
24.99.01.L1 Security of Electronic Information Resources

GENERAL

Texas A&M International University's electronic information resources are vital academic and administrative assets which require appropriate safeguards. Computer systems, networks, and data are vulnerable to a variety of threats. These threats have the potential to compromise the integrity, availability, and confidentiality of the information. Effective security management programs must be employed to appropriately eliminate or mitigate the risks posed by potential threats to the University's information resources. Measures shall be taken to protect these resources against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate.

Texas A&M International University, as a State University, is required to comply with the Texas Administrative Code on "Information Security Standards". The Texas Administrative Code assigns responsibility for protection of information resources to the President. For the purposes of this rule, the authority and responsibility regarding the University's compliance with the Texas Administrative Code on Information Security Standards has been delegated by the President to the Associate Vice President for Information Technology/CIO.

DEFINITIONS

Confidential Information - Information that is exempted from disclosure requirements under the provisions of the Texas Public Information Act or other applicable state or federal laws. Most student records are confidential records.

Mission Critical Information - Information that is defined by Texas A&M International University or any division thereof (department, etc.) to be essential to its function(s) and whose loss would cause severe detrimental impact if the data/system were unable to be restored in a timely fashion.

Owner - A person responsible for a University function and for determining controls and access to electronic information resources supporting that University function.
Custodian - A person (or department) providing operational support for an information system and having responsibility for implementing owner-defined controls and access privileges.

Security Officer(s) - A person (or persons) within the Office of Information Technology designated by the Associate Vice President for Information Technology/CIO to assess and report the security posture of information systems and measure compliance with the TAC Information Security Standards.
RESPONSIBILITIES

The Associate Vice President for Information Technology/CIO has designated the Security Officer(s) as the entity responsible for administering the provisions of this rule and the TAC Information Security Standards.

The head or director of a department shall be responsible for ensuring that an appropriate security program is in effect and that compliance with this rule and the TAC Standards is maintained for information systems owned and operationally supported by the department. The head or director of a department that provides operational support (custodian) for information systems owned by another TAMIU department shall have the responsibility for ensuring that an appropriate security program is in effect and that compliance with the TAC Standards is maintained for the supported information systems. Operational responsibility for compliance with the TAC Standards may be delegated by the department head or director to the appropriate information system support personnel (e.g., System Administrators) within the department.

Mission Critical or Confidential Information maintained on an individual workstation or personal computer must be afforded the appropriate safeguards stated in the TAC Standards. It is the responsibility of the operator, or owner, and/or departmental Systems Administrator of that workstation or personal computer to ensure that adequate security measures are in place.

The Office of Information Technology shall provide a checklist for the protection of critical and confidential information based on NIST. The intent of implementing the checklist is to establish guidelines for the proper storage, transmittal, and transport of confidential data. All University.
In addition to using this checklist, the OIT requires all departments to take the following measures:

- Confidential or sensitive data, regardless of its form (electronic, print, or computer screen), must be protected from theft, unauthorized viewing, disclosure, access, copying, modification, creation, or destruction by people not authorized to access such data or perform such actions.
- Encrypt all data on mobile computers and devices that carry confidential data.
- Log all computer-readable data extracts from databases holding confidential information, and verify that each extract containing sensitive data has been erased after 90 days or once its use is no longer required, as outlined in the University document retention policy.
- Placing confidential data, regardless of its form or format, into a global or public shared network folder is forbidden.
- All paper copies of confidential or sensitive information must be secured during storage and transportation and must be disposed of when no longer needed.

