131 SPEC Kit 360: Learning Analytics

UNIVERSITY OF MASSACHUSETTS AMHERST
Information Security Policy - Draft
http://www.umass.edu/it/policies/drafts

6. Users

In accordance with this policy, users must be aware of the value of information. They must protect information reasonably. Users must therefore follow the requirements for:

Information technology resources
Institutional information
Research data

V. Standards

The user of every device connected to the campus network or that stores or transmits institutional information and research data is responsible for adherence to security control standards. IT administrators either in UMass IT or in specific colleges or units may do the actual installation and configuration work, but it remains the responsibility of the user of that device to have those controls installed, configured and up to date (even if that simply means that when prompted to keep a computer on for its update, the user will comply with the prompt).

Faculty, staff, and researchers who do not have or accept IT administration support are still subject to these rules and assume all responsibility for maintaining up to date controls on their devices that store or transmit institutional information and research data. This rule applies whether it is an institutionally owned device or personal, and whether it is on the campus network while physically on the campus or from a remote location.

A. Technology Standards

All information technology resources, regardless of ownership, that contain institutional information or research data must have the following foundational information security controls in place and functioning. Alternative, but equally effective, controls may be substituted in accordance with the exception process. Additional controls may be required based on the categorization of the information or data, the nature of the information technology resource, the applicable regulatory or contractual requirements, or other risk management calculations.
For more information see: https://www.umass.edu/it/security/controls [4].

1. Foundational Information Security Controls

The five foundational information security controls identified at the time of this policy’s publication are referenced below. For additional information, or to see a complete, updated list of foundational information security controls, see https://www.umass.edu/it/security/controls [4].

a) Patch Management
Security patches must be installed, operational and regularly updated on all information technology resources.

b) Anti-Malware
Anti-malware solutions must be installed, operational and regularly updated for applicable information technology resources.

c) Firewall
Software to block incoming connections, unless explicitly allowed, must be installed and configured on applicable information technology resources.

d) Encryption
All institutional information and research data stored on end-user devices must be encrypted.

e) Secure Disposal
All information technology resources that contain institutional information or research data must be disposed of in an authorized manner.

B. User Account Standards

The campus owns all accounts, including NetID. IT creates and provisions these accounts to users for the purposes of accessing university resources. All users have a responsibility to protect the university accounts under their care. Protection of these accounts