UMGC Policy X-1.13

Employee IT Security

Policy Category: X Information Governance, Security & Technology
Policy No. & Title: X-1.13 Employee IT Security
Policy Owner: VP of Information Security
Effective Date: July 1, 2021
Revision Number: N/A
Revision Eff. Date: N/A
Review Cycle: Annual

  1. Purpose

    The purpose of this policy is to establish information security standards for the Employee IT Security processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

  2. Scope and Applicability

    This policy applies to all University Information Systems and Information Technology Resources. Human Resources and Information System Stewards are responsible for adhering to this policy.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.
    1. Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.
    2. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
    3. Controlled Unclassified Information (CUI): A categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination.
    4. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
    5. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.
    6. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
    7. Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.
    8. Employee IT Security: The discipline of assessing the conduct, integrity, judgment, loyalty, reliability, and stability of individuals for duties and responsibilities requiring trustworthiness.
    9. User: A University community member, including, but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the University, including third-party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use, or control University Data.
  4. Employee IT Security

    Human Resources, Information System Stewards, or their designee must comply with applicable University Employee screening policy(ies) to ensure that any Users who will have access to University Information Systems that contain Controlled Unclassified Information (CUI) are adequately vetted before access is granted.

    1. All individuals must be screened prior to authorizing access to University Information Systems containing CUI.

    2. University Information Systems containing CUI must be protected during and after employment actions such as terminations and transfers. Information System Stewards, or another appropriate University Employee, should confirm that when a User leaves:

      1. All University IT equipment (e.g., laptops, cell phones, storage devices) is returned,

      2. All User identification/access cards and/or keys are returned, and

      3. A written notification is provided to remind the User of their obligations to not discuss CUI, even after employment.

    3. Individuals must comply with the Account Management, Media Protection, and Physical Access policies when Employees transfer or are terminated.

  5. Exceptions

    Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

  6. Enforcement

    1. Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.

    2. Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

  7. Related Policies

    1. Account Management

    2. Data Classification

    3. Identity and Access Management

    4. Information Security

    5. Media Protection

  8. Effective Date: This policy is effective as of the Effective Date set forth above.