UMKC Information Security Policy

Introduction

The goal of UMKC Information Services is to provide the data and networking services the University requires in fulfilling the mission of this institution.

Policy

Each member of the university community has a responsibility for the security and preservation of electronic information resources. The responsibility includes, but is not limited to, compliance with the UM System Acceptable Use Policy (UM Policy section 110.005). The resources include the physical components of the network and the data stored therein. The integrity of the electronic information resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.

Roles and Responsibilities

The responsibilities for information security range from maintaining the confidentiality of an individual’s SSO (Single Sign On) password to the protection of the network infrastructure. Each member of the university community usually has more than one role to fulfill.

Administrative Officials are defined as individuals with administrative responsibility for university organizational units (e.g., control unit heads, deans, department chairs, principal investigators, directors, or managers) or individuals having functional ownership of data. The Administrative Officials must:

  • Identify the electronic information resources within areas under their control.
  • Define the purpose and function of the resources and ensure that requisite education and documentation are provided to the university community as needed.
  • Establish acceptable levels of security risk for resources by assessing factors such as:
    • How sensitive the data is, such as research data or information protected by law or policy,
    • The level of criticality or overall importance to the continuing operation of the campus as a whole, individual departments, research projects, or other essential activities,
    • How negatively the operations of one or more units would be affected by unavailability or reduced availability of the resources,
    • How likely it is that a resource could be used as a platform for inappropriate acts towards other entities,
    • Limits of available technology, programmatic needs, cost, and staff support.
  • Ensure that requisite security measures are implemented for the resources.

Providers are defined as individuals who design, manage, and operate campus electronic information resources (e.g., project managers, system designers, application programmers, or system administrators). The Providers must:

  • Become knowledgeable regarding relevant security requirements and guidelines.
  • Analyze potential threats and the feasibility of various security measures in order to provide recommendations to Administrative Officials.
  • Implement security measures that mitigate threats, consistent with the level of acceptable risk established by Administrative Officials.
  • Establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements.
  • Communicate the purpose and appropriate use for the resources under their control.

Users are defined as individuals who access and use campus electronic information resources. The Users must:

  • Become knowledgeable about relevant security requirements and guidelines.
  • Protect the resources under their control, such as SSO passwords, computers, and data they download.

The lack of appropriate security measures at any level may result in damaged, stolen, unreliable, or non-productive resources. For example, if a situation is deemed serious enough, computer(s) posing a threat will be blocked from network access.

Primary Security Components

Logical Security

Computers must have the most recently available and appropriate software security patches, commensurate with the identified level of acceptable risk. For example, installations that allow unrestricted access to resources must be configured with extra care to minimize security risks.

Adequate authentication and authorization functions must be provided, commensurate with appropriate use and the acceptable level of risk.

Attention must be given not only to large systems but also to smaller computers which, if compromised, could constitute a threat to university or off-campus resources, including computers maintained for a small group or for an individual's personal use.

Physical Security

Appropriate controls must be employed to protect physical access to resources, commensurate with the identified level of acceptable risk. The controls range from extensive security installations that protect a room or facility where server machines are located, to simple measures such as a password-secured screensaver on a user's computer.

Privacy and Confidentiality

Applications must be designed, and computers configured, to protect the privacy and confidentiality of the various types of electronic information they process, in accordance with applicable laws and policies.

Users who are authorized to obtain data must ensure that it is protected to the extent required by law or policy after they obtain it. For example, when sensitive data is transferred from a well-secured mainframe system to a User's location, adequate security measures must be in place at the destination computer to protect this "downstream data".

Technical staff assigned to ensure the proper functioning and security of University electronic information resources and services will monitor all network activity. Specific information and electronic communications will not be routinely searched. In the event a security incident requires a search of specific information, the search will follow established guidelines and procedures. These procedures comply with all policies and laws protecting the privacy of electronic information.

Compliance with Law and Policy

University departments, units, or groups should establish security guidelines, standards, or procedures that refine the provisions of this Policy for specific activities under their control, in accordance with this Policy and other applicable policies and laws.

Policies that apply to all campus electronic information resource security include, but are not limited to, the UM System Acceptable Use Policy (UM Policy section 110.005) and the campus Computer Use Policy. Electronic information resources used in support of University business administration must comply with the provisions of the UM System Acceptable Use Policy (UM Policy section 110.005) as well. Federal and state laws prohibit theft or abuse of computers and other electronic resources.

The following activities are specifically prohibited under this Policy:

  • interfering with, tampering with, or disrupting resources;
  • intentionally transmitting any computer viruses, worms, or other malicious software;
  • attempting to access, accessing, or exploiting resources you are not authorized to access;
  • knowingly enabling inappropriate levels of access or exploitation of resources by others;
  • downloading sensitive or confidential electronic information/data to computers that are not adequately configured to protect it from unauthorized access;
  • disclosing any electronic information/data you do not have a right to disclose.

In addition to any possible legal sanctions, violators of this Policy may be subject to disciplinary action up to and including dismissal or expulsion, pursuant to current UM System Human Resource Policy.