
Information Security for Institutional Information

Policy Number: IT-8
Effective Date: May 2014

Last Revised and approved by Cabinet: July 30, 2019

Applicability: This policy applies to all persons using Devices or Services with Institutional Information.

Responsible Officer: Vice President of Information Technology/Chief Information Officer


Drexel University, including its Colleges, Schools, Centers, Institutes, divisions, subsidiaries and affiliates (the "University"), intends to protect the confidentiality, integrity, and availability of Institutional Information. To maintain sufficient protection of Institutional Information, Information Security Requirements will be established by the Responsible Officer and adjusted as needed.


"Institutional Information" is educational, financial, health and other personal information provided to the University or created in the course of University business, education, research, and other activities.

"Device" means any Internet-of-Things or Mobile Device, office equipment (including multi-function copiers/printers), computer, or storage system (including arrays, drives, DVDs, CDs, diskettes, and tapes) accessing, collecting, transmitting, and/or storing Institutional Information, regardless of the location or ownership of the Device.

"Service" means any campus- or cloud-based service that collects, processes, transmits, or stores Institutional Information.

"Internet-of-Things or Mobile Device" includes tablets, smart phones, smart watches, other "wearable" devices, surveillance devices, and environmental, geo-positioning or other sensors.


It is the policy of the University that the Responsible Officer will develop, maintain, and publish Information Security Requirements (the "Requirements") as they relate to how Devices and Services may interact with Institutional Information. The Requirements may mandate that certain software and settings be installed on Devices to support compliance with the Requirements.

All Devices and Services must comply with the Requirements. Devices or Services that cannot satisfy Requirements may not be used to access, collect, transmit, or store Institutional Information.

Individuals and organizations that operate or manage Services that communicate with Devices or other Services must implement the Requirements and take measures to block access by Devices or Services that do not comply with the Requirements.


The Responsible Officer and his or her designees will, based on best practices and emerging standards in higher education, develop and publish Requirements to protect the accessibility, confidentiality, and integrity of Institutional Information. When new Requirements are developed, they must promptly be communicated to the University Community in writing, which may be done electronically. Multiple sets of Requirements may be established to protect different kinds of information, Devices, and/or Services.

The Requirements are to be reviewed at least annually. When changed, a summary of the changes is to be communicated to all Members of the University Community in writing, which may be done electronically.

Within three months of publication, the Requirements must be implemented on all Devices and/or Services. With approval of the President or an Executive Vice President, the three-month implementation period may be shortened.

When differences in Device or Service security capabilities make it necessary to create alternate sets of Requirements to achieve specific information security goals, the highest security level is to be the default. The Responsible Officer and his or her designees will develop and publish processes by which individuals may seek authorization to use a Requirement set with a lower security level.


Any violation of this policy or failure to comply with its provisions or the provisions of any Information Security Requirement by any Applicable Member may result in disciplinary action up to and including termination.

Inquiries regarding this policy can be directed to Drexel University Information Technology at 215.895.1434.