Information Security Policy (T10-089)

Doc. T10-089
Passed by the Board of Trustees on December 8, 2010

Purpose, Scope, and Applicability

Information is a critical asset of the University of Massachusetts and protecting information assets and their related processing systems is the primary goal of the University of Massachusetts Information Security Policy Statement. All information created or used in support of the University of Massachusetts business is considered university information. University information will be protected from accidental, malicious or unauthorized disclosure, misuse, modification, destruction, loss and/or damage.

By identifying and monitoring security risks and mitigating the risks through the implementation of information security controls, the security environment at the university is enhanced and trust is established between the university and our customers and regulators.

Policy Statement & Security Controls

This policy statement is established to protect the assets and interests of the University, to increase overall information security awareness and to ensure a coordinated approach for implementing, managing and maintaining a control environment based on industry best practices. This policy statement sets the direction for protecting information and IT resources owned and used by the University of Massachusetts, its employees, subsidiaries, affiliates, service providers and customers.

This policy requires security controls based on ISO/IEC 27002, the information security standard and framework published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This internationally recognized set of security standards addresses various security requirements, including risk assessment and treatment, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, incident management, business continuity and compliance.

Information security controls are to be developed and published to ensure university information is adequately protected. These controls are to be reviewed and updated as needed to ensure continued compliance with industry best practices and regulatory requirements. The information security controls apply to all departments, data processing platforms and systems owned, leased or managed by the University of Massachusetts or by third party providers.

UMass Information Security Governance

The University of Massachusetts Information Security Policy Statement is approved by the Board of Trustees. The policy statement sets the direction for information security at UMASS.

The President shall develop and issue guidelines for campuses to follow in the implementation of this policy.

Additional details are included in the UMASS Written Information Security Plan (WISP). The WISP sets forth university procedures for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting university information assets and technology resources. The WISP is managed by the UMASS Information Security Council (ISC) at the direction of the Information Technology Leadership Council (ITLC).
