Information Technology Security Policy

Policy
Purpose: 

This Information Security Policy (“Policy”) defines the security requirements that everyone who works at KUL is expected to be familiar with and consistently follow. These security measures are set forth to avoid problems that affect the Confidentiality, Integrity, and Availability of information and systems at the University.

The Policy is an important part of the University’s efforts to create a secure environment in which to carry out the mission of the University. Security requires the participation of each constituent who comes into contact with University information or systems.

Applies to: 

This policy applies to all individuals who are issued a KU Online ID. This policy applies to any device owned by the University or any device used for University business by faculty, staff, students, and affiliates. This policy applies to any device that obtains an Internet Protocol (IP) address from the University.

Campus: 
Lawrence
Edwards
Parsons
Juniper Gardens
Yoder
Topeka
Policy Statement: 

The KU Information Technology Security Office (ITSO) shall be authorized to evaluate the seriousness and immediacy of any threat to information resources and to take action to mitigate that threat, including disconnection of information resources. ITSO shall evaluate the impact of disrupting service when devising an action plan that mitigates any threat.

This policy shall be supported by standards documents that set forth the detailed requirements that apply to individuals, devices, and systems. 

Responsibilities

KU Information Technology Security Office

The KU Information Technology Security Office (ITSO) shall investigate Security Events and respond to Security Incidents in accordance with established procedures.

ITSO shall cultivate awareness of security issues and vulnerabilities within the University.

ITSO shall assess risks to University systems as defined by this policy in accordance with established procedures.

Information Technology Staff

All Information Technology staff must sign the Information Technology Employee Privileged Access and Confidentiality Agreement.

Authorized Users of Information Technology

All authorized users share in responsibility for information security by following all applicable security policies and procedures.

Users must report any discovered unauthorized access attempts or other improper usage of KU information resources. Report observed or suspected violations to the IT Customer Service Center (864-8080; itcsc@ku.edu).

Computer Security Incident Response Team (CSIRT)

The CSIRT shall be responsible for the detection, containment, and eradication of threats, and recovery of compromised devices and restoration of affected services during an incident. The CSIRT shall be responsible for coordinating evidence gathering and documentation, and for seeking legal and public affairs advice when appropriate during an incident.

Exclusions or Special Circumstances: 

Variances to this Policy shall only be allowed if previously approved by the KU Information Technology Security Office and this approval is documented and verified by the Chief Information Officer.

Consequences: 

Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.

Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

Contact: 

Chief Information Officer
343 Strong Hall
1450 Jayhawk Blvd
Lawrence, KS 66045
(785) 864-4999
kucio@ku.edu

Approved by: 
Provost and Executive Vice Chancellor
Approved on: 
Friday, May 23, 2003
Effective on: 
Friday, May 23, 2003
Review Cycle: 
Annual (As Needed)
Definitions: 

Authorized users are (1) current faculty, staff, students, and affiliates of the University and (2) others whose temporary access furthers the mission of the University. Authorized users gain access to University resources through the hiring process, the student admissions process, designation as a University “affiliate”, or as a guest or vendor upon approval by a University administrator.

Security Event is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Security Incident is a Security Event that is declared to be a Security Incident according to established procedure.

University affiliates are people and organizations associated with the University through some form of formalized agreement.

Keywords: 
security incident
Review, Approval & Change History: 

3/5/2015:  Made update to Related Documents section.

10/07/2014:  Updated to reflect current organizational requirements and consistency with ITEC7230A.

08/07/2009:  Updated to reflect Legislative Post Audit requirements.

Information Access & Technology Categories: 
Privacy & Security

Moderation History

Updated: March 25, 2015 - 17:19

Log message: Edited by easan@ku.edu. Updated contact information.

Updated: March 13, 2015 - 13:12

Log message: Edited by easan@ku.edu. Updated contact information.
