Information Security Plan

Purpose

The purpose of the Information Technology Division (ITD) Data Security Plan is to ensure that steps are established to safeguard the use, storage and transmission of data information.

  1. All access to computer servers/networks must be controlled through the use of accounts/passwords or other ITD approved means.
  2. All storage devices must be destroyed or wiped clean of all information in such a manner that will prevent the recovery of any data information when said devices are transferred from one employee/department to another employee/department or deemed obsolete/unusable. Storage devices are defined as, but not limited to: internal and external hard drives; CDs; DVDs; flash or USB drives; diskettes; and zip drives.
  3. Physical access to key areas such as computer server rooms and storage areas must be restricted to necessary personnel only. These areas are to be locked at all times.
  4. To protect data information from hackers and other forms of sabotage, the following will be implemented:
    • Firewall(s)
    • Anti-virus software and regular updates.
      1. Servers
      2. Microcomputers
    • Backups
      1. Regular backups - full, incremental, etc.
      2. Provide onsite and offsite storage of backups.
    • Web Security
    • Secured Logins
    • Monitoring by ITD staff of the computer servers and networks for any activity such as hacking, theft of information, unauthorized access to systems and files, or any activity that violates the integrity or interferes with the normal operation of the University's computer system or the work of another user.
  5. The implementation of a University data information disaster recovery/contingency plan to ensure adequate continuation of data information.  The plan should be:
    • Updated regularly.
    • Tested regularly.  All University personnel must adhere to the "Chicago State University Computer and Information Code of Conduct Policy for Employees".
  6. All violations will be logged and modifications made to prevent future violations.
  7. Periodic assessment of firewalls, anti-virus software, and other security software and devices by ITD. Recommendations for improvement must be given to the Chief Information Officer.
  8. Periodic assessment of all security violations and corrective actions taken.
  9. All policies, plans, and rules must be made public and available for viewing for all users of data information. Examples include, but are not limited to, the Web and paper copies in computer laboratories and offices.

REVIEWED:  August 19, 2010