Link to the CU IT Security Program Policy APS #6005 from the Office of Policy and Efficiency (OPE).
OIT Guidance for IT Security Policy APS #6005
University IT Security policy APS-6005 addresses the security and privacy of CU information and IT systems, including requirements for IT resource users and IT Service Providers. APS 6005 should be provided to all IT resource users and IT Service
Section 1- IT Resource Users shall protect confidential and highly confidential data from unauthorized disclosure by:
- Do not store highly confidential data on a workstation or a mobile computing device (laptop, phone, flash drives, backup disks, etc.) unless justified for business purposes and adequately secured by encrypting the device.
- Configure automatic logoff for laptops, workstations, tablets and phones.
- Ensure the use of passwords on all devices that carry university data, including personal computing devices.
- Protect from unauthorized physical access- Do not keep data in plain sight when not in use or leave displayed when it is not needed. (lock screen prior to leaving your desk)
- Protect from unauthorized access by using antivirus/antimalware/antispyware.
- Protect passwords, identification cards, and any other devices used to access to university resources. Report if lost or stolen.
- Report security violations, malfunctions, or weaknesses, such as unethical or illegal activity.
- Utilize University IT Resources for authorized purposes only.
Section 2- IT Security in Personnel Job Descriptions, Responsibilities and Training
Units shall ensure that employees are aware of their IT Security responsibilities and are adequately trained to fulfill those responsibilities.
- For additional guidance on implementing the requirements of this policy, contact the OIT Service Desk at (303) 724-4357 (4-HELP on Campus) and ask that a ticket be assigned to the Risk and Compliance team.
- Units shall have an IT Security Awareness training plan and ensure that all employees participate in the training.
Supervisors should ensure that all employees have this training and it should be incorporated into the employee’s performance review.
- Departments/units should have signed, written or other documented acknowledgement from the employee prior to gaining access to university IT Resources. Supervisors should also maintain the records of employee acknowledgement.
- Supervisors should provide employees with additional specialized training as needed prior to gaining access to privileged resources.
- Periodic refreshers on all training should be provided and acknowledgements documented.
- Supervisors should coordinate training efforts with the ISO to ensure all training needed by employees is received and appropriate for their job role.
- When a change in duties or employment status occurs, the Supervisor will notify the appropriate groups (for OIT-managed systems contact the OIT Service Desk @ 4-4357) in order to change or remove access that is no longer needed.
Section 3- IT Security in University Operations, BCP, and contracting
IT Security safeguards should be integrated into University operations, asset management, contracting and Business Continuity Planning (BCP), disaster preparedness, and enterprise risk management processes.
- Units should follow guidance from the campus ISO to ensure proper safeguards are in place to protect university information and IT resources in their care. The appropriateness of the safeguards shall be determined by the criticality and sensitivity
of the information involved. Considerations should also be made for campus policies and external state and federal laws and regulations and industry standards.
- Continuity of Operations- units should ensure that a Business Continuity Plan and disaster preparedness/recovery are in place and reviewed, tested, and updated as needed to ensure the viability of the plan.
- Units should ensure the RFPs, contracts or other service agreements contain proper IT security language and safeguards so that contractors protect University information to a greater level than that which is required by University employees.
- Units should ensure the access to University information and IT resources by contractors and other third parties follows university procedures and policies for the type of access needed.
- Units should evaluate risk to the university information and IT resources in their care. They should forward risk to campus authorities with appropriate jurisdiction over those affected by the risk. (Risk Analysis and Risk Acceptance documentation)
Section 4- IT Service Provider Security
IT Service Providers (server and workstation support, programmers, webmasters, user account administrators) incorporate IT security safeguards into the IT services and products provided to the University community.
- Prevent unauthorized access, disclosure or misuse
- Make certain that information resources are available when needed for university business
- Comply with applicable policies, laws, regulations, rules, grants, and contracts.
- Comply with ISO additional safeguards specific to our campus risks or compliance requirements.
- Make certain all purchases of IT goods and services are approved by the ISO or a designated campus authority in order to protect IT resources in their control.
- Ensure IT controls are implemented and managed throughout the life of the IT resource under their responsibility (asset management). This ensures security is addressed in the design and purchase of new systems, implementation of new or modified systems,
maintenance of existing systems and removal from service at end-of-life systems. (data destruction processes, etc.)
- Engage in continuous monitoring, maintenance and system management to make certain that university information is protected as it is processed, stored, and transmitted for all IT resources in the OU’s control.
- Provide malicious activity protection: IT Resources should be protected from viruses, worms, DOS attacks.
- Further secure by applying appropriate app updates, vulnerability fixes, security patches or other modifications in a timely manner. (vulnerability management, system application hardening, security testing.
- Provide a method for data backup and recovery - University information should be backed up and retained as appropriate for business needs and/or legal requirements. Backups should be tested to ensure the proper recovery of data.
- Media handling and storage - secure electronic storage media (thumb drives, external drives, CD-ROMS, tapes, cartridges, etc.) and protect them from loss and unauthorized access. Any media that is used to store confidential or highly confidential
data shall be stored in a secure location where access is restricted to authorized personnel only. Media used to store highly confidential information shall be encrypted or protected in some other method as described in guidance provided by the
- When disposing of electronic equipment and media-computing and network equipment, all university information should be purged so that information in not recoverable, or destroyed before disposal or contracted with a third party that will be responsible
for the data destruction and provide documentation to prove that data was indeed destroyed.
- Units should have a documented access management plan. The plan should include all processes and procedures in place. Employees should be provided role-based access to university IT resources that are needed to perform job duties. Privileges/Access
should be removed in cases where there is a job change or removal from the university.
- Ensure Network security controls are in place- Adequately control electronic access to and use of, the campus data networks in order to protect data network equipment and other networked IT resources.
- Monitor physical access to data centers. University IT Resources should be protected from physical access to unauthorized persons. Access logs should be kept and reviewed on a monthly basis.