Security Policy for Technology Professionals

Scope:

This policy covers all of the University of Detroit Mercy’s computing, networking, telephony, and information resources. All members of the University community share in the responsibility for protecting information resources for which they have access or custodianship.

Purpose:

The purpose of this policy is to establish the University’s approach to information security and to establish procedures that will help identify and prevent compromises of information around the University’s computing, networking, telephony, and information resources, as well as to create a secure baseline standard for the University’s computing, networking, telephony and information resources.

Policy:

Individuals Covered

This policy applies to all information technology professionals employed by the University who are responsible for the installation, management, and maintenance of computing, networking, telephony, and information resources. These persons include students, faculty, staff, administrators, persons retained to perform University work, and any other person extended access and use privileges by the University given the availability of these resources and services, and in accordance with University contractual agreements and obligations.

Systems and Resources Covered

This policy covers all computing, networking, telephony, and information resources procured through, operated, or contracted by the University. This policy also covers any computing device connecting to and utilizing University information resources. Such resources include computing and networking systems, such as those that connect to the University telecommunications infrastructure, other computer hardware, software, databases, support personnel and services, physical facilities, and communications systems and services. Authorized support personnel for high-security systems are outlined in the ITS Roles and Responsibilities Matrix and Audit Calendar.

Information Classification & Protection

In order to ensure that information about members of the University community is properly protected, all information will be classified in accordance with the Data Classification section of the University’s Acceptable Use & Security Policy. Information that is classified as Detroit Mercy Protected or Detroit Mercy Sensitive data will receive additional protections. Data deemed PCI-DSS relevant must comply with all PCI-DSS requirements as outlined by the PCI Data Security Standard Version 3.2. All Personal Health Information (PHI) must be protected or properly redacted as outlined in the HIPAA Privacy Rule.

User Training and Awareness

Effective information security requires a high level of participation from all members of the University and all must be well informed of their responsibilities. To facilitate this, information security awareness materials and training will be provided to the Detroit Mercy community in accordance with the Acceptable Use & Security Policy.

Physical and Environmental Security

Centralized computer facilities will be protected in physically secure locations with controlled access, in accordance with the Access Control Policy. They will also have appropriate environmental safeguards. Departmental computers housing Detroit Mercy Sensitive or Detroit Mercy Public data may require physical and environmental security safeguards. All servers containing Detroit Mercy Protected data must be housed in an approved ITS data center.

Incident Response

Information security incidents have the potential to negatively impact members of the University community and harm the University’s reputation. Therefore, it is important that all information security incidents are handled confidentially and appropriately. All information security incidents will be handled in accordance with the Incident Response Policy.

Risk Assessment

Security incidents are more likely to occur when there are unknown and unaddressed risks and vulnerabilities in information systems. Therefore, risk assessments will be conducted in accordance with the ITS Risk Assessment Process. In addition, the IT Security Team will periodically perform vulnerability assessments, per the Vulnerability Assessment Policy.

Network Security

All networking devices procured through, operated, or contracted by the University will be configured in accordance with the Router & Switch Security Standard, the Network Firewall Policy, or the Wireless Access Point Policy, depending on the type of device.

Computer Security

All workstations, desktops, and laptops procured through, operated, or contracted by the University will be configured in accordance with the Computer Security Standard and the Password Standards.

Server Security

All servers procured through, operated, or contracted by the University will be configured in accordance with the Computer Security Standard and the Password Standards.

Antivirus

Viruses and other malicious programs can compromise the confidentiality, integrity, and availability of information resources. All systems connected to University networks shall abide by the Antivirus Policy.

Key Management

All systems that store Detroit Mercy Protected data will encrypt said data using appropriate encryption techniques, as defined within the Encryption Policy.

Log Management Standard

System logs are required to enable effective troubleshooting of system problems and are a required component of the incident response process. All systems that store, transmit or process Detroit Mercy Protected data shall abide by the Log Management Standard.

Policy adherence:

Failure to follow this policy can result in disciplinary action as provided in the Student Handbook and Employee Policies & Procedures. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Exceptions:

Exceptions to this policy will be handled in accordance with the Acceptable Use & Security Policy.

Emergencies:

In emergency cases, actions may be taken by the Information Security Incident Response Team (ISIRT) in accordance with the procedures in the Incident Response Policy. These actions may include rendering systems inaccessible.

Definitions:

Server – a software program, or the computer on which that program runs, that provides a service to client software running on the same computer or on other computers on a network.

History:

June 1, 2021: Initial Policy