Revised 1/11/07

PURPOSE
The University is steadily becoming more dependent on computerized information systems.  Implementation of more sophisticated technologies implies better service-levels and increasing automation of operational and managerial procedures. Consequently, the University becomes more vulnerable to interruption and corruption of computing resources.

Protection of these resources from deliberate and/or accidental unauthorized access, use or modification is a major concern. Security of resources depends on some combination of access control measures, for which certain users possess keys.  No combination provides absolute security.  Ultimately, the level of security provided at any particular installation must result from a conscious decision weighing the trade-offs between the perceived risk, the cost of reducing that risk and the associated benefit from the risk reduction. The policy identifies the responsibilities of University organizational units with respect to these issues.

POLICY
The Vice President for Information Technology is responsible for providing the means for accomplishing physical and logical security for the hardware, software and data under the direct control of his/her department.

Users are responsible for providing physical and logical security for University resources under their direct control.  In this context, each University organizational unit (including Information Technology) as well as sub units, is considered a user.

Physical security includes but is not limited to:
-  Controlling access to computer hardware.
-  Preventing service interruptions (power, hardware failure).
-  Planning for disaster and other contingencies.

Logical security includes but is not limited to:
-  Controlling access to and use of software and data.
-  Recovering data, transmissions and software.
-  Archiving data, software and documentation.

PROCEDURE
The Chief Security Officer will coordinate ongoing efforts to identify security issues, develop and distribute standards and procedures, and implement both immediate and long range security and control means and strategies. Consultation will be provided, upon request, to the user for areas under his/her direct control.

Physical and logical security status will be monitored, and violations will be reported to the appropriate level of authority.