Information Technology Security Policy
This Information Security Policy (“Policy”) defines the security requirements that everyone who works at KUL is expected to be familiar with and consistently follow. These security measures are set forth to avoid problems that affect the Confidentiality, Integrity, and Availability of information and systems at the University.
The Policy is an important part of the University’s efforts to create a secure environment in which to carry out the mission of the University. Security requires the participation of each constituent who comes into contact with University information or systems.
This policy applies to all individuals who are issued a KU Online ID. This policy applies to any device owned by the University or any device used for University business by faculty, staff, students, and affiliates. This policy applies to any device that obtains an Internet Protocol (IP) address from the University.
The KU Information Technology Security Office (ITSO) shall be authorized to evaluate the seriousness and immediacy of any threat to information resources and to take action to mitigate that threat, including disconnection of information resources. ITSO shall evaluate the impact of disrupting service when devising an action plan that mitigates any threat.
This policy shall be supported by standards documents that set forth the detailed requirements that apply to individuals, devices, and systems.
KU Information Technology Security Office
The KU Information Technology Security Office (ITSO) shall investigate Security Events and respond to Security Incidents in accordance with established procedures.
ITSO shall cultivate awareness of security issues and vulnerabilities within the University.
ITSO shall assess risks to University systems as defined by this policy in accordance with established procedures.
Information Technology Staff
All Information Technology staff must sign the Information Technology Employee Privileged Access and Confidentiality Agreement.
Authorized Users of Information Technology
All authorized users share in responsibility for information security by following all applicable security policies and procedures.
Users must report any discovered unauthorized access attempts or other improper usage of KU information resources. Report observed or suspected violations to the IT Customer Service Center (864-8080; firstname.lastname@example.org).
Computer Security Incident Response Team (CSIRT)
The CSIRT shall be responsible for the detection, containment, and eradication of threats, and recovery of compromised devices and restoration of affected services during an incident. The CSIRT shall be responsible for coordinating evidence gathering and documentation, and for seeking legal and public affairs advice when appropriate during an incident.
Variances to this Policy shall only be allowed if previously approved by the KU Information Technology Security Office and this approval is documented and verified by the Chief Information Officer.
Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
Chief Information Officer
343 Strong Hall
1450 Jayhawk Blvd
Lawrence, KS 66045
Authorized users are (1) current faculty, staff, students, and affiliates of the University and (2) others whose temporary access furthers the mission of the University. Authorized users gain access to University resources through the hiring process, the student admissions process, designation as a University “affiliate”, or as a guest or vendor upon approval by a University administrator.
Security Event is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Security Incident is a Security Event that is declared to be a Security Incident according to established procedure.
University affiliates are people and organizations associated with the University through some form of formalized agreement.
3/5/2015: Made update to Related Documents section.
10/07/2014: Updated to reflect current organizational requirements and consistency with ITEC7230A.
08/07/2009: Updated to reflect Legislative Post Audit requirements.