The goal of UMKC Information Services is to provide the data and networking services the University requires in fulfilling the mission of this institution.
Each member of the university community has a responsibility for the security and preservation of electronic information resources. The responsibility includes, but is not limited to, compliance with the UM System Acceptable Use Policy (UM Policy section 110.005). The resources include the physical components of the network and the data stored therein. The integrity of the electronic information resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.
The responsibilities for information security range from maintaining the confidentiality of an individual’s SSO (Single Sign On) password to the protection of the network infrastructure. Each member of the university community usually has more than one role to fulfill.
Administrative Officials are defined as individuals with administrative responsibility for university organizational units (e.g., control unit heads, deans, department chairs, principal investigators, directors, or managers) or individuals having functional ownership of data. The Administrative Officials must:
Providers are defined as individuals who design, manage, and operate campus electronic information resources, e.g. project managers, system designers, application programmers, or system administrators. The Providers must:
Users are defined as individuals who access and use campus electronic information resources. The Users must:
The lack of appropriate security measures at any level may result in damaged, stolen, unreliable, or non-productive resources. For example, if a situation is deemed serious enough, computer(s) posing a threat will be blocked from network access.
Computers must have the most recently available and appropriate software security patches, commensurate with the identified level of acceptable risk. For example, installations that allow unrestricted access to resources must be configured with extra care to minimize security risks.
Adequate authentication and authorization functions must be provided, commensurate with appropriate use and the acceptable level of risk.
Attention must be given not only to large systems but also to smaller computers which, if compromised, could constitute a threat to university or off-campus resources, including computers maintained for a small group or for an individual's personal use.
Appropriate controls must be employed to protect physical access to resources, commensurate with the identified level of acceptable risk. The controls range from extensive security installations to protect a room or facility where server machines are located, to simple measures such as a password-secured screensaver on a user’s computer.
Applications must be designed to protect, and computers must provide protection for, the privacy and confidentiality of the various types of electronic information they process, in accordance with applicable laws and policies.
Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when sensitive data is transferred from a well-secured mainframe system to a User's location, adequate security measures must be in place at the destination computer to protect this "downstream data".
Technical staff assigned to ensure the proper functioning and security of University electronic information resources and services will monitor all network activity. Specific information and electronic communications will not be routinely searched. In the event a security incident requires a search of specific information, the search will follow established guidelines and procedures. These procedures comply with all policies and laws protecting the privacy of electronic information.
University departments, units, or groups should establish security guidelines, standards, or procedures that refine the provisions of this Policy for specific activities under their control, in accordance with this Policy and other applicable policies and laws.
Policies that apply to all campus electronic information resource security include, but are not limited to, the UM System Acceptable Use Policy (UM Policy section 110.005) and the campus Computer Use Policy. Electronic information resources used in support of University business administration must comply with the provisions of the UM System Acceptable Use Policy (UM Policy section 110.005) as well. Federal and state laws prohibit theft or abuse of computers and other electronic resources.
The following activities are specifically prohibited under this Policy:
In addition to any possible legal sanctions, violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to current UM System Human Resource Policy.