IT security policies are critical to the U’s mission

Pop quiz: Can you remember the last time you actually read the terms of use for an app or website?

If you’re the average user, probably not—if ever.

If you’re the average University of Utah faculty or staff member, then it’s also likely that you’ve never read the U’s information technology and IT security policies. It’s even possible that you didn’t know they exist. (You can find them in the university’s Regulations Library under Part 4: Information Technology.)

Broadly speaking, the U’s IT policies outline the proper use and protection of university resources and data. They apply to students, faculty, staff and affiliates, which means we all must follow them—and for good reason, too.

“The U has information technology and information security policies in order to comply with various laws and regulations, and to guide and protect employees from personal liability,” said Chief Information Security Officer Corey Roach, who oversees the Information Security Office (ISO) for the U and University of Utah Health. “They also help protect the information of our students and patients, and the university, so we can accomplish our mission.”

For example, the university follows the Family Educational Rights and Privacy Act (FERPA), which protects student data, and the Health Insurance Portability and Accountability Act (HIPAA), which protects patient information. The university also adheres to the Payment Card Industry (PCI) Data Security Standard, which ensures that the U and its organizations maintain a secure environment to accept, process, store, and transmit credit card information.

Additionally, the university follows certain federal frameworks, such as the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), in order to be competitive for research grants from the federal government.

“The University of Utah has a responsibility to its patients, faculty, staff, students and the data that we collect to ensure that it is handled and secured appropriately. And it takes the effort of every user on the network to ensure that is done in a proper manner,” said Laurent Lecointre, a data security analyst for ISO’s Governance, Risk & Compliance (GRC) team.

So which university IT regulations do you need to follow?

The answer depends on your role at the university, but in general, Roach said employees should be aware of and follow 4-001: University Institutional Data Management Policy, 4-002: Information Resources Policy and 4-004: Information Security Policy. (See below for simple summaries of each policy.)

Lecointre and GRC Data Security Analyst Ariel Baughman stressed the importance of the Information Security Policy, especially given the recent frequency of news reports about IT security incidents and cyberattacks. IT technicians, Lecointre said, need to be familiar with the entire policy and its associated rules. Faculty and staff working remotely—during the COVID-19 pandemic and beyond—also must comply with the policy.

“If they are accessing university data, the device they’re accessing that on must be in compliance with Policy 4-004,” he said. “That’s why we strongly encourage that users access institutional data only on devices managed by the university. It’s a good way to reduce risk to the organization.”

The takeaway, he added, is that employees should not use their personal devices to access university data. If you do, Baughman noted, the Telecommuting for Staff Employees Policy states that your devices must comply with all university policies—and that’s a tall order.

Assuming you use only U-owned devices, you may already meet many of the requirements in university policy depending on how they are configured. You, however, should be especially familiar with Rule 4-004A: Acceptable Use and Rule 4-004C: Data Classification and Encryption. The Data Classification and Encryption Rule defines what’s required in order to manage various levels of university data, while the Acceptable Use Rule describes the appropriate way to use the U’s IT resources.

“The vast majority of users should be familiar with the Acceptable Use Rule (4-004A)—don’t share your credentials with anybody—and that would probably get them about 90% of the way to compliance,” Lecointre said.

Unfortunately, the Acceptable Use Rule also is the U regulation that most people—knowingly or unknowingly—violate.
“We see a lot of students who share their login credentials with family members, and any type of account sharing it is prohibited by policy,” Lecointre said. “We also have encountered many instances in which supervisors have provided their usernames and passwords to their employees, so they can do the jobs that they need them to do without the supervisors having to be there to log in for them all the time. And that’s a big no-no.”

Failure to comply with any of the IT policies could result in action by Human Resources, up to termination. Policy also allows UIT to revoke a user’s network access, which can inconvenience students but have significant consequences for employees.

“If you’re a University of Utah employee and you are no longer allowed on our network, I don’t see how you can accomplish your job,” Lecointre said.

Ultimately, our jobs are to support the mission of the university and to do that, we must protect the university’s data and resources, as Roach noted earlier. That’s why it’s so important you know and follow the IT policies.

“A lot of times people view policy as a hurdle or a gate,” Lecointre said, “But I would really encourage our users to view policy as a resource that is there to help them do their job as opposed to a gate that’s keeping them from doing their job.”

IT policies, simplified

We know that policies may be somewhat confusing or overwhelming. To help you understand them a bit better, we’ve put together a few simple summaries for you.

Policy 4-001 explains your role in accessing, managing, and protecting university data. Most employees have access to university data based on the “need to know.”

Policy 4-002 outlines your role and responsibilities regarding the use of university data and information technology resources—think managed devices, cloud services like Box and Microsoft Teams, and the university network. If the U owns or manages it, this policy covers it.

Policy 4-004 outlines the minimum requirements that users must meet and information system owners must comply with to protect the university and its data. This policy ensures the protection of your personal information, and the university’s data and resources.

Resources

We’re here to help! The Information Security Office provides a number of resources, from training to direct outreach.

  • For questions about IT policies, contact the Governance, Risk & Compliance (GRC) team at iso-grc@utah.edu. GRC also provides training and education for U organizations.
  • To learn more about Security Champs, visit the program website.
  • For more information about IT training opportunities, visit the U’s learning platforms.