DePaul Office of Institutional Compliance
St. Vincent de Paul Managing for the Mission: It's Everybody's Business
Management Standards Handbook
Information Responsibilities

Information Security Policy

The Information Security Policy helps ensure the security, availability, privacy and integrity of DePaul's information systems, networks and data. It also outlines the procedures for reporting breaches of information security and for ensuring compliance with various federal and state laws.

Every member of the DePaul community must report all information security breaches and any loss or improper use of DePaul data, systems or devices.

Managers must also ensure proper oversight of outside service providers with access to confidential DePaul data. DePaul is required to enter into a contract with these outside service providers and have it reviewed by the Office of the General Counsel, regardless of dollar amount or contract duration. Before releasing data to a service provider, managers must work with the director of Information Security to confirm that the service provider can maintain protective data safeguards.

Remember: Regardless of the dollar amount involved, before sharing any DePaul data with an outside party, a contract must be entered into and reviewed by the Office of the General Counsel and the director of Information Security must be consulted.

Passwords

Every employee is responsible for maintaining the confidentiality of his or her own password. Passwords are one of the main mechanisms guarding confidential and critical information on the university’s systems. Do not share passwords with others or write them down. To ensure security, it is recommended that employees change their passwords every 90 days. Managers who violate security policies by sharing their passwords will be held accountable for actions taken under their User ID.

Remember: Passwords must be a minimum of eight characters in length. They must contain at least one numeric and one special character. To ensure your password cannot easily be guessed, avoid using passwords close to your name, family members’ names or other obvious choices.

Access to and Responsible Use of Data

Information resources, including any accessible data, can only be used for legitimate educational or business purposes for the university.

Remember: Access to internal-sensitive data is granted only by the written authorization of the appropriate data steward and upon completion of a request for data access.




Securing Privacy

Since DePaul is a higher education institution, it operates under the Family Educational Rights and Privacy Act (FERPA). This act protects the privacy of student education records and applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

Managers are responsible for observing any legal or ethical restrictions that may apply to data accessible to everyone in their area, and for abiding by applicable federal, state or local laws governing the access, use or disclosure of information.

Remember: You are responsible for ensuring the confidentiality of data and the privacy of individuals at all times.


Business Continuity

Managers should ensure that their mission-critical information is backed up on a regular basis and that recovery procedures for that information are established. If an area has department-specific servers, software or databases housed within its department, IS advises creating a plan to recover these services in the event of a disaster. For example, keep a copy of the software and databases off-site, and document plans for replacement of any necessary equipment.


Records Management

Managers whose jobs include dealing with the handling and retention of university records are responsible for knowing and following local, state or federal guidelines pertaining to records retention for their area. In addition, managers are responsible for following DePaul's Records Management Policy and Records Retention Schedule. This means that managers must know who the Records Coordinator is for their department or college and be in regular contact with that person regarding the retention and destruction of records.

Managers should notify either their department's Records Coordinator or the Records Management Department if they become aware of any changes for their area that need to be reflected on the Records Retention Schedule, including any official records that are not accounted for on the Schedule.

Managers are also required to ensure that any records containing covered data as defined in DePaul's Information Security Policy are retained and destroyed in a confidential manner.


Legal Hold and Record Preservation

Under certain circumstances, including when legal action involving the university is commenced or reasonably anticipated, the university must preserve all documents and information that may be relevant to the matter. As soon as the Office of the General Counsel is made aware of circumstances giving rise to this obligation, a "Legal Hold" directive will be issued to the key record custodians.

The Legal Hold directive overrides any records retention or destruction cycle that may have otherwise required or allowed for the transfer, alteration, disposal or destruction of documents and information. Once a Legal Hold directive has been issued, documents and information subject to the Legal Hold may not be transferred, altered, disposed of, or destroyed until the Legal Hold is removed by the Office of the General Counsel.

Individuals who have been notified of a Legal Hold may not transfer, alter, dispose of, or destroy any document or information that falls within the scope of the Legal Hold. Violation of the Legal Hold may subject the individual to disciplinary action, up to and including dismissal for employees, as well as potential legal sanction by the applicable court or law enforcement agency.


External Communications

Unless specifically designated to speak on behalf of DePaul, managers should refer media inquiries to DePaul’s media relations staff.



Copyright

The university’s bookstores are the only authorized locations for the sale of copyrighted materials. Before photocopied materials can be sold in the university’s bookstores, copyright permission must be obtained; it is available through Distribution Services or directly from the copyright holder.

Establishing a University Policy

Policies and procedures are created by the university to guide the members of DePaul in the conduct of necessary university functions. Some policies and procedures are legally required, while others are developed based on experience and higher education standards.

The Office of the Secretary should be contacted to coordinate the policy development and approval process.

Individual schools, colleges and departments may also establish unit-specific policies and procedures as long as they do not conflict with any university policies and procedures. These policies and procedures should always be made public to the members of the unit.

Faculty Council has responsibility for the university’s academic policies, and the Student Affairs Division has responsibility for policies affecting student life.

Remember: Contact the Office of the Secretary if you feel a new policy is needed.

University Endorsements

Including the DePaul name with an event, project or publication implies a close connection with the university, such as sponsorship or an endorsement. Before using the DePaul name, approval should be obtained from the associate vice president for Public Relations or the associate vice president for Marketing Communications.

Remember: Members of the DePaul University community have a responsibility to protect its name.






© 2004 | DePaul University
1 E. Jackson, Chicago, IL 60604 | (312) 362-6880