Information Security Policies
This is a summary of important Information Security policies set forth by the University. All policies are located at: https://www.utep.edu/information-resources/iso/policies/
- Backup and Disaster Recovery: "All UTEP Data, including Data associated with research, must be backed up in accordance with Risk management decisions implemented by the Data Owner." -- Standard 6
- Data Classification: "All university data stored, processed, or transmitted on university resources or other resources where university business occurs must be classified into one of the three categories." -- Standard 9
  - "CONFIDENTIAL – Data protected specifically by Federal or State or University of Texas rules and regulations (e.g., HIPAA; FERPA; U.S. Export Controlled information; Sarbanes-Oxley, Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Policies; specific donor and employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.). Previously referred to as Category I."
    CONFIDENTIAL data CANNOT be stored on non-approved cloud storage services (Dropbox, Google Drive, etc.). The only authorized cloud service for CONFIDENTIAL data is the university-contracted Microsoft OneDrive storage service.
  - "CONTROLLED – Data not otherwise identified as Confidential data, but which are releasable in accordance with the Texas Public Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release. Previously referred to as Category II."
    CONTROLLED data CANNOT be stored on non-approved cloud storage services (Dropbox, Google Drive, etc.). The only authorized cloud service for CONTROLLED data is the university-contracted Microsoft OneDrive storage service.
  - "PUBLISHED – Data not otherwise identified as Confidential or Controlled data (e.g., publicly available). Such data have no requirements for confidentiality, integrity, or availability. Previously referred to as Category III."
- Safeguarding Data: "[Protect] University Data using appropriate administrative, physical, and technical controls..." -- Standard 11
  - "Data Owners must maintain an inventory and have documentation of all systems that house Confidential University Data;"
  - "Confidential documents must not be left in easy to access areas..."
  - "Computing devices left ON while unattended shall have a screen saver enabled that is password-protected and adheres to the University minimum password requirements;"
  - "Accounts and passwords must not be shared under any circumstances;"
  - "Storage of Confidential University Data on electronic media must be encrypted or password protected;"
  - "Confidential University Data may not reside on devices that do not adhere to the system security standards established by the University;"
  - "Confidential University Data may not be transported outside of the United States without the prior approval of the Information Security Office (ISO);"
  - "Purchase of portable storage devices must include encryption technology compatibility with University encryption standards and policies. All Confidential or Controlled University Data that is stored or transported on portable media must be encrypted in accordance with University policies. Security Exceptions to this policy must be submitted to the Chief Information Security Officer (CISO) for approval."
  - "All desktop computers purchased after September 1, 2013 must be Password protected and encrypted, regardless of data classification..."
  - "All laptop computers and other portable computing devices, including but not limited to mobile and smart phones, and tablet computers, that are owned, leased, or controlled by the University, must be encrypted, regardless of data classification..."
  - "USB thumb drives and similar removable storage devices owned, leased, or controlled by the University must be encrypted... before storage of any Confidential or Controlled University Data on the device."
  - "Specific permission must be obtained from the Department Head, Chair or Dean AND the CISO before a user may store Confidential or Controlled University Data on any personally owned computers, mobile devices, USB thumb drives, or similar devices. Such permission should be granted only upon demonstration of a business need and an assessment of the risk introduced by the possibility of unauthorized access or loss of the data. All personally owned computers, mobile devices, USB thumb drives, or similar devices must be Password protected and encrypted... if they contain any of the following types of University Data:"
    - "Information made confidential by Federal or State law, regulation, or other legally binding order or agreement;"
    - "Federal, State, University, or privately sponsored Research that requires confidentiality or is deemed sensitive by the funding entity; or"
    - "any other Information that has been deemed by UTEP as essential to the mission or operations of UTEP to the extent that its Integrity and security should be maintained at all times."
  - "[Encryption] exceptions must be filed with the Information Security Office in the event of hardware compatibility conflicts, technology limitations for certain types of devices, etc..."
  - "Data and device owners are responsible for ensuring that encrypted data will be accessible in the event decryption keys or related credentials become lost or forgotten and no other copy of the data is available."
  - "For personally owned devices, the device owner is responsible for ensuring that encrypted Data is backed up to University owned or sanctioned storage..."
  - "All Confidential Data transmitted over the Internet must be appropriately encrypted;"
  - "Confidential Data transmitted between Institutions and Shared Data Centers must be appropriately encrypted;"
  - "Confidential Data transmitted or received must be deleted upon completion of the intended business objective unless otherwise subject to records retention..."
  - "UTEP must discard electronic devices and media containing University Data in a manner that adequately protects the confidentiality of the Data and renders it unrecoverable, such as overwriting or modifying the Electronic Media to make it unreadable or indecipherable or otherwise physically destroying the Electronic Media, and in accordance with the applicable UTEP Records Retention Schedule."
- Security Incident Management: "Security Incidents will be reported as required by State and Federal law and University Policy including U.T. System Information Security Incident Reporting Requirements." -- Standard 12
- Control and Protection of Social Security Numbers: "The University shall not utilize all or part of an individual’s Social Security Number unless required or permitted by Federal or State law. SSNs shall not be used as the primary identifier for basic campus services, unless required by statute. The SSN may be stored as a confidential attribute associated with an individual only if use of the SSN is essential for the performance of a mission related duty." -- Standard 13
- Information Services Privacy: "Users who are University employees, including student employees, or who are otherwise serving as an agent or are working on behalf of the University have no expectation of privacy regarding any University Data they create, send, receive, or store on University-owned computers, Servers, or other Information Resources owned by, or held on behalf of, the University unless expressly stated by Regent’s Rules... Users have no expectation of privacy regarding any University Data residing on personally owned devices, regardless of why the Data was placed on the personal device. Users must understand that they have no expectation of privacy in any personal information stored by the User on a System Information Resource, including University email accounts..." -- Standard 14