Information Security Policy
Effective information security is essential to protect University of Chicago students, faculty, patients and study subjects, staff, and others. Protecting our academic community requires a balanced, multi-faceted, proactive, and collective approach, in which everyone in our University community understands and embraces our shared responsibility to each other to create and diligently maintain a solid information security culture, and honors the trust that others have placed in us as patients, study subjects, funders and colleagues. Maintaining the appropriate balance of open collaboration, secure research, and administrative data requires an informed and aware community. This policy was crafted in consultation with faculty, staff and other University stakeholders. It is not intended to prevent, prohibit, or inhibit effective use of information assets to meet the University’s core missions and campus academic and administrative goals. The program must, where possible, ensure that tools are usable, respect the privacy of individuals, are associated with appropriate levels of staff support, and do not unduly interfere with the University’s mission.
This policy (the “Policy”) sets forth a set of requirements for ensuring security and protecting the confidentiality, integrity, and availability of University information technology resources and data. Specifically, the policy seeks to:
- Foster the University’s academic missions while protecting the University’s community and reputation.
- Secure the data used by University faculty, staff, and students.
- Address specific security requirements defined by federal and state regulations.
- Implement the controls required to fulfill the previous goals without impeding the University’s mission.
All Covered Persons (University faculty, other academic appointees, students, staff, volunteers, and contractors) and associates must adhere to this policy.
This Policy applies to all University information technology resources used to conduct University activities in support of the academic, research, and service mandates of the University, connect to the University network, or store University data or information. This includes data processed or stored and applications used by the University in hosted environments where the University does not operate the technology infrastructure.
- Responsible University Officer(s): Chief Information Security Officer
- Responsible Office: Information Security, a department of IT Services
- Effective date: 01.2024
- Last Updated: 01.2024
The University shall develop, implement, maintain, and periodically update a comprehensive information security program (the “Program”) to safeguard the security, confidentiality, integrity, and availability of University information technology resources and data and to address specific security requirements defined by federal, state, and local laws and regulations, University policies, and applicable contractual obligations.
- Through this Policy, the Program shall implement the information security controls set forth in the University of Chicago Information Security Standard (login required).
- The Program shall encompass policies, standards, procedures, and other guidance as appropriate to accomplish the Program’s goals. Such material shall include minimum technical requirements, the persons responsible for administering and ensuring compliance with the Program, and additional technical details outlining how the campus community can comply with those requirements.
- All users are responsible for protecting their University of Chicago credentials from unauthorized use.
- All users of the University’s information technology resources must be identified and may not share credentials.
- All credentials will be unique and sufficiently complex to resist compromise.
- Access and use of the University’s confidential information (generally non-public information about a person or an entity) must be for authorized University of Chicago purposes only. All users are responsible for protecting the University’s confidential information on any computer, service, or device that they use. Reference University HR policy 601 Treatment of Confidential Information for more information.
- All systems and services where confidential information is stored must be inventoried by each division and shared with IT Services, complying with the End User Device Policy.
- All third parties who store or access the University’s confidential information or sensitive systems must be reviewed and approved by Information Security.
- Electronic and physical records containing the University’s confidential information must be protected when transported or transmitted, and must be appropriately disposed of or, where appropriate, added to the University Archives.
- Electronic and physical records must be maintained or archived according to the Managing University Records policy and in compliance with the Data Classification Guide.
- Any actual or suspected loss, theft, or improper use of or access to the University of Chicago’s confidential information, services, or systems must be reported to the University Information Security office immediately.
- Use of the University’s systems, services, and data, and the conduct or reporting of research, must not violate University policies; federal, state, and local laws and regulations; or contractual obligations.
Consequences of Violating the Policy
Violations of the Policy may result in disciplinary action, up to and including suspension of network privileges, suspension or expulsion from further study, and termination of employment.
Roles and Responsibilities
All faculty, students, staff, and associates share the responsibility to protect and secure information technology resources. All faculty, students, staff, and associates must observe all information security-related policies, regulations, procedures, rules, standards, technical specifications, and any other guidance to secure University information technology resources and data. Specific roles and responsibilities for University information security include:
- Chief Information Officer (CIO) – The CIO shall be responsible for maintaining Information Technology Services (ITS) alignment with University risk tolerance levels.
- Chief Information Security Officer (CISO) – The CISO shall be responsible for leading the development, execution, monitoring, and enforcement of the University Information Security Program as defined in this policy.
Associate – An associate is an individual who requires access to information technology resources to work in conjunction with the University but is not a University of Chicago Covered Person (i.e., is not faculty, an other academic appointee, a student, a staff member, a post-doctoral researcher, a volunteer, or a contractor).
Confidential Information – Generally consists of non-public information about a person or an entity that, if disclosed, could reasonably be expected to violate the privacy rights and interests of that individual or entity, violate a relationship of trust within which such information was shared, or place the person or entity at risk of criminal or civil liability or of damage to their financial standing, employability, or reputation. Reference University HR policy 601 Treatment of Confidential Information for more information.
Covered Persons – All University faculty, other academic appointees, students, staff, volunteers, and contractors.
Information Security Program (“The Program”) – The Information Security Program is a set of coordinated services and activities designed to protect information technology resources and manage the risks to the University associated with those resources, including the regulations listed below as well as the procedures, standards, assessments, and protocols that govern the storage, accessibility, and security of information technology resources.
Information Technology Resources – Information technology resources are:
- Computers or electronic resources that are used in the search, access, acquisition, transmission, storage, retrieval, or dissemination of University data. Refer to the Data Classification Guide and Research Data Protection Policy for more information.
- Technologies or services that are owned or managed by the University, that connect to the University network, that link to another University technology or service, or that store University data or information.
- Services or applications used by the University in hosted environments where the University does not own or operate the technology infrastructure.
Service – IT infrastructure, platforms, or software that are hosted by third-party providers and made available to users through the internet.
Third-Party – An organization or partner that is approved by the University to perform certain services on systems, software, and services on behalf of the University.
Related Information and Regulations
- Family Educational Rights and Privacy Act of 1974 (FERPA) (pertaining to the privacy of student information)
- Gramm-Leach-Bliley Act of 1999 (GLBA) (about the privacy and safeguarding of consumer financial information)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) (about the privacy and security of protected health information)
- Payment Card Industry (PCI) Data Security Standard (DSS) (about the security of credit card payment information)
- University of Chicago Secure Research Data Strategy
- Illinois Statute 815 Ill. Comp. Stat. 530/5, 530/10, 530/12, 530/15, 530/20, 530/25
- University HR policy 601 Treatment of Confidential Information
Actual or suspected information security incidents should be reported to firstname.lastname@example.org. The following offices can address questions regarding this Policy:
IT Services Information Security Office
Executive Director and Chief Information Security Officer (CISO)