Skip to main content
Apply

Enterprise Information Technology

Open Main MenuClose Main Menu

Information Security Policy

3-0603, Administration and Finance

October 2019 

 

PRINT-FRIENDLY PDF

 

Purpose 

1.01

Oklahoma State University (OSU) is committed to protecting the integrity, availability, and confidentiality of sensitive information under University control, complying with legal requirements, and adhering to policies, procedures, standards, and guidelines set by federal and state laws, contractual obligations, the University and Oklahoma A&M System (A&M), or otherwise referenced in this document.

1.02 

The purpose of this policy is to recognize OSU’s responsibilities in, and establish mechanisms for, securing information electronically transmitted, stored, or processed in pursuit of the institution’s mission.

 

Scope

2.01

This policy impacts all employees, staff and faculty of OSU and the Oklahoma A&M System, as well as vendors, contractors, partners, student, collaborators, and any others doing business or research with OSU/A&M.

2.02

This policy applies to certain members of Information Technology, the Oklahoma A&M Chief Information Officer, and identified Technology Coordinators or other personnel tasked with management of University information systems.

 

Definitions

3.01 

Information Assets – any University-owned, -leased, -protected or otherwise authorized information or data.

3.02

Data – for the purposes of this document, electronic information (e.g. databases, spreadsheets, email, etc.) or non-electronic (e.g., paper files, publications, hardcopy research, etc.). Information or knowledge concerning a particular fact or circumstance, gained via business operations, academic study, communications, research, instruction, or otherwise, within the pursuit of the University’s mission.

3.03

Information technology resources – technology and/or computer resources including, but not limited to, personal computers, workstations, mainframes, mobile devices (laptops, tablets, smart phones, etc.), printing equipment, and all associated peripherals and software, and electronic
mail accounts, regardless of whether the resource is used for administration, research, teaching or
other purposes.

3.04

Information systems – any resource or equipment used for accessing or for controlling access of information assets.

3.05

User – For the purposes of this document, a person, authorized or not, who makes use of, accesses, creates, or alters University information assets or technology resources from any location.

 

Policy 

4.01

Information Security Policies
Information Technology (IT) will work with users to adhere to applicable policies, procedures,
standards, and guidelines associated with securing institutional information, including, but not
limited to:

  • 3-0601 Appropriate Use Policy
  • 3-0604 Information & Resources: Access Control Policy
  • 3-0605 Information Security: Security Awareness

4.02

Information Security Committee
Information Technology will establish and maintain an Information Security Committee (Committee) to address information security, compliance, and governance needs.

 

Committee Membership

 

Given the distributed nature of the University’s technology services, the Committee will be
comprised of, but not limited to, the following personnel:

 

  • Chief Information Officer – Oklahoma State University
  • Chief Information Officer – Agriculture and Mechanical Colleges
  • Information Security Officer and Director of IT Security
  • IT Manager designated for IT Governance, Risk and Compliance
  • Technology Coordinators from each of the following OSU campuses or functional areas:
    • OSU-Center for Health Sciences (OSU-CHS)
    • OSU-Institute of Technology (OSUIT)
    • OSU-Oklahoma City (OSU-OKC)
    • Financial Information Management
    • Human Resources Information Management
    • Institutional Research and Information Management
    • Enrollment and Brand Management
    • Office of the Registrar
    • The Honors College
    • College of Arts and Sciences
    • College of Engineering, Architecture and Technolog
    • College of Education and Human Sciences
    • College of Veterinary Medicine
    • Division of Agricultural Sciences and Natural Resources
    • Graduate College
    • Edmon Low Library
    • OSU Research
    • Spears School of Business
  • OSU-Tulsa Administration Representative
  • Additional members as required depending on the topic

 

Committee Operations
The Committee will meet each fall and spring semesters, or as needed depending on identified
needs.


The Chief Information Officer – OSU will be responsible for scheduling and recording Committee
meetings.

 

The Information Security Committee’s responsibilities include:

  • developing policies, general operational procedures, systems configuration or
    technological process standards, and other IT governance and administrative guidance as
    needs are identified within Committee discussions and activities.
  • providing guidance to Committee members or the University regarding enforcement of
    information security policies.
  • as needed or required, in the event of a compromise of information security assisting with
    and following applicable and appropriate procedures toward recovering information,
    mitigating losses, restoring and ensuring data security, and restoring technological services
    and business operations.

Duties of individual members of the Committee include:

  • reporting to the Committee information security, compliance/regulatory, or governance
    needs for their campus/area
  • communicating to students, faculty, staff, or authorized third-parties of policies set by the
    Committee.
  • reporting to the Committee a need for or actions (which have been or are to be) taken
    regarding enforcement of information security policies.

4.03

Non-Compliance
Failure to adhere to the security measures referenced in this policy could result in hindered University operations, impaired organizational business, irreparable damage to institutional resources, persons associated with the institution and the community, and/or fines or other government sanctions. In the event of non-compliance by individuals within the scope of this policy, the University may apply disciplinary procedures including, but not limited to, immediate revocation of user privileges to University information technology resources, revocation of access, required re-training on data security, notification of supervisors, loss of funding, lawsuits, suspension, and possible termination of employment. Further, violations of this policy may result in disciplinary actions including discharge, dismissal, expulsion, and/or legal action, which may include referral for criminal investigation and/or prosecution.

MENUCLOSE