The Information Technology Division (ITD) at Chicago State University (CSU) will provide
security for all ITD/CSU managed Information Technology (IT) resources to ensure confidentiality,
integrity and availability of CSU operations.
This process defines responsibilities and general security measures specific to the
use of IT resources managed by ITD at CSU.
This process applies to all CSU purchased IT resources, including but not limited to
desktops, laptops, servers, printers, photocopiers, tablets, iPads, phones and network
devices.
Classification of Data
- Restricted: Information assets for which there are legal requirements for preventing disclosure
or financial penalties for disclosure. Data covered by federal and state legislation,
such as FERPA, HIPAA or the Data Protection Act, are in this class. Payroll, personnel,
and financial information are also in this class because of privacy requirements.
This policy recognizes that other data may need to be treated as high risk because
it would cause severe damage to the University if disclosed or modified. The data
owner should make this determination. It is the data owner's responsibility to implement
the necessary security requirements.
- Sensitive: Data that would not expose the University to loss if disclosed, but that the data
owner feels should be protected to prevent unauthorized disclosure. It is the data
owner's responsibility to implement the necessary security requirements.
- Public: Information that may be freely disseminated.
Note: Every effort should be made to avoid storing restricted or sensitive data locally
on end user devices. Data in these classifications should be stored on University
managed servers in the data center.
Classification of Users
- Administrator: Users that have administrative level access to IT resources, mainly from ITD and
key designated individuals from various Colleges.
- Power User: Users with elevated access to IT resources mainly to support end users in their respective
- End User: Users that have general access to IT resources to perform day to day tasks.
- Consultant/Contractor: Users who are not CSU employees but need access to IT resources for a specific period.
- Guest: Users who are not CSU employees but need access to IT resources, mainly in the general
purpose computer laboratories.
Note: IT resources are categorized as Physical, Logical and Communications. Physical resources
include but are not limited to desktop computers, portable computers, personal information
devices, and printers. Logical resources include computer software and data files
digitally or optically stored as well as information itself. Communication resources
include the capability to send messages either through the CSU internal network or
via the Internet.
Access Control Policy
- Access to University network systems and resources (wired and wireless) should be
authenticated with individual usernames and passwords.
- Login usernames for use of IT resources to conduct day-to-day operations should not
have administrator level access rights.
- Usernames and passwords should not be shared. ITD should be notified if a password
has been compromised so that the account can be disabled or the password reset.
- Passwords should have sufficient level of complexity. The definition of complexity
will be established by the Identity Management Team at CSU.
- Wherever possible, more than one person must have full rights to University owned
servers storing or transmitting restricted or sensitive data, so that no such server
depends on a single administrator.
- Users should not install non-standard software applications without informing ITD.
Such applications can introduce vulnerabilities that expose the system to viruses, malware
and other threats. Please review the “Guidelines to Purchase Technology Equipment at Chicago State University” document for the list of standard software applications supported by ITD.
- Passwords and restricted or sensitive data should not be sent via email unless they are encrypted.
- Default passwords must be changed immediately after an application or device is first installed.
- Terminated employees' accounts should be disabled immediately after their last day
of official work. Audit reviews should be conducted on a regular basis to ensure that
terminated employees do not have access to IT systems.
- Transferred employees' access must be reviewed and adjusted as needed.
- Access rights audit reports should be sent to unit leaders on a regular basis and request
- Monitoring must be implemented on all systems, including recording of successful and
failed logon attempts and the date and time of each logon and logoff.
- Individuals who have administrative system access should use less powerful accounts
for performing non-administrative tasks. There should be a documented procedure for
reviewing system logs.
- Systems which access or store restricted or sensitive information should be encrypted.
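The monitoring and log review items above say what must be recorded but not what a review of those records looks like. The following is an added example, not part of the CSU policy or any ITD tool: it assumes the records are OpenSSH messages in syslog format (an assumption; the policy names no log format), reads a constructed sample log embedded in the script, lists every successful logon with its timestamp, pairs logoffs with logons to give session durations, counts failed attempts per source and per account, and flags the one pattern a reviewer most wants surfaced, a source that succeeded after repeated failures. The year (syslog omits it) and the failure threshold of 3 are assumed values, not policy numbers.

```python
"""Log review for the monitoring requirement above: extract successful and failed
logons, logoffs and timestamps from sshd/syslog lines and flag brute-force patterns."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in OpenSSH/syslog format (illustrative, not real CSU data).
SAMPLE_LOG = """\
Mar  3 08:01:12 srv1 sshd[2201]: Accepted password for jdoe from 10.10.5.21 port 51022 ssh2
Mar  3 08:02:40 srv1 sshd[2210]: Failed password for admin from 198.51.100.7 port 40211 ssh2
Mar  3 08:02:43 srv1 sshd[2210]: Failed password for admin from 198.51.100.7 port 40211 ssh2
Mar  3 08:02:47 srv1 sshd[2211]: Failed password for invalid user oracle from 198.51.100.7 port 40230 ssh2
Mar  3 08:03:01 srv1 sshd[2212]: Failed password for admin from 198.51.100.7 port 40244 ssh2
Mar  3 08:03:05 srv1 sshd[2213]: Failed password for admin from 198.51.100.7 port 40250 ssh2
Mar  3 08:03:09 srv1 sshd[2214]: Accepted publickey for admin from 198.51.100.7 port 40260 ssh2
Mar  3 08:15:33 srv1 sshd[2201]: pam_unix(sshd:session): session closed for user jdoe
Mar  3 09:10:02 srv1 sshd[2300]: Accepted password for mlee from 10.10.5.30 port 52011 ssh2
"""

# Syslog prefix: timestamp (month, day, time; no year), host, "sshd[pid]: ".
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
ACCEPTED = re.compile(_PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
FAILED = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
CLOSED = re.compile(_PREFIX + r"pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")


def _parse_ts(ts, year):
    # Syslog timestamps omit the year, so the reviewer supplies it (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def review_auth_log(text, year=2024, fail_threshold=3):
    """Return logons, logoffs, failure counts and review flags for one log text.

    fail_threshold is an assumed review threshold, not a value from the policy."""
    logons, logoffs, flags = [], [], []
    failed_by_src, failed_by_user = Counter(), Counter()
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            logons.append((_parse_ts(m["ts"], year), m["user"], m["src"], m["method"]))
            # A success from a source that already failed repeatedly is the
            # pattern a reviewer most wants to see: a guess that eventually worked.
            if failed_by_src[m["src"]] >= fail_threshold:
                flags.append(f"{m['src']} logged on as {m['user']} "
                             f"after {failed_by_src[m['src']]} failures")
            continue
        m = FAILED.match(line)
        if m:
            failed_by_src[m["src"]] += 1
            failed_by_user[m["user"]] += 1
            continue
        m = CLOSED.match(line)
        if m:
            logoffs.append((_parse_ts(m["ts"], year), m["user"]))
    for src, n in failed_by_src.items():
        if n >= fail_threshold:
            flags.append(f"{src}: {n} failed logons (threshold {fail_threshold})")
    return {"logons": logons, "logoffs": logoffs, "flags": flags,
            "failed_by_source": dict(failed_by_src), "failed_by_user": dict(failed_by_user)}


def session_durations(report):
    """Pair each logoff with the latest earlier logon of the same user;
    yields (user, logon time, logoff time, seconds)."""
    out = []
    for off_t, user in report["logoffs"]:
        prior = [t for t, u, _, _ in report["logons"] if u == user and t <= off_t]
        if prior:
            on_t = max(prior)
            out.append((user, on_t, off_t, int((off_t - on_t).total_seconds())))
    return out


if __name__ == "__main__":
    rep = review_auth_log(SAMPLE_LOG)
    for t, user, src, method in rep["logons"]:
        print(f"{t:%Y-%m-%d %H:%M:%S} logon  {user:<8} from {src} ({method})")
    for user, on_t, off_t, secs in session_durations(rep):
        print(f"{off_t:%Y-%m-%d %H:%M:%S} logoff {user:<8} session {secs}s")
    for flag in rep["flags"]:
        print("FLAG:", flag)
```

On the sample, the script lists three logons, one 861-second session for jdoe, and two flags for 198.51.100.7: five failures against admin and an unknown account, followed by a successful publickey logon as admin from the same source. A documented review procedure would state who runs this kind of report, how often, and what happens when a flag fires; the thresholds and the log source are the parts each unit must fix for its own systems.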
Internet Security Policy
- Transfer of data classified as restricted or sensitive should be made over encrypted
connections only (for example TLS or SSH based transfer) in order to protect the contents.
- Transfer of University data over the Internet should be done using University provided
accounts; it should not be done using personal accounts.
In certain cases, compliance with specific policy requirements may not be immediately
possible. Reasons include, but are not limited to, the following:
- Required commercial or other software in use is not currently able to support the
- Legacy systems are in use which do not comply, but near-term future systems will,
and are planned for;
- Costs for reasonable compliance are disproportionate relative to the potential damage.
In such cases, units must develop a written explanation of the compliance issue and
a plan for coming into compliance with the University's Information Security Policy
in a reasonable amount of time. Explanations and plans must be submitted to the CIO.