Policies and Procedures Manual 2021 - 2022

3.48 Information Security Policy

1. Definitions

  • Confidentiality: refers to ensuring that institutional data is protected from unauthorized disclosure as defined in the Piedmont University Data Classification and Data Access Policies.
  • Information Security Officer (ISO): the senior institutional official charged with the establishment, implementation, maintenance, and assessment of the Information Security Program.
  • Information Security: refers to the protection of institutional data to ensure its confidentiality, integrity, and availability.
  • Information Security Incident: an event that is likely to cause harm to the institution and/or its information assets.
  • Information Security Program (ISP): refers to the totality of policies, procedures, training, and other information provided to the University community by the Office of Information Security.
  • Information System: refers to a set of components, procedures, and people used to collect, store, maintain, and disseminate institutional data. In this document, such systems can be either electronic (e.g., database/spreadsheet) or manual (e.g., file cabinet/other manual files).
  • Institutional Data: refers to any data collected, stored, or shared on behalf of Piedmont University in connection with the accomplishment of its mission.
  • Privacy: refers particularly to the protection of personal information from unauthorized disclosure as defined by law, regulation, or institutional privacy policy.

2. Policy

Piedmont University collects, stores, and shares a variety of data about its faculty, staff, students, and operations as necessary for the accomplishment of its mission. Piedmont University, through its Information Security Program, will protect the security of all data collected, stored, or shared in its various information systems as required by law, regulation, and best practice. Further, Piedmont University will restrict the use of its information resources to only authorized personnel and only for approved purposes, will ensure the accuracy, privacy, and protection of the University’s information resources as required by law, and will retain personal information no longer than necessary as required by law and in accordance with departmental data retention policies.

3. Organization

The Office of Information Security, under oversight of the Chief Information Officer (CIO), shall be responsible for the development, implementation, maintenance, and assessment of all institutional policies and procedures related to information security, for the management of information security incidents, and for advising the University community on matters relating to information security.

4. Procedure

The Piedmont University Information Security Program (ISP) shall be based upon, and defined by, an industry-accepted cybersecurity standards framework such as the NIST Cybersecurity Framework or the ISO/IEC 27000 family of standards. Adherence to a standards framework helps ensure that the University ISP is comprehensive and in alignment with current best practices.

The Information Security Officer (ISO) will manage the ISP by:

  • Developing and maintaining the University ISP Framework
  • Conducting ongoing assessments of the state of the University relative to the framework standards, such that each individual standard is assessed at least biennially, to determine the adequacy of its associated controls.
  • Recommending and monitoring the development of controls in response to security standards requirements including:
    • Policy
    • Procedures
    • Hardware/software
    • Training
  • Maintaining documentation concerning the ISP framework and associated assessments
  • Through the CIO, ensuring that senior leadership is informed of the current state of information security readiness.
  • Overseeing University community information security training
  • Ensuring that the University community is informed about current information security issues
  • Serving as the University coordinator for all information security issues