Policy Category | Policy No. & Title | Policy Owner | Effective Date | Revision Number | Revision Eff. Date | Review Cycle |
X Information Governance, Security & Technology | X-1.13 Employee IT Security | VP of Information Security | July 1, 2021 | N/A | N/A | Annual |
Purpose
The purpose of this policy is to establish information security standards for the Employee IT Security processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.
Scope and Applicability
This policy applies to all University Information Systems and Information Technology Resources. Human Resources and Information System Stewards are responsible for adhering to this policy.
Definitions
Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
Employee IT Security
Human Resources, Information System Stewards or their designee must comply with applicable University Employee screening policy(ies) to ensure that any Users who will have access to University Information Systems that contain Controlled Unclassified Information (CUI) are adequately vetted before access is granted.
All individuals must be screened prior to authorizing access to University Information Systems containing CUI.
University Information Systems containing CUI must be protected during and after employment actions such as terminations and transfers. Information System Stewards, or other appropriate University Employee, should confirm that when a user leaves:
All University IT equipment (e.g., laptops, cell phones, storage devices) is returned,
All User identification/access cards and/or keys are returned, and
A written notification is provided to remind the User of their obligations to not discuss CUI, even after employment.
Individuals must comply with the Account Management, Media Protection, and Physical Access policies when Employees transfer or are terminated.
Exceptions
Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.
Enforcement
Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.
Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
Related Policies
Account Management
Data Classification
Identity and Access Management
Information Security
Media Protection
Effective Date: This policy is effective as of the Effective Date set forth above.