SUU Seal (for official use only)
Print Friendly and PDF

POLICY #5.57 
SUBJECT: Information Technology Resource Security


University Information Technology (IT) Resources are at risk from potential threats such as human error, accident, System failures, natural Disasters, and criminal or malicious action.

The purpose of this Policy is to:

  1. Secure the Private Sensitive Information of faculty, staff, students, and others affiliated with the University
  2. Prevent the loss of information that is critical to the operation of the University.
  3. Maintain the Confidentiality, Integrity, and Availability of all Systems supporting the mission and functions of Southern Utah University.
  4. Ensure compliance with all applicable federal, state, and local laws, regulations and statutes, as well as contractual obligations.
  5. Ensure the protection of Southern Utah University’s IT Resources from Unauthorized Access or damage.


  1. Southern Utah University Policy 5.8 Computer Software Licensing
  2. Southern Utah University Policy 5.39 Records Access and Management
  3. Southern Utah University Policy 5.51 Information Technology Resources
  4. Southern Utah University Policy 5.58 University E-mail Policy
  5. Southern Utah University Policy 6.22 Faculty Due Process
  6. Southern Utah University Policy 8.3.5 Termination of non-Academic Staff Employees and Disciplinary Sanctions
  7. Southern Utah University Policy 11.2 Student Conduct Code
  8. Acknowledgements
    1. University of Utah Information Technology Resource Security Policy (Policy 4-004) and University of Utah Information Security Policy
    2. Utah System of Higher Education Policy R345 Information Technology Resource Security


  1. Account: A login ID in combination with a password or other authentication token used to access any of Southern Utah University’s IT Resources.
  2. Assessed Level of Risk: Risk as assessed by the Information Security Office (ISO) or by using a methodology approved by that office (including self-assessments).
  3. Availability: Ability of an IT service to perform its agreed function when required.
  4. Chief Information Officer (CIO): The Chief Information Officer is responsible for Southern Utah University’s IT planning, budgeting, and performance including its information Security components. The Associate Vice President for Information Technology is the CIO.
  5. Confidential: Any data which is classified as “restricted” or “sensitive” per the data classification model as outlined in Section IV.B.1.a.
  6. Confidentiality: A Security principle that requires that data should only be accessed by authorized people.
  7. Critical Information Technology (IT) Resource: An IT Resource which is required for the continuing operation of the University and/or its colleges and departments, including any IT Resource which, if it fails to function correctly and/or on schedule, could result in a major failure of mission-critical business functions, a significant loss of funds, or a significant liability or other legal exposure.
  8. Disaster: Any event or occurrence that prevents the normal operation of a Critical Information Technology Resource(s).
  9. Disaster Recovery Plan: A written plan including provisions for implementing and running Critical Information Technology Resources at an alternate site or provisions for equivalent alternate processing (possibly manual) in the event of a Disaster.
  10. Incident Response Team: Directed by the Information Security Office (ISO) and made up of campus personnel, the Incident Response Team is responsible for immediate response to any breach of Security. The Incident Response Team is also responsible for determining and disseminating remedies and preventative measures that develop as a result of responding to and resolving Security breaches.
  11. Information Security Office (ISO): The Information Security Office is responsible for the development and maintenance of Security strategy for Southern Utah University’s Information Technology Resources and resolution of campus IT Security incidents. The Director of IT Security heads the ISO.
  12. Information Technology Resource (IT Resource): A resource used for electronic storage, processing or transmitting of data, as well as the data itself. Resources as defined in SUU Policy 5.51, Information Technology Resources.
  13. Information Technology Resource Media: Physical media that contains Southern Utah University’s data. This definition includes but is not limited to hard drives, backup tapes, CD-ROM, DVD-ROM, Blu-Ray disc, USB drives, recorded magnetic media, photographs, digitized information or microfilm.
  14. Integrity: A Security principle that ensures data is only modified by authorized personnel and activities. Integrity considers all possible causes of modification, including software and hardware failure, environmental events, and human intervention.
  15. IT Resource Steward: The individual who has policy level responsibility for determining what IT Resources will be stored, who will have access, what Security and privacy risk is acceptable, and what measures will be taken to prevent the loss of Information Resources.
  16. IT Resource Custodian: The organization or individual who implements the policy defined by the IT Resource Steward and has responsibility for IT Systems that store, process or transmit IT Resources.
  17. IT Systems Administrator: University staff that, under the direction of the IT Resource Custodian, have day-to-day operational responsibility for data capture, maintenance and dissemination.
  18. Private Sensitive Information: Private information retained by or accessible through IT Resources, including any information that identifies or describes an individual, including but not limited to, their name, social Security number, medical history, and financial matters. Access to such data is governed by state and federal laws, both in terms of protection of the data, and requirements for disclosing the data to the individual to whom it pertains.

    Private Sensitive Information does not include “public information” as defined by the Utah Government Records Access and Management Act (GRAMA), or in the case of student records, “directory information” as defined by the Family Education Rights and Privacy Act (FERPA).
  19. Security: Measures taken to reduce the risk of 1) Unauthorized Access to IT Resources, via either logical, physical, managerial, or social engineering means; and 2) damage to or loss of IT Resources through any type of Disaster, including cases where a violation of Security or a Disaster occurs despite preventive measures.
  20. Server: A computer used to provide information and/or services to multiple Users.
  21. Southern Utah University (SUU): All colleges, divisions, departments, members of the University community, and all students, staff, faculty, temporary employees.
  22. System: A functionally related group of software, hardware, and IT Resources.
  23. Unauthorized Access: Access to any IT Resource, User area, controlled physical area, or other private repository, without the permission of the appropriate steward/owner.
  24. User: Any person, including faculty, staff, students, temporary employees, contractors, vendors, automated processes (acting as a User), and third-party agents, who accesses any Southern Utah University IT Resources.


  1. Applicability: Compliance with this policy, and all its related rules and procedures, is required for all Southern Utah University colleges, schools, divisions, departments, members of the University community, and all students, staff, faculty, temporary employees, contractors, vendors, and third-party agents.
  2. Data Management
    1. Southern Utah University shall take measures to protect Confidential information that is stored, processed or transmitted using IT Resources. These measures shall be implemented commensurate with the Assessed Level of Risk and reviewed at regular intervals.
      1. Data Classification – All electronic data shall be classified in accordance with the following requirements:
        1. Public Data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public Data, while subject to University disclosure rules, is available to all members of the University community and to all individuals and entities external to the University community. By way of illustration only, some examples of Public Data include:
          1. Campus maps;
          2. Campus events;
          3. Course descriptions.
        2. Sensitive Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from Unauthorized Access, modification, transmission, storage, or other use. This classification applies even though there may not be a civil statute requiring this protection. Sensitive Data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data. By way of illustration only, some examples of Sensitive Data include:
          1. Internal memos and email, and non-public reports, budgets, plans, and financial information;
          2. Library transactions;
          3. Information covered by non-disclosure agreements;
          4. Donor contact information and non-public gift amounts.
        3. Restricted Data is information protected by statutes, regulations, University policies, or contractual language. Restricted data may be disclosed to individuals on a need-to-know basis only. By way of illustration only, some examples of Restricted Data include:
          1. Credit card information;
          2. Protected Health Information (PHI);
          3. Social Security number (SSN);
          4. Student and prospective student information;
          5. Export controlled information under U.S. laws.
      2. Departments should carefully evaluate the appropriate data classification category for their information.
      3. Data Handling – All electronic data shall have appropriate handling procedures in accordance with its classification and commensurate with the Assessed Level of Risk.
  3. Access Management
    1. Only authorized Users shall have physical, electronic, or other access to Southern Utah University’s IT Resources. Access shall be limited to Users with a business need-to-know, and limited only to the requirements of their job function. It is the shared responsibility of IT Resource administrators and Users to prevent Unauthorized Access to Southern Utah University’s Systems. Access controls for IT Resources shall include effective procedures for granting authorization, tools and practices to authenticate authorized Users, and prevention and detection of unauthorized use. IT Systems Administrators and managers are primarily responsible for establishing, documenting, implementing, and managing access control procedures for their IT Resources.
      1. Account Authorization – Southern Utah University Accounts shall be created according to Identity Management (IDM) procedures.
      2. Account Authentication – Southern Utah University Accounts shall be authenticated at a minimum via unique login ids and passwords.
      3. Account Termination – Southern Utah University Accounts shall be disabled and/or deleted according to Identity Management (IDM) procedures.
      4. Account Reaccreditation – Southern Utah University shall conduct periodic reviews of authorized access commensurate with the Assessed Level of Risk.
  4. Change Management
    1. Units responsible for information resources will ensure that changes that impact Users and other IT System Administrators will be communicated, and follow approved change management procedures.
  5. IT Resource Security
    1. Southern Utah University shall protect IT Resources commensurate with the Assessed Level of Risk and utilize Security baseline settings to ensure that IT Resources are available for use and free from malware. IT System Administrators and Users managing IT Resources shall:
      1. Protect any IT Resource under their management from compromise. This includes installing antivirus and relevant Security patches to address Security issues.
      2. Implement procedures that lock the User’s workstation after a predetermined time of inactivity.
      3. Configure the IT Resources to reduce vulnerabilities to a minimum.
      4. Periodically verify audit and activity logs, examine performance data, and generally check for any evidence of Unauthorized Access, the presence of viruses or other malicious code.
      5. Cooperate with the ISO by providing support for and/or review of administrative activities as well as allowing the performance of more sophisticated procedures such as penetration testing and real-time intrusion detection.
    2. Southern Utah University shall physically protect IT Resources commensurate with the Assessed Level of Risk. Users and IT System Administrators shall ensure that controls are planned and implemented for safeguarding physical components against compromise and environmental hazards. Locks, cameras, alarms, redundant power Systems, fire detection and suppression Systems, and other safeguards as appropriate shall be installed in data centers and technology closets to discourage and respond to Unauthorized Access to electronic or physical components contained in these areas.
  6. Mobile/Remote Access
    1. Users who create, access, transmit, or receive Southern Utah University information are responsible for protecting that information in a manner commensurate with risk (i.e., the data's sensitivity, value, and criticality). Appropriate procedures regarding Confidentiality and privacy of information should be followed at all times regardless of location on or off-campus.
    2. Users who work remotely shall ensure that their remote device (workstation, mobile phone, tablet, etc.) meets the same information Security standards as the User's on-site connection (i.e., physical Security, antivirus, operating System updates, etc.), as defined by best practices established by the ISO.
    3. In addition, any User accessing Southern Utah University IT Resources from a mobile device (netbook, tablet, cell phone, etc.) must follow best practices designated by the ISO for mobile device Security and ensure that the device can meet any technological requirements defined in the best practices. By way of illustration only, some device requirements may include:
      1. Passcode lock
      2. Remote wiping capability
  7. Vendors and Business Services Agreement
    1. Southern Utah University may permit a vendor, or other third party, to create, receive, maintain, or transmit Confidential University information when satisfactory assurances are obtained that the vendor will appropriately safeguard the information.
  8. Network Security
    1. Access to both internal and external networked services shall be controlled, restricted, and protected by IT Resource administrators, commensurate with the Assessed Level of Risk. Southern Utah University User and/or IT Resource access to networks and network services shall not compromise the Security of the network services by ensuring:
      1. Appropriate controls are in place between Southern Utah University’s network and networks owned by other organizations, and public networks.
      2. Appropriate authentication mechanisms are applied for Users and IT Resources.
      3. Control of User and IT Resource access to information services is enforced.
  9. Log Management and Monitoring
    1. IT System Administrators shall configure IT Resources to record and monitor information Security incidents, events, and weaknesses. IT Resource administrators and the ISO shall regularly review and analyze these logs for indications of inappropriate or unusual activity.
  10. Backup and Recovery
    1. IT Resource administrators shall conduct backups of User-level, application-level, and System-level information commensurate with the Assessed Level of Risk and protect backup information at the storage location. Routine procedures shall be established for taking backup copies of data and testing their timely restoration and recoverability.
    2. Measures to protect backup media shall be commensurate with the importance and sensitivity of the data.
    3. Measures may include physically secured, encrypted, off-site copies (see Section IV.B.1.c.).
  11. IT Resource Media Handling
    1. Southern Utah University’s IT Resource media shall be controlled and physically protected by Users, commensurate with the Assessed Level of Risk to prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities. Appropriate operating procedures shall be established to protect documents, IT Resource media, input/output data, and System documentation from unauthorized disclosure, modification, removal, and destruction.
      1. IT Resource Media Access - Southern Utah University shall restrict access to IT Resource media to authorized individuals.
      2. IT Resource Media Storage - Southern Utah University shall physically control and securely store IT Resource media on-site within controlled areas where appropriate, and ensures any authorized off-site storage is, at minimum, secured at the same level as the on-site area.
      3. IT Resource Media Transport - Southern Utah University shall label IT Resource media prior to transport, protect and control IT Resource media during transport outside of controlled areas, and restrict the activities associated with transport of such media to authorized personnel.
      4. IT Resource Media Sanitization and Disposal - Southern Utah University shall appropriately sanitize or destroy IT Resource media prior to disposal or release for reuse.
  12. Business Continuity and Disaster Recovery Planning
    1. Southern Utah University shall develop and periodically review, test, and update a formal, documented contingency plan based on a business impact analysis that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Southern Utah University entities, escalation procedures, as well as develop and periodically review, test, and update formal, documented procedures to facilitate the implementation of the contingency plan.
    2. Where appropriate, Southern Utah University must develop contingency plans that allow physical access to facilities in order to recover data and resume operations in the event of an emergency or Disaster. For example, if card access to the data center were to fail.
    3. As needed, establish (and implement as necessary) procedures to enable continuation of critical business processes for protection of the Security of information while operating in emergency mode.
  13. Information Security Incident Management
    1. Southern Utah University shall develop and periodically review, test, and update a formal, documented incident response plan that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Southern Utah University entities, escalation procedures, as well as develop and periodically review and update a formal, documented procedure to facilitate the implementation of the incident response plan.
    2. Southern Utah University may discontinue service as outlined in Section IV.W. of this Policy.
  14. Information Security Awareness Training
    1. Southern Utah University’s faculty, staff, temporary employees, and, where appropriate, contractors and third-party Users shall receive information Security awareness training and regular updates as mandated for their role at the University.
  15. Protecting Private Sensitive Information
    1. University colleges, schools, departments, and divisions must take measures to protect Private Sensitive Information that is stored, processed, or transmitted using IT Resources under their control. These measures should be taken as needed and reviewed at regular intervals using best practices designated by the ISO.
    2. Security procedures must be designed for IT Resources that do not store, process or transmit Private Sensitive Information if access to such IT Resources provides the possibility of a breach of Security.
    3. Users of IT Resources must not knowingly retain on personal computers, Servers, or other computing devices, Private Sensitive Information, such as Social Security numbers, financial information including credit card numbers and bank information, or protected health information, including health records and medical information, except under all of the following conditions:
      1. The User requires such Private Sensitive Information to perform duties that are necessary to conduct the business of the University.
      2. The Dean, Department Chair, or Vice President grants permission to the User.
      3. The User takes reasonable precautions to secure Private Sensitive Information that resides on a User’s personal computer or other computing device, e.g., implement password protection and encryption for documents that contain sensitive information.
  16. Preventing the Loss of Critical IT Resources
    1. University units must take measures to identify and prevent the loss of Critical IT Resources that are under their control, according to best practice designated by the ISO, and to include Critical IT Resources in a Disaster Recovery Plan.
    2. Reasonable and appropriate Security procedures must be implemented to ensure the Availability of Critical IT Resources.
    3. A User must take reasonable precautions to reduce the risk of loss of Critical IT Resources that reside on a User’s personal computer or other computing device, i.e., backup critical documents on CDs or other media, or back up documents to a storage device or System, at regular intervals, which is administered by the User’s IT Systems Administrator.
  17. If uncertain whether or not an IT Resource contains Private Sensitive Information or is a Critical IT Resource, a User must seek direction from the IT Resource Steward, the IT Resource Custodian, or the University ISO.
  18. Reporting of Security Breaches
    1. All suspected or actual Security breaches of University, college, or departmental Systems must immediately be reported to the ISO. IT Systems Administrators should report Security incidents to the IT Resource Steward and IT Resource Custodian for their respective organization. If the compromised System contains personal or financial information (e.g. credit card information, Social Security numbers, etc.), the organization must report the event to the University’s Office of General Counsel.
    2. If Private Sensitive Information has been accessed or compromised by unauthorized persons or organizations:
      1. The IT Resource Steward or User who is responsible for the information must consult with the vice president, dean, department head, supervisor, ISO, and the Office of General Counsel to assess the level of threat and/or liability posed to the University and to those whose Private Sensitive Information was accessed.
      2. Individuals whose Private Sensitive Information was accessed or compromised will be notified and referred to the ISO for instructions regarding measures to be taken to protect themselves from identity theft.
  19. Reporting Loss of IT Resource
    1. If IT Resources are lost, the User must notify the ISO who will determine the appropriate course of action.
  20. Risk Assessment
    1. Southern Utah University must regularly identify, define and prioritize risks to the Confidentiality, Integrity, and Availability of their IT Resources utilizing a methodology approved by the ISO. The ISO will provide guidance or assistance for the risk assessment process as necessary.
    2. In addition to regular risk assessments, The University must conduct a risk analysis, in consultation with the ISO, when environmental or operational changes or additions occur (new services, Systems, etc.) which significantly impact the Confidentiality, Integrity, or Availability of information Systems containing Confidential information.
  21. Roles and Responsibilities
    1. Director of IT Security: The Director of IT Security reports directly to the Chief Information Officer (CIO). The Director of IT Security is responsible for drafting University Security policies, plans, and best practices documents. The Director of IT Security is responsible for the coordination, review, and approval of procedures used to provide the requisite Security for Private Sensitive Information or Critical IT Resources. The Director of IT Security is responsible for coordinating compliance with this policy. Responsibilities and roles include but are not limited to:
      1. Head the Information Security Office (ISO).
      2. Develop and maintain Security policy, plans, procedures, strategies, architectures, best practices, and minimum requirements.
      3. Educate IT Systems Administrators, computer professionals, and Users, regarding Security. Provide guidelines, consultation, and assistance to colleges, departments, and individuals regarding the proper use of computer workstations, Servers, applications, department networks and other IT Resources.
      4. Provide assistance in complying with this policy to IT Resource Stewards, IT Resource Custodians, and IT Administrators as requested.
      5. Implement and enforce baseline perimeter Security practices endorsed for educational institutions by federal, state, and local government agencies, and national organizations such as Educause and SANS.
      6. Monitor and analyze campus network traffic information to ensure compliance with University Security and acceptable use policies, and to evaluate, identify, and resolve Security vulnerabilities, breaches and threats to University IT Resources.
      7. Conduct Security audits as requested by colleges or departments. Conduct Security audits periodically to confirm compliance with this Policy.
      8. Direct the campus Incident Response Team, incident response activities, and incident resolution at the University, departmental, and individual levels. Take appropriate and reasonable remedial action to resolve Security incidents.
      9. Assist University or third-party auditors in the analysis of college and departmental IT Resources to further ensure policy compliance.
      10. Monitor compliance with Security policies and report compliance violations to the relevant cognizant authority.
    2. Information Technology Department: The Information Technology department has primary responsibility for managing IT Resources, including but not limited to the campus network, Servers, storage area networks, the IP phone System, User desktops and notebooks, and all properly licensed software installed on the network. The IT department’s Security responsibilities include but are not limited to:
      1. Monitor the campus network traffic flows, primarily for the purpose of network maintenance and optimization.
      2. Inform the ISO of traffic patterns, which pursuant to best practices, procedures, and standards, may indicate a potential or actual threat to the network backbone and University IT Resources.
      3. Apply Security policy and procedures to IT Resources as directed by the ISO and industry best practices.
    3. Incident Response Team: Under the direction of the ISO, the Incident Response Team is responsible for immediate response to any breach of Security. The Incident Response Team is also responsible for determining and disseminating remedies and preventative measures that develop as a result of responding to and resolving Security breaches. The team consists of the Director of IT Security and designated campus IT managers.
    4. IT Resource Steward: The IT Resource Steward is designated by the cognizant authority of the relevant organization. Responsibilities include but are not limited to:
      1. Determine the purpose and function of the IT Resource.
      2. Determine the level of Security required based on the sensitivity of the IT Resource.
      3. Determine the level of criticality of an IT Resource.
      4. Determine accessibility rights to IT Resources.
      5.  Specify adequate data retention, in accordance with University policies, and state and federal laws for IT Resources consisting of applications or data.
      6. In rare cases, an organization may need to configure IT Resources in a manner that is not compatible with standard Security procedures, best practices, and minimum requirements (i.e., to conduct network and/or Systems research, or for other academic purposes). In such cases, the IT Resource Steward, must accept responsibility for alternative Security measures that may be implemented. The IT Resource Steward may request, and the ISO may grant, a written exemption from standard Security procedures, best practices, and minimum requirements, provided the IT Resource Steward documents the need for an exception, receives a ISO assessment of the risk and vulnerabilities exposed by the exception, and agrees to make every reasonable effort to prevent the exception from causing potential or actual Security threats to the relevant organization and other campus organizations.
      7. An IT Resource Steward in a college or department, which lacks the professional IT staff or expertise to accomplish items (a) through (f) in this section may request assistance from the ISO or the assigned IT Resource Custodian.
    5. IT Resource Custodian: The IT Resource Custodian is responsible for implementing and maintaining Security measures in accordance with the Security level identified by the IT Resource Steward. For example, the Administrative Computing Services department would be the IT Resource Custodian of a central student registration System. Responsibilities include but are not limited to:
      1. Ensure proper controls are in place and followed to meet access requirements and Security levels as determined by the IT Resource Steward.
      2. Determine the appropriate method for providing business continuity for Critical IT Resources (e.g., performing Disaster Recovery at an alternate site, performing equivalent manual Procedures, etc.).
      3. Prepare for Disaster recovery. In the event of a Disaster, provide oversight of the implementation of the Disaster Recovery Plan.
      4. Monitor and analyze network traffic and System log information for the purpose of evaluating, identifying, and resolving Security breaches and/or threats to the IT Resources of the organization for which they have responsibility.
      5. Ensure that data retention requirements are met for IT Resources consisting of applications or data.
    6. IT Systems Administrator: The IT Systems Administrator(s) is responsible for the performance of Security functions and procedures as directed by the IT Resource Custodian and/or IT Resource Steward. It is the IT Systems Administrator’s responsibility to implement and administer the Security of IT Resources in accordance with Southern Utah University and industry best practices and standards.
  22. Exceptions to Policy
    1. Exceptions to this policy and any related rules or procedures may be made where the cost to remediate Systems and processes that are not compliant with applicable policies, rules, standards, procedures, and guidelines greatly exceeds the risks of non-compliance.
    2. Exceptions to policy received and approved by the ISO and IT Resource Stewards will be documented and archived.
    3. Exception requests are reviewed and analyzed by the ISO and the IT Resource Steward (or their designee), and if the request creates significant risks without compensating controls it may not be approved. If denied, appeals may be made to the CIO.
  23. Sanctions and Remedies
    1. The IT department may discontinue service to any User who violates this policy or other IT policies when continuation of such service threatens the Security (including Integrity, privacy and Availability) of University IT Resources. IT may discontinue service to any network segment or networked device if the continued operation of such segments or devices threatens the Security of University IT Resources. The ISO will notify the IT Resource Steward and/or Custodian or their designee to assist in the resolution of non-compliance issues before service(s) are discontinued, unless non-compliance is causing a direct and imminent threat to University IT Resources.
    2. The IT Resource Steward may discontinue service or request that the ISO discontinue service to network segments, network devices, or Users under their jurisdiction, which are not in compliance with this policy. IT Resource Stewards will notify or request that the ISO notify affected individuals to assist in the resolution of non-compliance issues before service(s) are discontinued, unless non-compliance is causing a direct and imminent threat to University, college, or department IT Resources.
    3. A User’s access shall be restored as soon as the direct and imminent Security threat has been remedied.
    4. The University reserves the right to revoke access to any IT Resource for any User who violates this Policy, or for any other business reasons in conformance with applicable University policies.
    5. Violation of the Policy may result in disciplinary action in accordance with University policies referenced in Section II of this Policy.




The responsible office for this Policy is the Vice President for Finance. For questions about this Policy, contact the Director of IT Security.


Date Approved: October 21, 2011

Amended: N/A