Policy number: 8.2
Policy section: Information Technology
Revised Date: July 28, 2023
Definitions of capitalized terms are set forth in Appendix A.
2. Policy Statement
It is the policy of the University to manage and protect the privacy and Personally Identifiable Information of all students, employees and other members of the University community consistent with federal and state privacy laws. Personally Identifiable Information is protected by federal laws including but not limited to the Gramm- Leach-Bliley Act (“GLBA”) for the safeguarding of non-public information, the Family Educational Rights and Privacy Act (“FERPA”) for the protection of information contained in student records, and, to the extent applicable, the Health Insurance Portability and Accountability Act (“HIPAA”) for the management of protected health information.
The Information Security Program is designed (i) to assist University employees in the identification of reasonably foreseeable internal risks to the security of Personally Identifiable Information and University Data, the assessment of the potential damage of those risks and the evaluation of the sufficiency of existing procedures, business practices, and other safeguards; (ii) to create procedures, business practices, or safeguards to minimize those risks; and (iii) to monitor and improve of the effectiveness of those procedures, business practices and safeguards. This policy provides a minimum security standard for protecting Personally Identifiable Information and University Data and does not restrict creation and enforcement of more restrictive policies for individual University administrative or academic units, provided that such additional policies conform to this policy.
The purpose of this policy is to promote effective administrative, technical, and physical safeguards for the protection of Personally Identifiable Information and University Data maintained by the University on the University’s Resources. Resources are valuable University assets and the University must manage Resources properly to ensure their integrity, confidentiality, and availability for lawful University educational, research, service and administrative activities.
This policy applies to all Users and to all Resources, whether managed by the Office of Information Technology (“OIT”) or by another person or entity. In addition to addressing information stored on computing Resources, this policy addresses protection of Personally Identifiable Information stored on paper records and protection of
- All Users are responsible for managing Resources for the purposes stated in this policy. At a minimum, each User must comply with the following requirements:
- All University-owned laptop computers must be encrypted;
- All University-owned computers must be configured according to OIT minimum security standards, including antivirus, password-enabled screen savers, and inventory. This security lockout feature must automatically initiate after the computer remains idle from user interaction after a predefined time period.
- Users must immediately report to the OIT Help Desk at email@example.com:
- stolen laptop computers and other security breaches;
- suspected unauthorized access to Resources or other suspected security breaches; or
- disclosure or suspected disclosure of Personally Identifiable Information.
- Users must comply with all requirements of OIT’s Information Security Incident Response Procedures, available at http://www.smu.edu/OIT/Infosec/Policy. Because specific processes have been established to address security breaches, any suspected security breach should be reported immediately to the IT Help Desk, firstname.lastname@example.org.
- It is University policy to regulate and manage the selection, distribution, use, modification and testing of computer access authentication solutions such as biometrics and/or smart cards. Effective password management is a critical element in assuring the overall security of the University’s information systems and protection of its information assets. Unauthorized use of a computer password is a violation of University policy and may lead to disciplinary action.
- OIT shall establish minimum baseline standards for passwords on all multi-user systems for which it has responsibility. These standards shall include minimum length, characteristics, and expiration cycles for all Resources. OIT’s responsibility for monitoring the overall security of the University’s information technology environment includes testing the strength of passwords on all multi-user systems. The computer access authentication solution standards established by OIT are available to campus users as part of the Procedures for Using Information Technology Resources at SMU on the University web site (http://www.smu.edu/OIT/Infosec/Password).
- In addition to complying with the requirements of this policy, Users are directed to University Policies 8.1, Acceptable Use, 4.4, Collection of Funds, 8.3 Mobile Equipment and Mobile Services, and 8.6, Institutional Data Governance for additional requirements.
- OIT is responsible for establishing and maintaining the security of Personally Identifiable Information and University Data stored on Resources and, together with the Police Department, for establishing and maintaining the security of Servers. As part of the University’s Information Security Program, OIT will establish baseline standards for access to Resources and University Data stored on Resources. Automated procedures are used to assess and process potentially relevant security related threat activity or vulnerabilities to ensure that University Data and Resources are protected.
- In order to protect Personally Identifiable Information and University Data, faculty and staff members must regularly receive comprehensive security training that includes confidentiality best practices, privacy awareness, and required procedures. Training is incorporated into all full time staff and faculty new orientation requirements and must be completed within 6 months of hire and annually thereafter.
- User and managers of University administrative or academic units are responsible for the security of Resources, Personally Identifiable Information and University Data stored within their individual domains. Each User and each manager of a University administrative or academic unit is responsible for determining whether particular University Data must be maintained in confidence and, with the assistance of OIT, for implementing and enforcing restrictions on confidential University Data equivalent to the restrictions set forth in this policy with respect to Personally Identifiable Information.
- Users must abide by all applicable University guidelines, policies and procedures and with all applicable federal and state laws and regulations.
- System Administrators must monitor and assure compliance with this policy by the System Administrator’s administrative or academic unit. System Administrators are also responsible for promptly identifying and reporting suspected abuse to OIT, especially any damage to or problems with files or systems. Electronic logs of all security problems and related matters must be maintained by each System Administrator.
- Users must cooperate with System Administrators in any investigation of System Abuse.
- The Chief Security Officer (“CSO”), or a person designated by the Chief Information Officer (“CIO”), will establish and chair an Information Security Advisory Council that includes representation from Academic Affairs, the University Internal Auditor, Campus Services, Development and External Affairs, Student Affairs, and other divisions of the University. The ISAC shall meet regularly to review and recommend policy changes, additions or requests for exceptions. Each member of the Council will serve as a liaison to that member’s administrative or academic units and other units as assigned by the CSO for communication and training related to the Information Security Program.
- The CSO, or a person designated by the CIO, is the primary contact for the interpretation, enforcement and monitoring of this policy and the resolution of issues, including resolving conflicts between security policies and procedures of University administrative or academic units and this policy. The CSO is responsible for the administration of the University’s Information Security Program and will provide technical data security support to University administrative or academic units in the development of unit security policies and procedures. The CSO is responsible for overseeing internal security and risk assessments, and penetration testing. In the event of a conflict between this policy and any security policies or procedures of a University administrative or academic unit, this policy controls. Legal questions must be referred to the Office of Legal Affairs.
- Any User who fails to cooperate with System Administrators and/or the CSO in any investigation of System Abuse may have access privileges cancelled or face other disciplinary and/or legal action. Additional sanctions are set forth in Paragraph 19 of University Policy 8.1, Acceptable Use. In cases where Resources are threatened, the CSO will act in the best interest of the University by securing the Resources. When possible, the CSO will abide by the incident handling procedures to mitigate the threat. In an urgent situation requiring immediate action and leaving no time for collaboration, the CSO is authorized to disconnect any affected device from the network. University Resources are subject to vulnerability assessment and safeguard verification by the CSO.
7. Protection of Personally Identifiable Information
- Users will protect and safeguard against unlawful disclosure or unlawful use of any Personally Identifiable Information collected or maintained by the University in the regular course of business according to the Identity Theft Protection Program available at http://www.smu.edu/OIT/Infosec/Policy.
- Each University administrative or academic unit that collects or processes data will determine which Users may have access rights to Personally Identifiable Information. Personally Identifiable Information will be stored in the minimum number of places possible to protect the Personally Identifiable Information, while continuing to conduct University business effectively and efficiently. Access to Resources and any other records or files containing Personally Identifiable Information is restricted to those who need such information to perform their job duties.
- Users must comply with the following requirements:
- Personally Identifiable Information may only be released in accordance with University Policies, OIT procedures, and policies and procedures of University administrative or academic units;
- Any member of the campus community who is contacted by individuals who identify themselves as law enforcement officers or otherwise request information for law enforcement purposes must direct the requestor to the University Police Department. See University Policy 1.9, Service of Subpoenas and Agency Requests, for Information.
- Personally Identifiable Information will be treated as follows:
- No Personally Identifiable Information may be stored on a non-University-owned Resource without the written permission of the CIO or his/her designee. If the CIO or his/her designee grants approval, the CSO must approve the security configuration of the non-University-owned Resource.
- University-owned resources or approved 3rd party services which store Personally Identifiable Information must be protected as provided by the security procedures established by OIT and set forth at: http://www.smu.edu/OIT/Infosec/Policy
- Non-University-owned Resources which have been approved to store Personally Identifiable Information and all University-owned Resources must be protected per the security procedures established by OIT available at: http://www.smu.edu/OIT/Infosec/Policy
- In addition to the requirements relating to computing Resources, paper records or files containing Personally Identifiable Information will be kept in secured locations on the University premises and no paper records or files containing Personally Identifiable Information may be stored outside of the University premises without approval of the President or a Vice President of the University.
- Each University administrative or academic unit responsible for Personally Identifiable Information will arrange for the destruction of records or files containing Personally Identifiable Information that are not to be retained, by shredding, erasing, or otherwise modifying the Personally Identifiable Information to make the information unreadable or undecipherable through any means. OIT-approved procedures for the destruction of electronic media are available at: http://www.smu.edu/OIT/Infosec/Policy.
It is the University’s policy that all individuals involved in research at the University, including faculty, staff, and students, conduct their research-related activities and transactions in accordance with research-sponsor requirements, federal and state laws and regulations, and University policies and procedures. Research data that incorporates sensitive data, proprietary University information or trade secrets, or includes controlled unclassified information or export controlled information, must have adequate security protections in place. It is the responsibility of the Principal Investigator to properly identify the classification of research data in their custody, and to coordinate with the CSO and OIT in coordination with the Office of Research to ensure appropriate protections are in place. It is the responsibility of the Principal Investigator to immediately report any suspected or proven disclosure or exposure of Personally Identifiable Information or other restricted data in the custody of the Principal Investigator to the CSO.
The CIO or designee shall be responsible for interpretation of this policy, resolution of problems and conflicts with departmental policies, and special situations. The CIO may grant exceptions to this policy and/or standards after a formal review as provided below.
Appendix A: Definitions
“Breach” means an unauthorized access to, unauthorized use of, or disclosure of unencrypted data or encrypted data along with the key used to decrypt the encrypted data that is capable of compromising the security, confidentiality, or integrity of Personally Identifiable Information. A good faith but unauthorized acquisition of Personally Identifiable Information for lawful purposes is not considered a breach unless the information is used in an unauthorized manner or is subject to further unauthorized disclosure.
“CIO” means the Chief Information Officer of the University.
“Information Security Program” consists of the information security procedures, daily operational tasks, and the Security Awareness Education and Training programs of the University, set forth at http://www.smu.edu/OIT/Infosec/Policy.
“ISAC” means the Information Security Advisory Council established by this policy.
“CSO” means the Chief Security Officer of the University.
“Mobile Equipment” means cellular telephones, smart phones, data cards, hotspot devices, tablets, accessories and other telecommunications equipment requiring access to a telecommunications service provider network.
“OIT” means the Office of Information Technology of the University.
“Paper Records” means physical documents created or maintained by the University which contain Personally Identifiable Information.
“Personally Identifiable Information” means information that alone or in conjunction with other information identifies an individual, including:
- Standalone Information - information that alone identifies an individual, including:
- social security number;
- driver’s license number or government-issued identification number; or
- any information described under “Combined Information” that alone identifies a person or permits access to the University’s or an individual's financial account.
- Combined Information - an individual's first name or first initial and last name, or other unique identifier, in combination with any one or more of the following items, if the name and the items are not encrypted (or, if encrypted, are accompanied by the key used to decrypt the encrypted information):
- unique biometric data, including the individual's fingerprint, voice print, and retina or iris image;
- personal medical information;
- mother’s maiden name;
- date of birth;
- financial information pertaining to an individual; or
- credit or debit card number (including a University-issued procurement card number), unique electronic identification number, address, routing code or financial institution account number, in combination with any required security code, access code, or password that would permit access to the University’s or an individual's financial account.
- Sensitive Personal Information that identifies an individual and relates to:
- the physical or mental health or condition of the individual;
- the provision of health care to the individual; or
- payment for the provision of health care to the individual.
Personally Identifiable Information does not include directory information described in Policy 1.10 (Privacy of Education Records (FERPA)) (applying that definition to University trustees, officers, employees, students, alumni, applicants, volunteers, donors, guests, customers and contractors engaged in University sponsored activities) or publicly available information that is lawfully made available to the public from the federal government or a state or local government.
"Principal Investigator/Project Director” means the individual solely responsible for technical conduct of a Sponsored Project, technical contact with the Sponsor, expenditure of Sponsored Project Funding, and fulfillment of technical performance and reporting obligations under an Award. "Principal Investigator” (PI) includes an individual designated in an Award as "Project Director" (PD), when performing the functions of a Principal Investigator, or other individuals performing the functions of a Principal Investigator. For the period of the Award, the Principal Investigator/Project Director must be a full-time employee (staff, tenured or, tenure track faculty, Research Professor, Research Associate Professor, Research Assistant Professor, or, if approved by the Provost or his or her designee, a non-tenure track, non-tenure eligible faculty member) appointed pursuant to University Policy 2.3, Faculty Ranks, Academic Titles, and Voting Rights.
“Resources” means the University’s computing, communications, and other information technology systems and includes all hardware, software (including data and documentation), local area networks, internet systems, and applications and data stored on such information technology systems and any other electronic device or service that can store, transmit, or receive information. Resources include, but are not limited to, Servers, computers, personal computers, workstations, laptops, mainframes, minicomputers, Mobile Equipment, land line telephones, wireless devices, media players, storage media, computer networks, connections to network services such as the Internet and web pages, subscriptions to external computer services, networking devices, and any associated peripherals and software, regardless of whether used for educational, research, service, administrative or other purposes.
“Responsible Official” with respect to this policy is the CIO.
“Server” is any computer which shares applications, peripherals, file storage and other Resources, with client computers on a network.
“System Abuse” means the proscribed activities described in Policy 8.1 (Acceptable Use) and any other activities deemed abusive by the CIO.
“System Administrator” means an employee of the University who has been delegated responsibility for the operation, maintenance and administration of a Server or other Resource. The term "System Administrator" may apply.
Revised: July 28, 2023
Adopted: February 25, 2002