Information Technology Security Policy
This Information Security Policy (“Policy”) defines the security requirements that everyone who works or studies at the KU Lawrence campus and all reporting units is expected to be familiar with and consistently follow. These security measures are set forth to avoid problems that affect the Confidentiality, Integrity, and Availability of information and systems at the University.
This policy applies to all individuals who are issued a KU Online ID. This policy applies to any device owned by the University or any device used for University business by faculty, staff, students, and affiliates. This policy applies to any device that obtains an Internet Protocol (IP) address from the University.
The KU Information Technology Security Office (ITSO) shall be authorized to evaluate the seriousness and immediacy of any threat to information resources and to take action to mitigate that threat, including disconnection of information resources. ITSO shall evaluate the impact of disrupting service when devising an action plan that mitigates any threat.
This policy is an important part of the University’s efforts to create a secure environment in which to carry out the mission of the University. Security requires the participation of each constituent who comes into contact with University information or systems.
This policy shall be supported by standards documents that set forth the detailed requirements that apply to individuals, devices, and systems.
Responsibilities:
KU Information Technology Security Office
The KU Information Technology Security Office (ITSO) shall investigate Security Events and respond to Security Incidents in accordance with established procedures.
ITSO shall cultivate awareness of security issues and vulnerabilities within the University. All KU faculty and staff are required to complete annual security awareness training.
ITSO shall assist Internal Audit to assess risks to University systems as defined by Security Procedure: Risk and Vulnerability Assessments.
The Information Technology Security Office (ITSO) will determine the security specifications and standards for devices connected to the University data network. Devices connected to the University network will be reviewed on a regular basis for the latest operating system and application security patches applicable to each device as well as the latest anti-virus software. Devices not compliant with IT Security Office standards may be disconnected from the University network.
Information Technology Staff
All Information Technology staff must sign the Access to Confidential Data Agreement for University of Kansas Information Technology Employees.
Authorized Users of Information Technology
All authorized users share in responsibility for information security by following all applicable security policies and procedures.
Users must report any discovered unauthorized access attempts or other improper usage of KU information resources. Report observed or suspected violations to the IT Customer Service Center at 785-864-8080 or itcsc@ku.edu.
Variances to this Policy shall only be allowed if previously approved by the KU Information Technology Security Office and such approval is documented and verified by the Chief Information Officer.
Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, students, and affiliates may also be subject to the discontinuance of specified information technology services based on the policy violation.
Chief Information Officer
1001 Sunnyside Ave.
Lawrence, KS 66045
(785) 864-4999
kucio@ku.edu
Authorized users: (1) current faculty, staff, students, and affiliates of the University and (2) others whose temporary access furthers the mission of the University. Authorized users gain access to University resources through the hiring process, the student admissions process, designation as a University “affiliate”, or as a guest or vendor upon approval by a University administrator.
Security Event: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Security Incident: A Security Event that is declared to be a Security Incident according to established procedure.
University affiliates: People and organizations associated with the University through some form of formalized agreement.
05/22/2018: Clarified responsibilities of IT Security Office.
03/05/2015: Made update to Related Documents section.
10/07/2014: Updated to reflect current organizational requirements and consistency with ITEC7230A.
08/07/2009: Updated to reflect Legislative Post Audit requirements.