IUP IT Security is governed via a distributed set of policies, procedures, and guidelines some of which in turn refer to both internal and external laws and policies that impact IT security at the university.
This distributed approach results from the fact that a number of broad governing policies, etc. (such as a variety of laws, general university policies, employment terms/CBA, the student handbook, FERPA regulations, IUP’s Gramm-Leach-Bliley Information
Security Plan, and IUP Retention of University Records Policy) include elements that apply to IT security. Therefore, any attempt to create an all-encompassing IT Security Policy would run the risk of including conflicting and/or inaccurate components as those broader policies, etc. would change over time
and/or new governing policies, etc. are introduced.
Any IT security-specific policy, procedure, or guideline is created when these broad policies, etc. fail to address needs. Examples include the Acceptable Use of Information Technology Resources and the Information Protection policies, the Enhanced PC User Privilege Procedure, and the Mobile Device Security Guidelines. A comprehensive list of these specific
policies, procedures and guidelines can be found on the
IT Support Center website.
The creation of IT security-specific policies, procedures, and guidelines are overseen by the chief information officer (CIO) or their designee. The CIO is responsible for escalating IT security-related policies to the Senate Library and Educational Services (LESC) Committee for action, with approval by the full
Senate. Related procedures and guidelines do not require Senate review.
Details concerning duties and responsibilities, enforcement methods, or potential sanctions for IT security activities across different roles and organizations are contained in the various policies, procedures, and guidelines.
IUP’s IT security office is responsible for maintaining IT security policies, procedures, and guidelines to ensure that each remains accurate and effective. Although IUP does not have a single information security officer, the IT security office is also responsible for fielding inquiries related to information
security and routing inquiries to the appropriate governing entities depending upon which policy, procedures, and/or guidelines are relevant.
Confidential Information Addendum for Contractors
Information Security Awareness Handout
Information Protection Procedures