Information Security Policy Summary


The ASU Information Security Policy outlines roles, responsibilities, and key measures needed to effectively management risks related to University information resources.
The University depends on Information resources including applications, systems, and data to conduct our mission and achieve our strategic objectives. These assets are often imperiled by a number of risks like computer hacking, environmental threats, and simple accidents. Because of this fact, it is important that we maintain reasonable and consistent security measures to address these risks. One of the most important ways we achieve this is by remembering that Information Security is a shared responsbility. All ASU faculty and staff have a role to play in helping to protect our shared resources and data. For more information our individual security responsiblities, please see the links listed below.

How was this policy developed?

This policy was developed by the ITS Office of Information Security in consultation with the Information Security Advisory Council, Faculty Senate, Staff Senate, Student Government Association,  and numerous leadership and campus technology teams.

What do we need to know?

University Employees

As University employees we must be aware of the responsibilities that are defined for us in the Information Security policy. There are three primary responsibilities that we all share to help protect ASU information resources including both digital and printed information:
1. Awareness and adherence to information security policies and standards
Security requirements change over time. We are all expected to periodically to read updates and review materials related to best practices or required measures needed to help protect University information resources.
2. Attending Information Security Training.
To protect ourselves and ASU against cyber threats, we must remain conscious of risks, fraudulent activities, and best practices that help reduce risks to University information. To meet this objective, the ITS Office of Inforamation Security offers security training opportunities for all University employees.
3. Reporting Potential Information Security Incidents or Issues.
If we have reason to suspect that University Information Resources may have been exposed to unauthorized individuals, lost/stolen, or be exposed to significant risks, then it is our obligation to report this so that the situation can be quickly reviewed to limit impact.

Deans and Department Heads

Under the Information Security Policy, University Dean's and Department Heads have the following responsibilities .
1. Ensuring that reporting units adhere to information security policies and standards.
As unit leads, we have responsibility to make sure that our areas' internal business processes and procedures are consistent and informed by relevant Univ. policies and standards. This includes ensuring that our unit level treatment of University data and information systems is consistent with Information Security Policies and Standards.
2. Ensuring that reporting staff receives relevant security training.
Deans and Department Heads have a responsibility to ensure that reporting staff attend security training relevant to their their role and degree of access to sensitive Unviersity data and systems.
3. Ensuring Information Security Liasons are appointed for all reporting units (see below).
Deans and Departments Heads also have a responsibility to appoint a representative to the IT Security Liaisons group. This group is composed of University technical professionals who have responsibilities for building, maintaining, and operating University information systems.

IT Professionals

As IT Professionals, we have a responsbility to ensure that University information resources (i.e. servers, applications, networking devices) are configured and managed in a manner that it consistent with the Univeristy Information Security Policy and associated standards. To achieve this, some of our core responsibilities include:

1. Coordinating with our unit Information Security Liasons (ISL)
Every campus unit that maintains or manages IT services will have a designated Information Security Liason (ISL) assigned to ensure that security efforts are coordinated with the ITS Office of Information Security. University IT Professionals need to work with their ISL to help ensure that their units IT resources are protected in a manner consistent with standards and associated requirements.

2. Incident Response Assistance
In the event of a significant security incident, ASU IT Professionals may need to work closely with their ISL and the ASU Computer Security Incident Response team(CSIRT). The ASU CSIRT has authority to centrally management all University information security incidents. In these instances, our responsibility is to work in unision with these group and not take individual actions without appropriate communication and coordination.

3. Technical Security Training
As IT professionals, we frequently require privileged access to University Information Systems and Data to do our jobs. Because of our level of access, it is important that we periodically participate in more detailed technical training concerning security issues and concerns.