Interim Information Security Policy
Effective Date: TBD
Last Revised and approved by Cabinet: TBD
Applicability: This policy applies to all students, faculty members, professional staff members, and all other members of the University community, including but not limited to campus guests, visitors, and third parties doing business or providing services to the University (e.g., vendors, independent contractors and consultants) (hereafter referred to collectively as "User(s)"); Institutional Information (which includes but is not limited to Personally Identifiable Information (PII), Protected Health Information (PHI), financial, Payment Card Industry Data Security Standard (PCI DSS), and Family Educational Rights and Privacy Act (FERPA)); and computer and network resources (hereafter referred to collectively as "Drexel Network").
Responsible Officer: The Chief Information Security Officer (CISO)
Information security is critical to fulfilling the educational, service, and research mission of Drexel University (the “University” or “Drexel”). Drexel is dedicated to ensuring the security and proper creation, use and disposal of Institutional Information generated, collected, accessed, modified, transmitted, and/or stored.
Maintaining the confidentiality, integrity, and availability of both the Drexel Network and Institutional Information is a shared responsibility among User(s) and Drexel. Best security practices and procedures must always be followed.
This Policy, in conjunction with other University policies and practices, creates Information Security administrative, technical, and physical controls throughout the University. This Policy also establishes an Information Security Team, which will be led by the Chief Information Security Officer (CISO), and defines the Information Security responsibilities of Drexel Network and Institutional Information Users.
The Chief Information Security Officer (CISO) will lead the Information Security Team and implement a University-wide information security training and awareness program. The Chief Information Security Officer will coordinate investigations and responses to actual or suspected breaches with the appropriate internal teams and/or law enforcement offices.
The Information Security Team will oversee the University-wide security policies and controls. The Information Security Team will work towards fulfilling its mission to protect the people, the information, and the systems of Drexel University by providing guidance on the risks to Institutional Information and the Drexel Network, taking proactive measures to ensure the security of Institutional Information and the Drexel Network, and creating initiatives for security awareness training, compliance, and risk assessments.
System Administrator(s) will ensure the security and proper creation, use and disposal of information created, collected, managed, and/or stored under their authority. Additionally, Administrators, Managers, and Supervisors are responsible for ensuring User(s) within the scope of their authority are trained and follow information security best practices at all times in their daily roles.
User(s) will strive to minimize or eliminate the creation, collection, handling, storage and use of Sensitive Data. Only those who have a legitimate business need to access Institutional Information should do so, and for as limited a time as possible. When Institutional Information is no longer needed, it will be properly and securely disposed of and/or destroyed. User(s) are required to immediately report any suspected incidents/breaches to the Information Security Team at firstname.lastname@example.org.
Requests for exceptions to this policy will be evaluated according to the standards and principles of the University by the Information Security Team and approved by the CISO. Requests will only be granted upon demonstration of good cause and for no more than 12 months. All exceptions will be reviewed every 12 months.
Penalties for violating this or any other policy covered under this policy may include restricted access or loss of access to the Drexel Network and Institutional Information, termination and/or expulsion from the University and, in some cases, civil and/or criminal liability.
This policy is maintained by the Office of Information Security. Drexel University reserves the right to update or revise this policy or implement additional policies in the future. Users are responsible for staying informed about Drexel University policies regarding the use of computer and network resources and complying with all applicable policies.