Go to navigation Go to content

Information Technology & Telecommunications

The policies on this webpage have been streamlined and reformatted, and are now available on the University Policies webpage. We ask that you use this new resource, as future changes, additions to or eliminations of these policies will only be made to the University Policies webpage, and policy manuals you may have used in the past will no longer be updated. Note: On March 31, 2018, this resource will no longer be available. Please update your bookmarks to the University Policies webpage.

BPM-1203 Information Security

April 16, 2008


The University will develop, implement and maintain a comprehensive, system-wide, information security program with appropriate methods and safeguards as required by industry standards, federal and state laws and regulations. Consistent with the University's Collected Rules and Regulations (CRR), the Vice President for Information Technology (VP for IT) will be primarily responsible for the development, implementation and enforcement of this program. The program will apply to all units within the University and to any and all users of University IT resources, regardless of their relationship to the University. Each University entity must comply with the IT security policies and programs or, when necessary, develop specific security policies, programs and processes that are consistent with the systemwide program and are approved by the VP for IT.


The information security program, under the guidance of the Chief Information Security Officer (CISO) will establish policies and processes governing how individuals manage and use the University's IT systems. The program will be applicable to all of the University's IT systems including, but not limited to, applications, databases, networks, computer systems/servers, computing facilities and all computing devices owned by the University or that hold University data. The program may also apply to personally owned devices if such devices are utilized for University purposes.


Vice President for Information Technology
  • Primarily responsible for implementing information security policies and programs.
  • Will designate a Chief Information Security Officer (CISO) for the University System.
  • Will appoint or select members to serve on a System-wide Information Security Advisory Committee (SISAC).

System-wide Information Security Advisory Committee (SISAC)
  • Will consist of the VP for Information Technology, the campus/organization CIOs, the CISO, and other representatives from throughout the University as deemed appropriate.
  • Responsible for defining goals, setting priorities and reviewing policy and program components prior to implementation.

Chief Information Officers (or CIO equivalent) at each campus/organization
  • Responsible for implementing and enforcing IT security policies at their campus or organization.
  • Will either serve as, or designate, an Information Security Officer (ISO) for their campus/organization.

Chief Information Security Officer (CISO)
  • Will ensure consistency and adequacy of information security programs at both the system and campus/organization levels.
  • Will provide guidance related to policy and program priorities for consideration by the SISAC.