change Management
  • 7. Computer Virus Protection
  • 8. Classification of Sensitive (Category-I) Digital Data
  • 9. Risk Management
  • 10. Reduction of Use and Collection of Social Security Numbers
  • 11. Management of Sensitive Digital Data
  • 12. Electronic Mail (E-mail)
  • 13. Incident Management
  • 14. Internet Use
  • 15. Information Services Privacy
  • 16. Network Access
  • 17. Network Configuration
  • 18. Passwords
  • 19. Physical Access
  • 20. Portable Computing and Remote Access
  • 21. Security Monitoring
  • 22. Security Training
  • 23. System Hardening
  • 24. Software Licensing
  • 25. Secure Development and Administration
  • 26. Vendor Access
  • 27. Right to Monitor
  • 28. Disciplinary Actions
• VI. Implementation
• VII. Appendix
• VIII. Definitions

Information Resources Use and Security Policy

VI. Implementation

This Policy is based on public policy and privacy issues and not on convenience or past practices. Nevertheless, the university recognizes the financial burdens and the potentially disruptive nature of securing, reprogramming, and immediate conversions of business, research, and information systems.

Nothing in this Policy is intended to prohibit or restrict the collection, use, and maintenance of Category-I data as required or permitted by applicable law; to create unjustified obstacles to conduct the business of the university and the provision of services to its many constituencies; or to negatively affect the university's commitment to engage in high-quality, innovative research that entails the discovery, retention, dissemination, and application of knowledge in compliance with university policy and state and federal laws and regulations.

Some of the requirements of this Policy have immediate compliance dates and others have delayed compliance dates. The university should implement those requirements with delayed compliance dates in a steady and purposeful manner so that they are fully implemented no later than the specified respective compliance dates. The university shall establish priorities for all systems, processes, and research projects that are out of compliance and shall establish a plan for remediating them.