 |
Information Responsibilities
Information Security Policy
The Information Security Policy helps ensure the security, availability, privacy and integrity of DePaul's information systems, networks and data, as well as outline the procedures for reporting breaches of information security and ensuring compliance with various federal and state laws.
Every member of the DePaul community must report all information security breaches and any loss or improper use of DePaul data, systems or devices.
Managers must also ensure proper oversight of outside service providers with access to confidential DePaul data. DePaul is required to enter into a contract with these outside service providers and have it reviewed by the Office of the General Counsel, regardless of dollar amount or contract duration. Before releasing data to a service provider, managers must work with the director of Information Security to confirm that the service provider can maintain protective data safeguards.
Remember: Regardless of the dollar amount involved, before sharing any DePaul data with an outside party, a contract must be entered into and reviewed by the Office of the General Counsel and the director of Information Security must be consulted.
Passwords
Every employee is responsible for maintaining the confidentiality of his or her own password. Passwords are one of the main mechanisms guarding confidential and critical information on the university’s systems. Do not share passwords with others or write them down. To ensure security, it is recommended that employees change their passwords every 90 days. Managers who violate security policies by sharing their passwords will be held accountable for actions taken under their User ID.
Remember: Passwords must be a minimum of eight characters in length. They must contain at least one numeric and one special character. To ensure it cannot easily be guessed, avoid using passwords close to your name, family members’ names or other obvious choices.
Access to and Responsible Use of Data
Information resources, including any accessible data, can only be used for legitimate educational or business purposes for the university.
Remember: Access to internal-sensitive data is granted only by the written authorization of the appropriate data steward and upon completion of a request for data access.
Securing Privacy
Since DePaul is a higher education institution, it operates under the Family Educational Rights and Privacy Act (FERPA). This act protects the privacy of student education records and applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Managers are responsible for observing any legal or ethical restrictions that may apply to data accessible to everyone in his or her area, and for abiding by applicable federal, state or local laws governing the access, use or disclosure of information.
Remember: You are responsible for ensuring the confidentiality of data and the privacy of individuals at all times.
Business Continuity
Managers should ensure that their mission-critical information is backed up on a regular basis and that recovery procedures for that information is established. If an area has department-specific servers, software or databases housed within their department, IS advises creating a plan to recover these services in the event of a disaster. For example, keep a copy of the software and databases off-site, and document plans for replacement of any necessary equipment.
Records Retention (paper and electronic)
Managers are responsible for knowing and following local, state or federal guidelines pertaining to records retention for their area. DePaul is reviewing a more detailed records retention policy to provide additional guidance to managers whose records are not subject to governmental regulation.
External Communications
Unless specifically designated to speak on behalf of DePaul, managers should refer media inquiries to DePaul’s media relations staff.
Copyright
The university’s bookstores are the only authorized locations for the sale of copyrighted materials. Before photocopied materials can be sold in the university’s bookstores, copyright permission must be obtained through Distribution Services or directly from the copyright holder.
For copyright issues related to library reserves and materials used in course management software, visit: http://distributionservices.depaul.edu/HighVolumeCopying/index.html.
This resource will assist in obtaining copyright permission for such materials.
Establishing a University Policy
Policies and procedures are created by the university to guide the members of DePaul in the conduct of necessary university functions. Some policies and procedures are legally required, while others are developed based on experience and higher education standards.
The Office of the Secretary should be contacted to coordinate the policy development and approval process.
Individual schools, colleges and departments may also establish unit-specific policies and procedures as long as they do not conflict with any university policies and procedures. These policies and procedures should always be made public to the members of the unit.
Faculty Council has responsibility for the university’s academic policies, and the Student Affairs Division has responsibility for policies affecting student life.
Remember: Contact the Office of the Secretary if you feel a new policy is needed.
University Endorsements
Including the DePaul name with an event, project or publication implies a close connection with the university, such as sponsorship or an endorsement. Before using the DePaul name, approval should be obtained from the associate vice president for Public Relations or the associate vice president for Marketing Communications.
Remember: Members of the DePaul University community have a responsibility to protect its name.
|
