Information Security

Purpose

The purpose of this policy is to protect University Information and Information Resources that must be protected throughout their lifecycle, including when created or collected, stored, transmitted or transferred, and destroyed.

To accomplish this objective, administrative, technical, and physical safeguards must be in place to adequately protect Information Resources, while supporting their use in furthering UMGC's mission.

1. This policy applies to Information Resources residing in UMGC internal or external environments that store or process UMGC Data.
2. This policy and its supporting standards and procedures apply to all Users who use or have access to UMGC Information and information Resources.
3. This policy applies to any Information System or Information Resource that is owned or managed by the University.

Definitions

Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

1. Availability: The principle of ensuring timely and reliable access to and use of Information based upon the concept of Least Privilege.
2. Confidentiality: The principle of preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
3. Confidential Data: Data that requires restrictions on access and disclosure, including the protection of personal privacy and proprietary information.
4. Data: Elements of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.
5. Data Steward: The UMGC employees, or designees, who are responsible for determining User access and assigning Data Classifications to data originating from or residing in their respective business units.
6. Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
7. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
8. Information Resources: Anything that is intended to generate, store, or transmit Information.
9. Information Security Program: Provides a formal structure for (1) developing and maintaining University-wide security policies, (2) defines security principles that safeguard University computing resources, and (3) ensures compliance with internal and external regulations.
10. Information Systems: Inter-related components of Information Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of Information.
11. Integrity: The principle of ensuring records and the Information contained therein are accurate and authentic by guarding against improper modification or destruction.
12. University: University of Maryland Global Campus (or “UMGC”)
13. User: A member of the UMGC community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of UMGC, including Contractors, volunteers and other individuals who may have a need to access, use or control UMGC Data.

1. All Users with access to the University's Information Resources or Information Systems are responsible for reviewing and understanding all UMGC Information Security Policies.
2. The Sr. Director, Information Security and Information Technology Operations are responsible for monitoring compliance with this policy.

1. The University must establish and maintain an Information Security Program that protects all UMGC Information and Information Resources, commensurate with risk. The University System of Maryland ("USM") IT Security Standards shall serve as the framework for UMGC's Information Security Program.
2. The University must establish appropriate security controls that comply with USM IT Security Standards to support the University's Information Security Policy. The security control areas will include Asset Control, Asset Management, Audit & Accountability, Awareness & Training, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Recovery, Risk Management, Security Assessment, Situational Awareness, System & Communications Protection, and System & Information Integrity.
3. The University must establish enforcement for non-compliance with control standards and procedures or for violation of applicable laws or regulations.
4. This policy's further objective is to control standards and procedures to help ensure the following:
   1. Information Resource Availability
      The Information Resources of the University are available to support the teaching, learning, or administrative roles for which they are designated.
   2. Information Integrity
      The Information used in teaching, learning, or administration is guarded against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
   3. Information Confidentiality
      Information is adequately safeguarded against unauthorized access and disclosure, including means for protecting personal privacy and proprietary information.

1. Suspected violations will be investigated and may result in disciplinary action in accordance with University codes of conduct, policies, or applicable laws. Sanctions may include one or more of the following:
   1. Suspension or termination of access
   2. Removal of devices determined to be using the University's networking resources inappropriately or in violation of the Acceptable Use Policy.
   3. Termination of employment
   4. Student discipline in accordance with applicable University policies
   5. Civil or criminal penalties
2. Report suspected violations of this policy to infosec@umgc.edu, or to the appropriate Data Steward. Reports of violations are considered Confidential Data until otherwise classified.
3. The University reserves the right to disconnect any resource from UMGC networks until suspected Security Incidents are resolved.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
3.  Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021

1. UMGC Policy X-1.02 Data Classification
2. UMGC Policy X-1.12 Acceptable Use
3. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
4. UMGC Policy X-1.19B Account Management (UMGC Workforce)