Information Security Policy
Purpose
The purpose of this policy is to provide a security framework that will ensure the protection of University Information from Unauthorized Access, loss, or damage while supporting the open information-sharing needs of our academic culture. University Information may be verbal, digital, and/or hardcopy, individually controlled or shared, stand-alone or networked, and used for administration, research, teaching, or other purposes.
Scope
This policy applies to all University activities, whether on campus or off, and to all University Information regardless of the medium in which it is stored (paper, electronic, etc.) or shared (electronically, verbally, visually, etc.). This policy applies to all staff, faculty, students, and anyone accessing University Systems or information contained on those systems, such as visitors, vendors, and contractors.
Policy History
Effective Date: April 28, 2025
Approval: April 28, 2025
Policy History:
- Approved in Original Form: April 28, 2025
Maintenance of Policy: Vice President and Chief Information Officer, University of Dayton Information Technology (UDit); Assistant Vice President for Compliance, Environmental Health & Safety, Division of Audit, Risk and Compliance; and Vice President and General Counsel, Office of Legal Affairs
Definitions
1. Authentication – the process or action of verifying the identity of a user or process.
2. Authorization – the function of establishing a user's or process’ privilege levels to access and/or handle information.
3. Data Governance – a discipline that focuses on the quality, security, and availability of an organization’s data. Benefits include:
a. Manage data as a key university asset
b. Improve ability to create, preserve, and disseminate knowledge
c. Define and monitor quality standards
d. Support easier access to data assets with proper protection
e. Improve efficiency, quality, and trust in data management decisions
f. Record, manage, and utilize data and metadata dictionaries
g. Reduce risk through regulatory, policy, and procedural compliance
More information may be found on the University’s Data Governance website.
4. Data Steward – within Data Governance, the individuals who are responsible for ensuring that data is managed effectively throughout its lifecycle, from creation or acquisition to retirement. Key activities include defining data policies and procedures, ensuring compliance with regulatory requirements, managing data quality and consistency, facilitating data integration and sharing, managing data security and privacy, providing training and support to users of data, and monitoring and auditing data usage and access. A list of general data types and the associated data stewards may be found on the University’s Data Governance website under Teams and Members, Data Governance Core Group.
5. Sensitive Information – any information other than that intended to be made available to anyone inside and outside the University (classification level of Low/Public as described below). Note that UDRI’s Sensitive Information Control Procedure further defines Sensitive Information and provides details for those working on sponsored projects managed through UDRI.
6. Unauthorized Access – looking up, reviewing, copying, modifying, deleting, analyzing, sharing, or otherwise handling University Information without authorization and legitimate business need.
7. University Information – information that the University collects, processes, or stores, regardless of its source. This includes information in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.
8. University Systems – University-owned or controlled computing devices, data networks, software, databases, servers, and facilities. Such systems may be operated on campus or in the cloud. Examples of University Systems include, but are not limited to, computers, network file shares, networkable copiers, University-provided wireless networks (WiFi), and University-provided software or services.
Policy
The University is entrusted with a great deal of information from applicants, students, alumni, employees, business partners, the government, and other sources. That information is critical to the University's teaching, learning, and research mission and to the administrative functions that support that mission. The loss or misuse of information can cause substantial injury to the University, its constituents, and/or affiliates in terms of financial loss, regulatory penalties or exclusions, reputational damage and/or operational capability.
All University community members are responsible for the security of the information entrusted to them and taking affirmative steps to prevent unauthorized disclosure or loss. This policy sets forth the security requirements all University community members must follow to meet that responsibility.
A. Classification Levels
All University Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information. When combining information, the classification level of the resulting information must be re-evaluated independently of each source information’s classification to manage risks.
The classification levels are:
1. Restricted
University Information is classified as Restricted if inappropriate use could result in criminal or civil penalties, identity theft, personal financial loss, invasion of privacy and/or unauthorized access. Examples of Restricted University Information include, but are not limited to:
- Social security number
- Bank account, credit/debit card, or other financial information
- Protected health information (as defined by HIPAA)
- Information labeled as Controlled Unclassified Information (CUI) or Export Controlled Information (ECI)
Restricted University Information may not be accessed without the relevant Data Steward’s authorization. When dealing with Restricted University Information, it must be accessed exclusively through University-provided systems, services, shared drives, and established processes. Any other use of Restricted University Information requires the approval of the relevant Data Steward.
UDRI administers sponsored research in a variety of areas, many with very demanding compliance requirements. The definition of terms such as sensitive, classified, and classification may differ from those presented here. If you work on a sponsored project managed through UDRI, make sure to review the Sensitive Information Control Procedure, Security Standard Practices Procedure and other published guidance. If you have any questions, please reach out to the Facility Security Officer.
2. High / Sharing Allowed Between Specific University Groups
University Information is classified as High if it falls outside the Restricted classification, but is not intended to be shared freely within or outside the University due to its sensitive nature and/or contractual or legal obligations. Examples include, but are not limited to:
- All non-Restricted information contained in personnel files, misconduct, or law enforcement investigation records
- Education records (as defined by FERPA)
- Personally identifiable information (PII) not designated directory information where the information could lead to identity theft or other misuse
- Budget and salary information
High University Information may not be accessed without the relevant Data Steward’s specific authorization. When dealing with University Information classified as High, any use outside of University-provided systems, services, shared drives, and established processes should be coordinated with the relevant Data Steward.
3. Medium / Sharing Unrestricted Within the University
University Information is classified as Medium if it falls outside the Restricted and High categories, but is not considered public information. This category may be accessed by eligible employees and designated appointees of the University for University business, but is not intended to be freely shared either within or outside the University. Examples include, but are not limited to:
- University ID numbers
- University directory information
- Non-public contracts
- Internal memos, emails and reports
This information may be used within any system requiring University authentication.
4. Low / Public
University Information is classified as Low if intended to be made available to anyone within or outside the University.
The four classification levels laid out above comprise the entirety of the University’s data classification categories. Sharing of Sensitive Information externally may be permissible if necessary to meet the University’s legitimate business needs. Except as otherwise required by law (or for purposes of sharing between law enforcement entities), sharing with parties outside the University, including contractors, requires written agreement (i) to take appropriate measures to safeguard the confidentiality of the information; (ii) not to disclose the information to any other party for any purpose absent the University’s prior written consent or a valid court order or subpoena; and (iii) to notify the University in advance of any disclosure pursuant to a court order or subpoena unless the order or subpoena explicitly prohibits such notification.
Additionally, handling of University Information from any source other than the University may require compliance with both this policy and the requirements of the individual or entity that created, provided, or controls the information. If you have concerns about your ability to comply, consult the relevant Data Steward.
Responsibilities
Based on its classification, University Information must be appropriately protected from Unauthorized Access, loss, and damage. While all members of the University community share the responsibility for safeguarding University Information, the following individuals/offices have a heightened expectation as outlined below:
A. Data Steward: Responsible for authorizing access to the University Information for which they are the primary University executive in charge of that functional area (e.g., student academic records fall under the purview of the Registrar). Also responsible, individually and as members of the Data Governance Committee, for developing policies, procedures, standards, and training specific to their data.
B. Data Custodian: Responsible for the technical environment where data resides. Data Custodians must confirm the secure collection, processing, storage, and transport of University Information in whatever format (e.g., electronic, paper, verbal).
C. UDit: Responsible for the implementation and auditing of functional controls which support the restriction of access to information to individuals with a legitimate business function that have been appropriately approved for such access.
Together, the three groups above carefully consider things like authentication, role-based authorization, compliance requirements, server best practices, data-specific training, the effects of new technologies such as Artificial Intelligence, etc., to help ensure that University Systems are architected appropriately.
D. For their part, all University faculty, staff, students (when acting on behalf of the University through service on University bodies), and others granted use of University Information are expected to:
- Understand the information classification levels described above and handle information in a manner consistent with the information's classification level and type;
- Access information only as needed to meet legitimate business needs;
- Contact the Office of Legal Affairs and the relevant Data Steward before responding to requests for information from regulatory agencies, inspectors, examiners, and/or auditors or to any litigation or law enforcement subpoenas, court orders, media requests and other information requests from private litigants and government agencies. Requests made by UD’s Public Safety personnel should be accommodated; and
- Report incidents or suspicious activity related to securing University Information to UD's IT Security Director.
Additional guidance may be found in Appendix A, Information Security Practices.
Violations of this policy may result in disciplinary action up to and including separation from the University.
Appendix A to Information Security Policy
Information Security Practices
Generally, users of University Systems may expect that their personal communications, activities, and information will not be monitored or examined by the University. Exceptions are noted in the University’s Fair, Responsible, and Acceptable Use Policy and may be exercised as necessary for reasons such as, but not limited to, maintaining the integrity and quality of service, investigating a potential breach of security or violation of law or University policy, as required by law, upon departure from the University, or in the event of an unplanned leave of absence.
Through their work, however, University employees may be entrusted with access to the personal information of other individuals as well as other information. To help ensure the University is performing its due care, it needs to balance security and privacy and highlight the following practices so that all the information collected, processed, stored, and transported is managed in accordance with best practices.
The following guidelines are meant to establish a secure baseline for handling university data. Any published guidance provided or exceptions granted by the relevant Data Steward(s) will take precedence over this policy. If you have any questions or would like to request permission to share data outside of established processes or approved systems, submit a Data Request or Question for Data Steward. Tickets will be routed to the appropriate Data Steward(s) for quick reply and/or approval.
A. Protect System and Network Access
UD’s systems and services are the tools we use to manage our information and operations. Community members are provided a University account they can use to access those systems, services and information specific to their roles. Specific to the accounts we use to access our networks and systems, guidelines include, but are not limited to, the following:
- Know and follow the requirements of the University's Fair, Responsible and Acceptable Use and other University policies.
- Do not use University systems in a way that negatively impacts the functioning or availability of those systems.
- Treat credentials for access to University Systems (e.g., usernames and passwords) as Sensitive Information. Such credentials are non-transferable and should never be shared, even with UDit or unit technical support staff. Also, safeguard any physical keys, ID cards, multi-factor authentication tokens or devices, etc., that allow one to access University Information, University Systems, or its facilities.
- Do not reuse your University password(s) for non-University systems. For systems not integrated with the University’s central identity management system, use a different, strong password and multifactor authentication.
- Personal, non-University accounts should not be used for work, and conversely, University accounts should not be used for personal activities.
B. Protect the Confidentiality of Information
Access to University Information is granted based on an individual’s role at the University. Specific to provisioned access, guidelines include, but are not limited to, the following:
- Do not attempt to access University systems unless authorization has been approved. Access may be requested as documented in the University’s Confidentiality Agreement Requirement for Access to UD’s Central Systems policy or otherwise specified by the relevant Data Steward for the data, systems, or services in question.
- Employees are responsible for completing the University's annual online security awareness training as well as any subject/information-specific training assigned to them by Data Stewards.
- Access or modify University Information only as needed to meet legitimate business needs.
- Do not share information classified as Restricted or High, internally or externally, except as a part of established processes and/or approved by the relevant Data Steward.
- Do not leave paper documents containing Sensitive Information where they are accessible to those who do not have a legitimate need to know that information. Secure all such documents in a locked suite, office, desk, or file cabinet.
- Email is generally not considered a secure method of sharing information and can be sent to the wrong person or intercepted if not configured appropriately. Do not email information classified as Restricted or High unless you are certain the body itself contains nothing sensitive and any attachments are appropriately encrypted or linked and shared through a supported storage solution requiring authentication such as Google Drive or Box or pursuant to University or departmental procedures regarding the sharing of such information.
- Do not use personal accounts, equipment, or media to store University Information.
- Minimize what you store on your work computer; only keep what you need.
- While you can keep copies of University Information on your work computer’s hard drive, that shouldn’t be the only copy of important information or work. Make sure you back up your work to a storage solution approved by the relevant Data Steward.
- Protect the intellectual property of others (see UD’s Intellectual Property Policy).
- Fax Sensitive Information only after confirming that the receiving fax machine is located in a secure area accessed only by those with a legitimate need to see the information being transmitted.
C. Dispose of Information and Equipment Properly
Equipment and media containing University Information should be properly disposed of when no longer needed. Guidelines include, but are not limited to, the following:
- Dispose of all University computer equipment in accordance with the University's Disposal and Redisposition of IT Equipment and Removable Media Policy. Such equipment may not only contain sensitive University Information that must be removed, but also hazardous materials requiring special handling.
- Discard media containing University Information in a manner consistent with the information’s classification and any applicable requirements as laid out in the University’s Record Retention Policy and Schedule. This includes information contained in any hard copy document (such as a memo or report) or any electronic, magnetic, or optical storage medium (such as a memory stick, CD, hard disk, magnetic tape, or disk).
- Shred all written documents containing Sensitive Information when they are no longer required.
Work should be performed on properly configured and provisioned equipment. Guidelines include, but are not limited to, the following:
- Employees shall access University Systems and University Information on University-provided equipment. If working remotely, employees should use the University’s VPN solution to access non-public resources. If University equipment isn’t available, employees shall use the Virtual Desktop solution outlined at go.udayton.edu/keepworking. If necessary, University employees may access University Information not classified as Restricted through services on their personal devices, provided these services require use of University Authentication and the employee does not download or store data or attachments locally. Employees must also adhere to the email requirements outlined above and perform proper device maintenance. Any other access, storage, or transmission of University Information on personal devices or through personal consumer services requires prior approval from the relevant Data Steward.
- Do not download or install computer software on UD-provided equipment or onto University Systems without prior approval, except for software available through the software portal. Local administrator access to University-provided equipment requires approval.
- Mobile devices and removable media pose an increased security risk due to their portability and must be kept up to date, encrypted, and protected by a PIN/password.
- Personal devices used for the conduct of University business may need to be collected and examined if they or their contents are determined to be relevant to an incident or litigation.
E. Report Potential Information Security Incidents
Any suspected IT incident should be reported immediately to the University’s IT Security Director - through the IT Security Incident Reporting Form, at itriskmgmt@udayton.edu or 937-229-4387 - who will coordinate the appropriate parties and activities to develop and implement a response. IT security incidents include, but are not limited to, fraudulent communications or service calls, malicious software, loss/theft of equipment, and unauthorized access to data.