
6.01 INFORMATION SECURITY RESPONSIBILITIES AND DEFINITIONS

Effective: August 15, 2024

Purpose: Emporia State University understands that some information provided to it by students, faculty, staff, or gained by other means is an important asset that needs to be protected. Measures must be taken to protect the information assets from unauthorized access, use, modification, destruction, or disclosure, whether accidental or intentional, as well as to assure its confidentiality, integrity, and availability. Because the University prides itself on the free exchange of knowledge and ideas, other information created or maintained by the University can and should be shared with the public.

The University has made substantial investments in both human and financial resources to create a computing environment that enables both our students and employees to access the internet in general, as well as information specific to the function of their position, whether stored at the University, at sites accessible on the internet, or by direct connection to remote sites.

This policy and all policies derived from it have been established in order to:

  • Protect this investment;
  • Safeguard the information contained within this environment;
  • Reduce business and legal risk; and
  • Establish confidence about the University’s business practices to current and prospective students, faculty, and staff.

This policy also serves to provide definitions for Information Technology policies.

Scope: This policy applies to all individuals utilizing information technology infrastructure.

Responsible Office: Information Technology

Policy Statement: The management of the following policies is the responsibility of the Information Security Advisory Committee (hereafter ISAC), a shared governance committee.

If ISAC deems that a proposed change will have a significant impact on faculty, ISAC will present the policy to the Faculty Senate Executive Committee for review.

The University will set a clear policy direction and demonstrate support for, and commitment to, information security by:

  • Appointing an Information Security Officer (ISO) to lead information security efforts;
  • Issuing and maintaining a set of information security policies, procedures, standards, and guidelines;
  • Apportioning budgets that support information security efforts;
  • Establishing and maintaining a process to periodically review the information security policies, procedures, standards, and guidelines and amend them as needed; and
  • Establishing and maintaining a process to periodically audit Information Security controls and perform security audits for compliance.

The ISO has the responsibility to:

  • Develop and maintain written policies, procedures, standards, and guidelines;
  • Perform Information Security Audits per the Information Security Audit Procedures; and
  • Provide appropriate support and guidance to assist students and employees to understand and fulfill their responsibilities under published policies.

Unit Heads have a responsibility to:

  • Ensure all employees are aware of and comply with all published policy; and
  • Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe these policies.

Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.

Active Record – A record that is necessary for the conduct of current business.

Anti-malware (“Anti-virus”) – Any software created for the purpose of removing, blocking, quarantining, or otherwise rendering malware (see below) harmless. Anti-malware typically is pre-installed on campus workstations or supplied for download to student devices. The software or its components require frequent updates in order to remain effective against new threats. It may be configured to scan the workstation or device on a regular basis in order to find and disable harmful software.

Application or Application Program – An application program (application or app for short) is a computer program designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user.

Authorized Access – Authorized access is access to ESU information given to authorized users.

Authorized Use – Authorized use of ESU-owned or operated information resources is use consistent with the education, research, and service mission of the University, and incidental personal use, provided that such use does not interfere with ESU operations, does not generate incremental identifiable costs to ESU, and does not negatively impact the user’s job performance.

Authorized Users – Authorized users are (1) current faculty, staff, students, and affiliates of the University and (2) others whose temporary access furthers the mission of the University. Authorized users gain access to University resources through the hiring process, the student admissions process, designation as a University “affiliate”, or as a guest or vendor upon approval by a University administrator.

Cloud Computing (“Cloud Hosted Computing”) – A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing consists of three service models:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Cloud Service Provider – A company that offers some component of cloud computing – typically Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) – to other organizations or individuals.

Computing Equipment – All hardware used to process, store, or transmit University data.

Connection – The physical point where a direct or virtual path (wired or wireless) is established between a device and the University network.

Control – A safeguard or countermeasure. Any administrative, management, technical, or legal method that is used to manage risk related to the confidentiality, integrity, and availability of data and Information System(s). Controls include practices, policies, procedures, programs, techniques, guidelines, and organizational structures.

Cyberbullying – The act of using information technology to bully, intimidate, threaten, or otherwise harm the perpetrator’s target.

Data Breach (“Breach”) – Accidental or intentional disclosure of Confidential or Sensitive data. See Information Classification Policy. For HIPAA purposes, a Breach is the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by law that compromises the security or privacy of the PHI.

Database – A comprehensive collection of related data organized for convenient access, generally in a computer.

Database Schema – The skeleton structure that represents the logical view of the entire database. It defines how the data is organized and how the relations among them are associated.

Decommission – The act of ceasing to use an Information System, Application and/or Database and appropriately disposing of it in a manner compliant with university records retention policies and Information Technology Services policies.

Department – Department includes academic and administrative organizational entities at ESU.

Digital Accessibility – The ability of a website, mobile application or electronic document to be easily navigated and understood by a wide range of users, including those users who have visual, auditory, motor or cognitive disabilities or impairments.

Disposition – The systematic treatment of records that are no longer active. Options for disposition are:

  • Transfer to an inactive records storage area or commercial records center,
  • Transfer to the University Archives, or
  • Records destruction.

Electronic and Information Technology (EIT) – A definition most associated with Sections 504 and 508 of the Rehabilitation Act, EIT includes information technology and any equipment or interconnected system or subsystem of equipment that is used in the creation, conversion, or duplication of data or information.  The term electronic and information technology includes, but is not limited to, telecommunications products (such as telephones), information kiosks and transaction machines, World Wide Web sites, multimedia, and office equipment such as copiers and fax machines.

Electronic Media – Any device capable of storing electronic information. This includes memory devices in computers and any removable/transportable digital media medium. This includes, but is not limited to:

  • Fixed Storage Media (spinning hard drives, solid state drives, etc.)
  • Portable Storage Media (SIM cards, flash media, USB thumb drive, etc.)

Enterprise Resource Planning (ERP) System – A system that integrates enterprise-wide information, including human resources, financials, manufacturing, and distribution, and connects the organization to its customers and suppliers. This includes systems like Ellucian and Banner.

Enterprise System or Server – A computing device used campus-wide by multiple, if not all, campus entities.

ESU Records Retention Schedule – A university-wide document that lists and governs the retention period and the disposition of identified records that are common across the ESU system.

ESU Technology Environment – The ESU computing technology used by various units including infrastructure equipment, telephony equipment, server equipment, desktop equipment, printers and various other technologies in use.

Event – A logged occurrence, including anything that modifies the system or its configuration, errors, logons and logoffs, and unsuccessful authorization attempts.

Fixed Storage Media – Any storage device contained within computing equipment that is not readily accessible or removable, such as spinning hard drives and solid-state drives (SSDs).

Immediate Supervisor – The person an employee reports to for supervision.

Inactive Records – Records that are no longer required for day-to-day business and may be obsolete. At the end of their active use, records should be systematically removed from active systems and from prime office spaces. If the retention period found in the ESU Records Retention Schedule has lapsed, the inactive records may be eligible for destruction. If the retention periods have not lapsed, or the inactive records are still required for a records hold or other legitimate business requirements, they should be managed in secure environments for appropriate lengths of time based on the Schedule prior to their destruction. Should the inactive records have permanent retention periods, they may be eligible to be formally transferred to the University Archives.

Information Assets – A body of information defined and managed as a single unit so it can be understood, shared, protected and exploited effectively.

Information assets include any information in electronic, audio-visual or physical form, or any hardware or software that makes possible the storage, transmission and use of information.

This definition includes but is not limited to electronic mail, voice systems, local databases, externally accessed databases, CD-ROM, motion picture film, recorded magnetic media, photographs, or digitized information. This also includes any wire, radio, electromagnetic, photo optical, photo electronic or other facility used in transmitting electronic communications, and any computer facilities or related electronic equipment that electronically stores such communications.

Information Custodian – Employees designated by the University to control and manage information on its behalf.

Custodians are responsible to:

  • Identify the classification level of the information according to one of the classification levels;
  • Work with the Information Security Officer (ISO) to define and implement the appropriate safeguards to protect the confidentiality, integrity, and accessibility of information;
  • Monitor the safeguards to ensure compliance and report any non-compliance issues to the Information Security Officer (ISO);
  • Develop a system of authorization for personnel requiring business access to that information and the procedures of the removal of access once it is no longer needed; and
  • Monitor the business need of the information and adjust the classification as necessary.

Information System – A discrete set of information system components organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.

Infrastructure or Infrastructure Devices – Hardware utilized for creating and managing the University Network.

Infrastructure as a Service (IaaS) – The capability for the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run their choice of software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

Learning Management System (LMS) – A learning management system is a software application or web-based technology used to administer, deliver, and assess electronic educational technology courses and/or programs. Refer to the ESU Distance Education policy for more details.

Least Privilege – Principle of limiting access, or simply providing no more authorizations than necessary to perform required functions.

Limited Access Environment – Secure space that is accessed by only necessary employees.

Long-term Retention – A retention period of more than five years (including permanent retention).

Malware – Short for Malicious Software. Any code that is created and/or used for purposes that are detrimental to (1) the User’s well-being, (2) Information Technology systems, or (3) campus information confidentiality, integrity, or accessibility. This includes (but is not limited to) computer viruses, Trojans (short for ‘Trojan Horse’), self-propagating worms, malvertisements, downloaders, keyloggers, cryptominers, rootkits, ransomware, adware, spyware, or scareware. Software tools, such as packet capture, network scanners, or remote access tools (“RATs”) that may have legitimate uses are considered malware when used for malicious purposes. Malware may also include processes, scripts, and code that, on their own, are not considered malware, but are used together in a way not intended by the author to compromise a system or user. This is also known as “Hacking”.

Metadata – The data providing information about one or more aspects of other data; it is used to summarize basic information about data which can make tracking and working with specific data easier.

Mobile Computing Device (“Mobile Device”) – Any type of device that is designed to be moved and is capable of collecting, storing, transmitting, or processing electronic data or images. Movement in this case refers to the device generally not having a fixed connection to the network. Examples of mobile computing devices include but are not limited to a laptop or tablet computer, smartphone, or portable storage media.

Personally Identifiable Information (PII) – Any information that can be used on its own or with other information to identify or locate a single person.

Record – Any writing, regardless of physical form or characteristics, containing information relating to the conduct of the University, prepared, owned, used, or retained by an operating unit or employee of the University. “Writing” means handwriting, typewriting, printing, photostatting, photographing, photocopying, transmitting by electronic mail or facsimile, and every other means of recording upon any tangible thing any form of communication or representation, including letters, words, pictures, sounds, or symbols, or combination thereof, and any record thereby created, regardless of the manner in which the record has been stored.

The term “administrative record” is used to describe any record that documents or contains valuable information related to the organization, functions, policies, decisions, procedures, operations, or other business activities of the university.

Records Custodian – The individual with responsibility for maintenance of the records of a university department or unit.

Records Life Cycle – The three stages through which records are managed:

  • Creation or receipt;
  • Use;
  • Disposition.

Records Management Coordinator – The individual in each department responsible for the development, coordination, implementation, and management of the Records Management Program at that location.

Records Retention – The maintenance of records for prescribed time periods.

Platform as a Service (PaaS) – The capability for the consumer to deploy consumer-created or acquired applications developed using programming languages, libraries, services, and supported tools onto a cloud infrastructure, administered by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Portable Storage Media – Any storage device or media that is easily accessible, removed, and transported from one device to another with equivalent functionality. Examples include, but are not limited to:

  • SIM Cards
  • Flash media
  • USB thumb drives
  • Tapes
  • Optical discs (CDs, etc.)
  • Floppy disks
  • Mobile Computing Devices containing non-removable storage
  • Portable hard drives

Responsible Office – The University unit, department, or office that is the primary user or owner of the information system, application, or database. This office often functionally administers, and is the subject matter expert for, the data within the information system.

Secure(d) – Information, a device, or technology that has been assessed for risks and has security controls in place.

Security Control – Something put into place to mitigate security risks, which may include policies, procedures, standards, or technology enforcements such as firewalls, password requirements, traffic-shaping devices, or network access control devices.

Security Incidents – Security incidents include any actions that have the potential to pose a serious risk to campus information system resources or the Internet. Examples include, but are not limited to, creating and propagating viruses and/or worms, obtaining or allowing unauthorized access to University resources, deliberate attempts to degrade the performance of a computer system or network, deliberate attempts to deprive authorized personnel of access to any University computer system or network, or otherwise intentionally disrupting services or damaging equipment, software, files, or data.

Shared Resources – A shared network storage device.

Short-term Retention – A retention period of five years or less.

Software as a Service (SaaS) – The capability for the consumer to use the provider’s applications running on a cloud infrastructure. SaaS-based applications are accessible from various client devices through either a thin-client interface, such as a web browser (e.g., web-based email or an LMS), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Transmitting – An action taken to send data from one system to another primarily through the use of FTP, email (whether in the body of the message or an attachment) or upload to/download from a website.

Unit – Academic and administrative organizational entities at ESU.

Unit Head – Chair, director, or supervisor of a unit.

Unit Support Personnel – Employees designated by the unit to be responsible for maintaining the safeguards established by IT Support Personnel. Unit Support Personnel are responsible to:

  • Implement the appropriate safeguards defined by IT to protect the confidentiality, integrity, and accessibility of technology assets; and
  • Monitor the safeguards to ensure compliance and report any non-compliance issues to the ISO.

University information or data – Any information or data generated, accessed, modified, transmitted, stored, or otherwise used by the University.

The University Network, ESU Network, or ESU Computing Environment – The University Network, ESU Network, or ESU Computing Environment is an infrastructure of electronic and optical distribution hardware, control software, and wired and wireless media. The University network utilizes various technologies to transport voice, video, and data. The University network begins at the point where an end-user device (located on University-owned or leased property) gains access to this infrastructure and ends at the point where the University network attaches to external non-ESU networks. End-user devices that indirectly connect via a third-party telecommunications provider (for example, a connection made to the ESU network via a home broadband or dial-up connection) are not considered part of the University network or ESU Computing Environment.

User – Any person who utilizes the University network for transmitting and/or receiving information.

VPN – Virtual Private Network, allowing a secure connection between a remote computer and the University Network.

Vulnerability – Any weakness in an Information Technology system that may provide an opportunity for a potential attacker to gain access to that system in such a way that it can be used for malicious purposes.

Vulnerability Scan – Scans using specialized tools for the detection of vulnerabilities within the Information System.

Wired and Wireless Device – Any device that is connected to the University network for the purpose of transmitting and/or receiving information, including but not limited to computers, printers, servers, telephone instruments, and video equipment such as television sets and conferencing systems.

Workstation – Computer(s) assigned to one or more University employees for conducting university business.

Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of Information Technology.

[Information Technology procedures - coming soon]

Related Policy Information: [coming soon]

History and Revisions

Adoption Date:
10/20/2006 [FSB 06009 passed by Faculty Senate and included in UPM as Policy 3J.02]
Revision Date:
09/04/2009 [Policy 3J.01 revised by Information Security Officer]
10/13/2009 [FSB 09001 passed by Faculty Senate on 10/06/2009 and approved by President, revising Policy 3J.02]
10/02/2013 [Policy 3J.01 updated]
12/03/2019 [Policy 3J.02 updated by IS]
02/18/2020 [Policy 3J.02 amended and approved by ISAC on 02/05/2020 and removed from Faculty Senate]
03/09/2020 [FSB 1905 passed by Faculty Senate on 02/18/2020, approved by President, and included in UPM as Policy 3J.0101]
08/15/2024 [UPM Policies 3J.01, 3J.0101, and 3J.02 combined as part of UPM Revision]