Policy Number : TBD
Effective Date: TBD

Last Revised and approved by Cabinet: TBD

Applicability: This policy applies to all students, faculty members, professional staff members, and all other members of the University community, including but not limited to campus guests, visitors, and third parties doing business or providing services to the University (e.g., vendors, independent contractors and consultants) (hereafter referred to collectively as "User(s)"), Institutional Information (which includes but is not limited to: Personally Identifiable Information (PII)), Protected Health Information (PHI), financial, Payment Card Industry Data Security Standard (PCI DSS), & Family Educational Rights and Privacy Act (FERPA), and computer and network resources (hereafter referred to collectively as "Drexel Network").

Responsible Officer: The Chief Information Security Officer (CISO)

POLICY

Information security is critical to fulfill the educational, service, and research mission of Drexel University (the “University” or “Drexel”). Drexel is dedicated to ensuring the security and proper creation, use and disposal of Institutional Information generated, collected, accessed, modified, transmitted, and/or stored.
 
Maintaining the confidentiality, integrity, and availability of both the Drexel Network and Institutional Information is a shared responsibility among User(s) and Drexel. Best security practices and procedures must always be followed.

This Policy in conjunction with other University policies and practices create Information Security administrative, technical, and physical controls throughout the University. This Policy also establishes an Information Security Team, which will be led by the Chief Information Security Officer (CISO) and defines the Information Security responsibilities of Drexel Network and Institutional Information Users.

RESPONSIBILITIES

The Chief Information Security Officer (CISO) will lead the Information Security Team and implement a University-wide information security training and awareness program. The Chief Information Security Officer will coordinate investigations and responses to actual or suspected breaches with the appropriate internal teams and/or law enforcement offices.

The Information Security Team will oversee the University wide security policies and controls. The Information Security Team will work towards fulfilling their mission to protect the people, the information, and the systems of Drexel University by providing guidance on the risks to Institutional Information and the Drexel Network, taking proactive measures to ensure the security of Institutional Information and the Drexel Network and creating initiatives for security awareness training, compliance, and risk assessments. 
 
System Administrator(s) will ensure the security and proper creation, use and disposal of information created, collected, managed, and/or stored under their authority. Additionally, Administrators, Managers, and Supervisors are responsible for ensuring User(s) within the scope of their authority are trained and follow information security best practices at all times in their daily roles. 

User(s) will strive to minimize or eliminate the creation, collection, handling, storage and use of Sensitive Data. Only those who have a legitimate business need to access Institutional Information should do so, and for as limited a time as possible. When Institutional Information is no longer needed, it will be properly and securely disposed of and/or destroyed. User(s) are required to immediately report any suspected incidents/breaches to the Information Security Team at informationsecurity@drexel.edu.

EXCEPTIONS

Requests for exceptions to this policy will be evaluated according to the standards and principles of the University by the Information Security Team and approved by the CISO. Requests will only be granted upon demonstration of good cause and for no more than 12 months. All exceptions will be reviewed every 12 months.

CROSS-REFERENCE

• Acceptable Use Policy (IT-1)
• Information Security Program for GLB Act (IT-2)
• Security of Enterprise Systems (IT-3)
• Security of Information and Networked Systems (IT-4)
• Radio Spectrum and Wireless Network Control Policy (IT-5)
• Clinical Research Data Storage Policy (IT-6)
• Email Policy (IT-7)
• Information Security for Institutional Information Policy (IT-8)
• Mobile Computing in Medical Education: iPad Policy (IT-9)
• Used Computer Disposal Procedure
• Accounts & Email Terms of Service
• Records Management Policy (OGC-4)
• The Code of Conduct (CPO-1)
• Drexel University Information Security Best Practices

ENFORCEMENT

Penalties for violating this or any other policy covered under this policy, may include restricted access or loss of access to the Drexel Network and Institutional Information, termination and/or expulsion from the University and in some cases, civil and/or criminal liability.

POLICY MANAGEMENT

This policy is maintained by the Office of Information Security. Drexel University reserves the right to update or revise this policy or implement additional policies in the future. Users are responsible for staying informed about Drexel University policies regarding the use of computer and network resources and complying with all applicable policies.