10.01 Electronic Information Systems Security and Data Confidentiality Policy, Chancellor's Office Business Policies & Procedures

Purpose:

The purpose of this policy is to:

  1. protect the integrity of computers, networks, and electronic information systems within the Chancellor's Office
  2. ensure the security and confidentiality of Chancellor's Office data through prudent data management and restrictions on data access and data utilization
  3. ensure compliance with Chancellor's Office policies regarding electronic information systems.

Policy:

Computers, networks, electronic information systems, and data are critical resources for accomplishing the Chancellor's Office's mission. Electronic information systems also include, but are not limited to, e-mail, voice mail and the World Wide Web. The Chancellor's Office gives authorized users access to these resources in support of accomplishing its mission.

These resources are a valuable asset to be managed responsibly to ensure integrity, security, and availability for appropriate educational and business activities. All authorized users of these resources are required to use them in an ethical, professional and legal manner. Users with access to electronic information systems are required to protect resources and maintain appropriate levels of confidentiality.

Who Should Know This Policy:

Anyone permitted access as an authorized user to the Chancellor's Office electronic information systems and data.

User's Rights and Responsibilities:

Users must be aware of the following rights and responsibilities, which apply to all users of the Chancellor's Office's electronic information systems. This policy does not contain an exhaustive list of permitted and disallowed acts, but is intended to illustrate general standards for the acceptable use of electronic information systems. The Related Information section also provides a list of other relevant electronic information systems policies, standards and guidelines. Together, these documents provide information on the user's responsibilities related to personal communication, privacy and security issues, and consequences of violations.

Users should also be aware of the Chancellor's Office's rights and responsibilities, which are defined in a subsequent section. Use of the Chancellor's Office electronic information systems by users constitutes agreement to comply with its policies.

Users of electronic information systems must use them in an ethical, professional and legal manner. Chancellor's Office electronic information systems are to be used predominately for completing Chancellor's Office work-related business. Misuse of Chancellor's Office and other Oregon University System electronic information systems is prohibited.

Incidental personal use of Chancellor's Office electronic information systems is allowed provided that such use does not: a) interfere with the Chancellor's Office's operation of electronic information systems, either directly or indirectly, b) interfere with the user's employment, c) impose on the Chancellor's Office any measurable incremental costs, or, d) contradict Chancellor's Office policy or violate legal restrictions.

Chancellor's Office data is an Oregon University System resource. The Chancellor's Office prohibits the use of data for any purpose other than conducting Chancellor's Office business. Authorized users accessing data must comply with requirements for confidentiality and privacy. Additionally, all access to Chancellor's Office data must comply with applicable state and federal laws and regulations.

All authorized users are responsible for notifying their supervisor or Department Head if they become aware of or suspect a breach of security. Authorized users must not take actions that would compromise the investigation of security breaches. Examples of compromising actions would be confronting the suspected individual or initiating an investigation independently. All authorized users are required to cooperate with any investigations of security breaches.

Supervisors or Department Heads may informally address minor and unintended violations of this policy by authorized users. However, repeated minor violations or more serious violations may result in more severe consequences. Such consequences might include temporary or permanent loss of or modification to user access. Also, disciplinary action may be taken, up to and including dismissal, as is governed by applicable Chancellor's Office personnel policies and collective bargaining agreements. Additionally, some violations may lead to the risk of legal sanctions, both civil and criminal.

Chancellor's Office Rights & Responsibilities:

Department Heads or other appropriate personnel must take appropriate and timely action in response to notification of suspected breaches of security that might pose a serious risk to Chancellor's Office electronic information systems.

Access to the Chancellor's Office electronic information systems may be revoked or other disciplinary actions taken as described above in the section titled User's Rights and Responsibilities.

Access:

Physical and electronic access to Chancellor's Office electronic information systems and data is controlled through granting access to various systems and sub-systems. The level of access granted will be based on the electronic information systems access needed to perform assigned duties. User access is restricted through the assignment of user IDs and password verification. Authorized users are responsible for access to systems using their ID. No one should access Chancellor's Office electronic information systems using the ID and password of another authorized user.

Authorized users should not provide their ID and password to others, except as necessary to assist in electronic information systems maintenance and repairs. It is critical that all authorized users select passwords that will protect the security of Chancellor's Office electronic information systems.

Access will be terminated when authorized users no longer need access to perform their assigned duties. Supervisors or Department Heads should follow the appropriate notification procedures to inactivate or delete IDs or passwords in a timely manner.

User Privacy:

Electronic information systems are not routinely monitored for content. However, authorized personnel have authority to access individual user files, data, and e-mail in the process of troubleshooting and maintenance. If there is reasonable suspicion of misuse, authorized personnel may also access them for investigative purposes. If violations of this policy are discovered as a result of these activities, they will be reported to the immediate supervisor and the Vice Chancellor for Finance & Administration. It is the Chancellor's Office policy that personnel will not release user IDs and passwords for any electronic information systems to anyone other than the authorized user without the explicit review by and permission from the user's Department Head.

Definitions:

Related Information:

The following is a list of relevant OUS and other entities' electronic information systems policies, standards, and guidelines.

OUS:

OUS Policies:
Chancellor's Office Policies:
State of Oregon:

Contacts:

Email Chancellor's Office Business Services

History:

12/22/04 Policy approved and issued
08/26/08 Referenced policy links updated

Last Updated: 08/26/08