Chapter 1: Information Resources Use and Security Policy
1.1 Introduction
The University of Texas at El Paso (also referred to as “UTEP”, “University” or “Institution”) relies on Information Resources to support its mission of achieving excellence in undergraduate and graduate education, research, and public service. These resources are critical to the University's academic, research, and business operations.
The Rules and Regulations governing the use and protection of Information Resources policies for the University are intended to supplement existing policies published by the Texas Department of Information Resources, The Board of Regents of The University of Texas System, and The University of Texas System, as well as to reinforce the Texas Computer Crimes Law and laws governing the use or misuse of state property.
1.2 Purpose
1.2.1 It is the purpose of this Policy to:
a. establish standards regarding the use and safeguarding of University Information Resources;
b. protect the privacy of individuals by preserving the confidentiality of Personally Identifiable Information (PII) entrusted to the University;
c. ensure compliance with applicable policies and state and federal laws and regulations regarding the management of risks to and the security of Information Resources;
d. appropriately reduce the collection, use, or disclosure of social security numbers contained in any medium, including paper records;
e. establish accountability;
f. educate individuals regarding their responsibilities associated with use and management of University Information Resources; and
g. serve as the foundation for the University’s Information Security Program and provide the Information Security Office with the authority to implement Policies, Standards, and Procedures necessary to implement an effective Information Security Program in compliance with this Policy.
1.3 Policy Statement
The University recognizes that its Information Resources are strategic and vital assets belonging to the people of Texas. Access to these resources shall be appropriately managed. It is the policy of the University to protect against risk of accidental or unauthorized access, disclosure, modification or destruction of Information Resources, to maintain the confidentiality, integrity and availability of Information Resources, and to take efforts to avoid obstacles which may impede University business, research or other functions of the University.
1.4 Applicability
1.4.1 This Policy applies to:
- all Information Resources owned, leased, operated, or under the custodial care of the University, organization, or facility;
- all Information Resources owned, leased, operated, or under the custodial care of third parties operating on behalf of the University, organization, or facility;
- Information Resources owned by others, such as political subdivisions of the state or agencies of the state or federal government, in which there is a statutory, contractual, or fiduciary duty to protect the resources while in University custody. If the owner has a more restrictive policy than these policies, then the owner's policy will control; and
- all individuals accessing, using, holding, or managing University Information Resources on behalf of the University.
1.5 Compliance with State Law
Information that is collected pursuant to or that is related to any University Information Security Program is subject to Texas Government Code, Section 552.139 and is therefore confidential by law. Accordingly, the University may not withhold information or fail to include information required by this Policy, the U.T. System Policy and/or Security Standards to be provided to or included in the University’s and/or U.T. System Information Security Program or for administration of program oversight.
1.6 Implementation
The University’s Chief Information Security Officer (“CISO”) is charged with implementation of this Policy.
1.7 Information Security Standards
1.7.1 The University shall implement and abide by the following Standards:
(a) UTEP Standard 1 Information Resources Security Responsibilities and Accountability
(b) UTEP Standard 2 Acceptable Use of Information Resources
(c) UTEP Standard 3 Information Security Programs
(d) UTEP Standard 4 Access Management
(e) UTEP Standard 5 Administrative/Special Access Accounts
(f) UTEP Standard 6 Backup and Disaster Recovery
(g) UTEP Standard 7 Change Management
(h) UTEP Standard 8 Malware Prevention
(i) UTEP Standard 9 Data Classification
(j) UTEP Standard 10 Risk Management
(k) UTEP Standard 11 Safeguarding Data
(l) UTEP Standard 12 Security Incident Management
(m) UTEP Standard 13 Use and Protection of Social Security Numbers
(n) UTEP Standard 14 Information Services (IS) Privacy
(o) UTEP Standard 15 Passwords
(p) UTEP Standard 16 Data Center Security
(q) UTEP Standard 17 Security Monitoring
(r) UTEP Standard 18 Security Training
(s) UTEP Standard 19 Server and Device Configuration and Management
(t) UTEP Standard 20 Software Licensing
(u) UTEP Standard 21 System Development and Deployment
(v) UTEP Standard 22 Vendor Controls and Compliance
(w) UTEP Standard 23 Security Control Exceptions
(x) UTEP Standard 24 Disciplinary Actions
1.8 Definitions
1.8.1 The following definitions are used within the context of this Policy and all University Standards established by this Policy.
(a) Authentication: A process used to verify one’s identity.
(b) Backup: Copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system failure or other data loss event.
(c) Centralized IT: The institutional information technology services and support organization, reporting to the highest-ranking information technology administrator/officer in the institution, that support institutional legacy administrative systems or enterprise resource planning (ERP) systems such as student administration (admissions, financial aid, registration, etc.), financial information systems, procurement systems, human resource systems, payroll, research administration (grants and contracts), Network Infrastructure, institutional electronic communications, video, library systems, etc.
(d) Change: Any addition or removal of, and any modification or update to, an Information Resource.
(e) Change Management: Process of controlling the communication, approval, implementation, and documentation of modifications to hardware, software, and procedures to ensure that information resources are protected against improper modification before, during, and after system implementation.
(f) Chief Administrative Officer: The highest ranking executive officer at each institution. For most institutions, this is the President.
(g) Cloud Computing (Cloud Services): Has the same meaning as "Advanced Internet-based computing service" as defined in : “a service that provides network access to a shared pool of configurable computing resources on demand, including networks, servers, storage, applications, or related technology services, that may be rapidly provisioned and released by the service provider with minimal effort and interaction. The term does not include telecommunications service or the act of hosting computing resources dedicated to a single purchaser.”
(h) Common Use Infrastructure: An IT facility, network, system, or other Information Resource managed, owned or controlled by U.T. System institutions that provides services to multiple U.T. System institutions under the auspices of the U.T. System. Examples: shared data centers, the U.T. System Network, the U.T. System Identity Management Federation, TexSIS student information system, UTShare HR/Finance, eCRT certification effort reporting system.
(i) Computing Device: Any device capable of sending, receiving, or storing Digital Data, including but not limited to: computer servers, workstations, desktop computers, laptop computers, tablet computers, cellular/smart phones, personal digital assistants, USB drives, embedded devices, smart watches and other wearable electronic devices, etc.
(j) Confidential Data: Data that is exempt from disclosure under applicable state law, including the Texas Public Information Act, and federal laws. Data or information meeting these criteria are designated with the classification of “Confidential” within the UTEP Data Classification Standard.
(k) Controlled Data: One of three data classifications defined within the UTEP Data Classification Standard. The “Controlled” classification applies to information/data that is not generally created for or made available for public consumption, but that is subject to disclosure under the Texas Public Information Act or similar state or federal law.
(l) Data: Elemental units, regardless of form or media, that are combined to create information used to support research, teaching, patient care, and other University business processes. Data may include but are not limited to: written, electronic video, and audio records, photographs, negatives, etc.
(m) Data Center: A facility used to house computer systems and associated components, such as telecommunications and storage systems.
(n) Decentralized IT: Information technology service and support organizations reporting to the heads of business units, departments, or programs that manage or support their own information systems.
(o) Digital Data: The subset of Data (as defined above) that is transmitted by, maintained, or made available in electronic media.
(p) Emergency Change: A change to an Information Resource made in response to unexpected events or circumstances that pose a threat to the environment or institution and thereby justify use of expedited change procedures.
(q) Electronic Communication: Method used to convey a message or exchange information via Electronic Media instead of paper media. It includes the use of Electronic Mail, instant messaging, Short Message Service (SMS), facsimile transmission, Social Media, and other paperless means of communication.
(r) Electronic Mail (Email): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
(s) Electronic Media: Any of the following:
i. electronic storage media including storage devices in computers (hard drives, memory) and any removable/transportable digital storage medium, such as magnetic tape or disk, optical disk, or digital memory card; or
ii. transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, intranet, and the physical movement of removable/transportable electronic storage media.
(t) Guideline: Recommended, non-mandatory controls that help support Standards or serve as a reference when no applicable Standard is in place.
(u) High Impact Information Resources: Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
i. cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
ii. result in major damage to organizational assets;
iii. result in major financial loss; or
iv. result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
(v) High Risk Computing Device: A computing device meeting any of the following criteria:
i. is located in a public or high-traffic area and is used by a person who has access to Confidential Data;
ii. is used to create, store, or process Confidential Data or is used within a functional area that handles such data;
iii. is used by any executive officers or their support staff; or
iv. contains data that if accessed, changed, or deleted by an unauthorized party could have highly adverse impact on the University or U.T. System.
Based on these criteria, designation of a computing device as being “High Risk” is made by the Information Resource Owner in consultation with the Chief Information Security Officer. In event of disagreement regarding the designation of a computing device as being “High Risk,” the Information Resource Owner of the data placed at potential risk determines the classification of the device.
(w) Information: Data organized, formatted and presented in a way that facilitates meaning and decision making. All information is comprised of data.
(x) Information Resources (IR): Any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, Network Infrastructure, personal computers, notebook computers, hand-held computers, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
(y) Information Resources Custodian (Custodian): An individual, department, institution, or third-party service provider responsible for supporting and implementing Information Resources Owner defined controls to Information Resources. Custodians include Information Security Administrators, institutional information technology/systems departments, vendors, and any third-party acting as an agent of or otherwise on behalf of an institution.
(z) Information Resources Manager (IRM): The executive responsible for IT across the whole of the institution as defined in Texas Government Code, Chapter 2054, Subchapter D. The IRM retains ultimate responsibility for enforcement of the Business Continuity Plan for Disaster Recovery, and all security and risk management policies.
(aa) Information Resources Owner (Owner): The manager or agent responsible for the business function that is supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The Owner is responsible for establishing the controls that provide the security and authorizing access to the Information Resource. The Owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared. NOTE: In the context of this Information Security Policy and Standards, Owner is a role that has security responsibilities assigned to it by Texas Administrative Code (TAC), Section 202.72; it does not imply legal ownership of an Information Resource. All University Information Resources are legally owned by The University of Texas System or the member institution.
(bb) Information Security Administrator: A departmental employee, designated by management, who assists with information security tasks as described in .
(cc) Information Security Program: The Policies, Standards, Procedures, Guidelines, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services adopted for the purpose of securing University Information Resources.
(dd) Information System: An interconnected set of Information Resources under the same direct management control that shares common functionality. An Information System normally includes hardware, software, Network Infrastructure, information, data, applications, communications, and people.
(ee) Information Technology (IT): The hardware, software, services, supplies, personnel, facilities, maintenance, and training used for the processing of data and telecommunications.
(ff) Inherent Impact: The degree of Impact (High, Moderate, or Low) that could result if Information Resources were subjected to unauthorized access, use, disclosure, disruption, modification or destruction.
(gg) Institution: U.T. System Administration, The University of Texas Management Company (“UTIMCO”), or any individual University that is a component of The University of Texas System. (Used interchangeably with “University”.)
(hh) Integrity: The accuracy and completeness of information and assets, and the authenticity of transactions.
(ii) Internet: A global system interconnecting computers and public computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and institutions.
(jj) Lead Researcher: The person engaged in the conduct of Research with primary responsibility for stewardship of Research Data on behalf of an Institution. For the purpose of this Policy, the term is synonymous with Principal Investigator.
(kk) Local Area Network (LAN): A data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.
(ll) Low Impact Information Resources: Information resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
i. cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
ii. result in minor damage to organizational assets;
iii. result in minor financial loss; or
iv. result in minor harm to individuals.
(mm) Malware: A computer program that is inserted into an Information System, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of data, applications, or operating system, or of otherwise disturbing or disrupting the User or Information System. Malware (malicious software) may attach itself to a file or application; deliver a payload without the knowledge or permission of the User; insert itself as a service or process to intercept sensitive information and/or keystrokes and deliver it to a third-party; or compromise the User’s computer and use it to launch compromises against other computers, among other capabilities. Viruses, worms, Trojan horses, spyware, adware, ransomware, and any code-based entity that infects a host are examples of malicious software.
(nn) Mission Critical Information Resources: Information Resources defined by an Institution or State agency to be essential to U.T. System or the Institution’s ability to meet its instructional, research, patient care, or public service missions. The loss of these resources or inability to restore them in a timely fashion would result in the failure of U.T. System or Institution’s operations, inability to comply with regulations or legal obligations, negative legal or financial impact, or endanger the health and safety of faculty, students, staff, and patients. Mission Critical Information Resources include but are not limited to:
i. Information Systems managing Confidential Data;
ii. Common Use Infrastructures;
iii. Institutional Network and Data Center Infrastructure;
iv. Identity and Access Management Systems, such as single-sign-on or other applications required to enable access to other critical systems;
v. Administrative systems (e.g., HR, Finance, Payroll, student/patient enrollment and billing, etc.);
vi. Student information systems;
vii. Patient care and life-support systems, etc.
(oo) Moderate Impact Information Resources: Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
i. cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
ii. result in significant damage to organizational assets;
iii. result in significant financial loss; or
iv. result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
(pp) Network Infrastructure: The distributed hardware and software (i.e., cabling, routers, switches, wireless access points, access methods, and protocols), information, and integrating components that allow institutional network hosts to communicate with one another and enable the administrative, learning, research, and health care missions of the Institution.
(qq) Non-University Owned Computing Device: Any device that is capable of receiving, transmitting, and/or storing electronic data, and that is not owned, leased, or under the management of an Institution including personally owned devices.
(rr) Password: A string of characters used to verify or "authenticate" a person's identity. Passphrases and personal identification numbers (PINs) serve the same purpose as a Password.
(ss) Personally Identifiable Information (PII): Information that alone or in conjunction with other information identifies an individual. PII includes, but is not limited to: an individual’s name; Social Security Number; date of birth; a government-issued identification number; a mother’s maiden name; unique biometric data (including the individual’s fingerprint, voice print, and retina or iris image); a unique electronic identification number, address, or routing code; or a telecommunication access device.
(tt) Policy: High level statements of intent relating to the protection of Information Resources across an organization (e.g., the U.T. System; UTEP). Compliance with a Policy is mandatory.
(uu) Portable Computing Devices: Any easily movable device capable of receiving, transmitting, and/or storing data. These include, but are not limited to, notebook computers, handheld computers, tablets (e.g., iPads, etc.), PDAs (personal digital assistants), pagers, smartphones (e.g., iPhones, etc.), Universal Serial Bus (USB) drives, memory cards, external hard drives, data disks, CDs, DVDs and similar storage devices.
(vv) Practice: Customary actions, which may or may not be documented, taken to accomplish information security tasks.
(ww) Procedure: Step by step instructions to assist information security and technology staff, Custodians, and Users in implementing various policies, standards, and guidelines.
(xx) Published Data: One of three data classifications within the UTEP Data Classification Standard. This includes data and information made available to the public through posting to public websites or distribution through email, social media, print publications, or other media.
(yy) Remote Access: Access to University Information Resources that originates from a Remote Location.
(zz) Remote Location: A location outside of the physical boundary of the Institution (includes University leased/rented properties and locations within the University’s compliance environment).
(aaa) Residual Risk: The risk (Low, Moderate, or High) that remains after security controls have been applied.
(bbb) Research: Systematic investigation designed to develop and contribute to knowledge and may include all stages of development, testing and evaluation.
(ccc) Researcher: Faculty, staff, graduate students, postdoctoral fellows, residents, visiting/affiliated scientists or lead researchers who are engaged in or responsible for Research activities.
(ddd) Risk: A function of the likelihood that a threat will exploit a vulnerability and the resulting impact to University missions, functions, image, reputation, assets, or constituencies if such an exploit were to occur.
(eee) Scheduled Change: A change to an Information Resource made under normal working conditions following formally prescribed change management processes as defined .
(fff) Security Incident: An event that results in unauthorized access, loss, disclosure, modification, disruption, or destruction of Information Resources whether accidental or deliberate.
(ggg) Server: A computer program that provides services to other computer programs in the same, or another, computer. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.
(hhh) Social Media: A forum or media for social interaction, using highly accessible and scalable communication techniques. Examples include but are not limited to wikis (e.g., Wikia, Wikimedia); blogs and microblogs (e.g., Blogger, Twitter); content communities (e.g., Flickr, YouTube); social networking sites (e.g., Facebook, MySpace, LinkedIn); virtual game worlds; and virtual communities (e.g., SecondLife).
(iii) Standards: Specific mandatory controls that are components of the Information Security Policy.
(jjj) State Record: A document, book, paper, photograph, sound recording, or other material, regardless of physical form or characteristic, made or received by a state department or institution according to law or in connection with the transaction of official state business.
(kkk) Strong Passwords: A password constructed so that another User cannot easily guess it and so that a “hacker” program cannot break it within a reasonable amount of time. It typically consists of a minimum number of positions in length and contains a combination of alphabetic, numeric, and special characters.
(lll) Two-Factor Authentication: A process for verifying a person’s identity that requires use of two of the following three elements:
i. something the person knows, such as a password;
ii. something the person has, such as a token or smart card; or
iii. a unique characteristic of the person, such as a fingerprint.
(mmm) University: U.T. System Administration, UTIMCO, or any of the academic Institutions, health science centers, or other entities as from time to time may be assigned by specific legislative act to the governance, control, jurisdiction, or management of U.T. System that comprise The University of Texas System. (Used interchangeably with “Institution”.)
(nnn) University of Texas System (U.T. System): The academic institutions and health science centers in The University of Texas System, plus U.T. System Administration and UTIMCO.
(ooo) University of Texas System Administration (U.T. System Administration): The central administrative offices that provide oversight and coordination of the activities of U.T. System and its Institutions.
(ppp) University of Texas System Data (University Data): All Data or Information held on behalf of U.T. System and its Institutions created as a result of and/or in support of U.T. System business, or residing on U.T. System Information Resources, including paper records.
(qqq) U.T. System Shared Data Center: Any data center governed by the UT Shared Data Center (SDC) group on behalf of the U.T. System including the Arlington Data Center (ARDC) and the Houston Data Center (HDC).
(rrr) U.T. Systemwide Information Security Program: The U.T. System policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services that establish requirements and provide oversight and supplemental support for Institutional Information Security Programs.
(sss) User: An individual, automated application, or process that is authorized by the Owner to access the resource, in accordance with federal and state law, University policy, and the Owner's procedures and rules. Users are responsible for: (1) using the resource only for the purpose specified by the Owner; (2) complying with controls established by the Owner; and (3) preventing the unauthorized disclosure of Confidential Data. The user is any person who has been authorized by the Owner of the information to read, enter, or update that information. The User is the single most effective control for providing adequate security.
(ttt) UTIMCO: The University of Texas Investment Management Company that manages U.T. System’s investment assets.
(uuu) Vendor: Any third-party that contracts with U.T. System or an Institution to provide goods and/or services to U.T. System or the Institution.