The purpose of the Information Technology Division (ITD) Data Security Plan is to
ensure that steps to safeguard data information use, storage and transmission are
- All access to computer servers/networks must be controlled through the use of accounts/passwords
or other ITD approved means.
- All storage devices must be destroyed or wiped clean of all information in such a
manner that will prevent the recovery of any data information when said devices are
transferred from one employee/department to another employee/department or deemed
obsolete/unusable. Storage devices defined as but not limited: Internal and external
hard drives; CD; DVD; flash or USB drives; diskettes; and zip drives.
- Physical access to key areas such as computer server rooms and storage areas must
be restricted to necessary personnel only. These areas are to be locked at all times.
- To protect data information from hackers and other forms of sabotage, the following
will be implemented:
- Anti-virus software and regular updates.
- Regular backups - full, incremental, etc.
- Provide onsite and offsite storage of backups.
- Web Security
- Secured Logins
- Monitoring by ITD staff of the computer servers and networks for any activity such
as hacking, theft of information, unauthorized access to systems and files, or any
activity that violates the integrity or interferes with the normal operation of the
University's computer system or the work of another user.
- The implementation of a University data information disaster recovery/contingency
plan to ensure adequate continuation of data information. The plan should be:
- Updated regularly.
- Tested regularly. All University personnel must adhere to the "Chicago State University
Computer and Information Code of Conduct Policy for Employees".
- All violations will be logged and modifications made to prevent future violations.
- Periodic assessment of firewalls, anti-virus software, and other security software
and devices by ITD. Recommendations for improvement must be given to the Chief Information
- Periodic assessment of all security violations and corrective actions taken.
- All policies, plans, and rules must be made public and available for viewing for all
users of data information. Examples include but are not limited to the Web, paper
copies in computer laboratories and offices.
REVIEWED: August 19, 2010