Information Security Policy
1. Program Scope and Purpose
The purpose of this policy is to ensure the protection of Palo Alto University’s information resources from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture.
This policy is applicable to all University students, faculty, and staff along with any other person granted use of Palo Alto University’s information resources. Every user of Palo Alto University’s information resources has some responsibility for the protection of these assets; some offices and individuals have very specific responsibilities.
This policy refers to all University information resources whether individually controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, operated, or contracted by the University. This includes networking devices, mobile devices, telephones, personal computers, workstations, and any associated peripherals and software, regardless of whether used for administration, research, teaching, or other purposes.
2. Principles of Information Security
The purpose of information security is to protect the information resources of the University from unauthorized access or damage. Information Security is concerned with Confidentiality, Integrity, and Availability of information.
- Confidentiality means that information can be accessed or modified only by authorized users, and only for authorized purposes.
- Integrity means that the information used in teaching, learning, research, and administration can be trusted to correctly reflect the reality it represents and has not been altered without authorization.
- Availability means that the University's information resources, including the network, hardware, software, facilities, infrastructure, and any other such resources, are available to support the teaching, learning, research, or administrative roles for which they are designated.
3. Classification of Information
All University information is classified into one of four protection levels based on sensitivity and risk. Each level is listed below together with the impact of disclosure or compromise that defines it.
P4 - High
University Information and related IT Resources whose unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations. Statutory, regulatory, and contract obligations are major drivers for this risk level. Other drivers include, but are not limited to, the risk of significant harm or impairment to PAU internal/external constituents based upon unintentional disclosure of personal information.
P3 - Moderate
University Information and related IT Resources whose unauthorized disclosure or modification could result in small to moderate fines, penalties, or civil actions. This includes Institutional Information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in moderate damage to PAU internal/external constituents; could have a moderate impact on the privacy of a group; could result in moderate financial loss; or could require legal action. This classification level also includes lower risk items that, when combined, represent an increased risk.
P2 - Low
University Information and related IT Resources that may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access.
P1 - Minimal
Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern. IT Resources for which the application of minimum security requirements is sufficient.
4. Roles and Responsibilities
a. Chief Information Officer - The Chief Information Officer is responsible for providing an interpretation of this and other related policies and for disseminating related information.
b. Compliance Committee - The Compliance Committee is an advisory group charged with oversight of policies and procedures, including those governing the protection and use of information at Palo Alto University.
c. Business and Data Owners - Business and Data Owners are responsible for the application of this policy and related policies to the systems, data, and other information resources under their care or control.
e. System Administrators - System Administrators are responsible for the application of this policy and related policies to the systems, information, and other information resources in their care at the direction of the Business and Data Owners.
f. System Developers and Integrators - System Developers and Integrators are responsible for the application of this policy and related policies to the systems, information, and other information resources in their care at the direction of the Business and Data Owners.
g. Users - Every user of Palo Alto University’s information resources is responsible for the application of this policy and related policies to the systems, information, and other information resources which they use, access, transmit or store.
h. Third-party Affiliates/Vendors - Palo Alto University expects all partners, consultants, and vendors to abide by Palo Alto University's information security and privacy policies. If non-public information is to be accessed by or shared with these third parties, they must be bound by contract to abide by Palo Alto University's information security and privacy policies.
5. Violations of Policy and Misuse of Information
Violations of this policy include, but are not limited to: accessing information to which the individual has no legitimate right; enabling unauthorized individuals to access information; disclosing information in a way that violates applicable policy, procedure, or other relevant regulations or laws; inappropriately modifying or destroying information; inadequately protecting information; or ignoring the explicit requirements of Data Owners for the proper management, use, and protection of information resources.
Violations may result in network removal, access revocation, corrective action, and/or civil or criminal prosecution. Violators may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to campus policies, codes of conduct, or other instruments governing the individual's relationship with the University. Recourse shall be available under the appropriate section of the employee's personnel policy or contract, or by pursuing the applicable legal procedure.
Document history: Information Security Policy. Created by David Leavitt. Revised by David Leavitt.