Data Security Policies

UNIVERSITY OF MASSACHUSETTS AMHERST
Information Security Policy - Draft
http://www.umass.edu/it/policies/drafts

Published on UMass Amherst Information Technology (http://www.umass.edu/it)

University of Massachusetts Amherst Information Security Policy – DRAFT [1]

February 23, 2018

I. Introduction

Institutional information, research data, and information technology (IT) resources are critical assets necessary for the University of Massachusetts Amherst (“UMass Amherst”) to fulfill its missions. To maximize the preservation and protection of these assets, and to manage the risks associated with their maintenance and use, this policy establishes information security governance structure, rules, technical standards, and procedures. By approval of UMass Amherst’s Chancellor, this policy exists in conjunction with all other institutional policy.

II. Policy Statements

Information security is the responsibility of every user of institutional information, research data, and information technology resources. All users who create, access, manage, or manipulate institutional information, research data, or information technology resources must comply with this policy’s administrative, technical, and physical safeguards.

A. Governance

This policy establishes campus information security governance with the creation of roles and responsibilities.

Information Security Program Management
  • Chancellor
  • Vice Chancellor and Chief Information Officer
  • Chief Information Security Officer
  • Vice Chancellors and Deans

Information Categorization and Management
  • Data Stewards
      o Steward Delegate
  • Data Administrators
  • Subject Matter Experts
  • Data Custodians

Information Security Program Implementation
  • Vice Chancellors and Deans
  • Department Chairs, Directors, Supervisors, etc.
  • Security Liaisons
  • Chief Technology Officer
  • Service Administrator
  • Users

Additional details regarding the specific roles in these categories are in section IV.

B. Information Incident Reporting

All users must report incidents involving unauthorized access to institutional information, research data, and information technology resources to the Chief Information Security Officer. You may also report them to your local information security liaison and to the UMass Amherst IT Security Team. For more information, see: https://www.umass.edu/it/security/incident-reporting [2]

C. Institutional Information and Research Data Categorization