Information Security Policy
July 2009
To download the Official University Policy [PDF], please go to: http://policy.nd.edu/policy_files/InformationSecurityPolicy.pdf
Policy
Information that Notre Dame or its agents use in the course of conducting University business is an institutional resource. Although individuals, offices, departments, programs, or schools may have responsibilities for creating and maintaining portions of University information and University records, the University itself retains ownership of, and responsibility for, the information. University Officers will appoint Data Stewards, each charged with responsibility for a segment of University information, and with participating as members of the Data Oversight Committee. Data Stewards will assign information under their stewardship to one of four security classifications: public, internal, sensitive and highly sensitive. These classifications are based upon the information’s intended use and the expected impact if disclosed.
The Data Oversight Committee, chaired by the Chief Information Officer (CIO), will publish, at a minimum, the following:
- Highly Sensitive Information Handling Standards
- Security Configuration Standards (authentication required)
- Server Management Baseline Standards
These standards will specify controls to manage risks to the confidentiality, integrity and availability of University information and related assets. All individuals are responsible for complying with these controls. The University will conduct periodic risk assessments to determine the effectiveness of such controls, and perform audits to measure levels of compliance. The Data Oversight Committee will review all standards related to this policy on a regular cycle that it determines to be appropriate.
The Data Oversight Committee will arbitrate disputes related to this policy. Appeals of Data Oversight Committee decisions can be made in writing to the Provost or Executive Vice President.
The Office of Information Technologies will maintain a formal information security awareness, training and education program, to ensure that all individuals are aware of their responsibilities.
The Office of General Counsel and Office of Information Technologies will review information technology product or service contracts. This review will include identification of risks related to information security.
The University’s policy is to comply with all applicable legislative, regulatory and contractual requirements concerning information security. University information security standards may exceed legally prescribed requirements.
Scope
This policy applies to faculty, staff, students, and all others granted use of University information or related assets and defines their responsibility for the protection and appropriate use of University information, applications, computer systems, and networks.
Contacts
Policy Content, Reporting Violations:
OIT Information Security -- Phone: (574) 631-5600, Email: infosec@nd.edu
Policy Process:
University Policy Specialist, Office of the General Counsel -- Phone: (574) 631-6411, Email: policy@nd.edu

