TigerSecurity Policy

Policy Title

Information Security Policy

  1. PURPOSE
    1.1 The purpose of this Information Security Policy is to establish and execute an Information Security program that will:

1.1.1 Implement the University’s policies, plans, procedures, and guidelines related to Information Security to ensure compliance with applicable laws, regulations, and University standards;

1.1.2 Protect the confidentiality, integrity, and availability of the University’s IT Resources; and

1.1.3 Effectively respond to Information Security Incidents to minimize financial and reputational damage.

  2. SCOPE
    This policy applies to all Users of the University’s IT Resources.

 

  3. POLICY STATEMENT

3.1 Information Security Program Authorizations

3.1.1 Establishment and execution of the overall Information Security Program is delegated to the Chief Information Security Officer, Office of Information Security.

3.2 Information Security Program Requirements

3.2.1 The University’s IT Resources are managed in accordance with applicable policies, procedures, standards, and guidelines. The University’s IT Resources include all Computing Devices and Information Systems that access, store, or process Information within the University Computer Network or in a vendor-hosted cloud environment.

3.2.2 The University’s Information is classified, stored, protected, and transmitted in accordance with applicable policies, procedures, standards, and guidelines. This includes all Information pertaining to student records, administration, research projects, and federal or state Information pertaining to the University.

3.2.3 University IT Resources and Data are subject to monitoring and inspection. Access to IT Resources may be restricted when:

3.2.3.1 Authorized Departments of the University or law enforcement agencies present safety or welfare concerns;

3.2.3.2 The CISO considers it reasonably necessary to maintain or protect the integrity, security, and functionality of the University’s IT Resources;

3.2.3.3 The CISO determines there is reasonable cause to believe University policy has been violated or IT Resources misused; and/or

3.2.3.4 Information Systems or User Accounts appear to be engaged in unusual activity.

3.2.4 The CISO, or authorized designee, will address Information Security Incidents related to University IT Resources according to applicable incident response plans, policies, and procedures. All Users with access to the University’s IT Resources are expected to cooperate during Information Security Incident investigations and remediations.

3.3 RECOURSE FOR NONCOMPLIANCE

3.3.1 In cases where the University’s IT Resources are actively threatened, the CISO will secure the IT Resource in a manner consistent with the Information Security Incident Response plan. This may involve suspending access to IT Resources for affected User Accounts and/or Information Systems until the threat is contained.

3.3.2 The CISO is authorized to limit Computer Network access for individuals or Departments not in compliance with applicable Information Security policies and procedures.

3.3.3 In cases of noncompliance with this Policy, the University may apply appropriate User sanctions or administrative actions, in accordance with applicable administrative, academic, and employment policies.

3.4 EXCEPTIONS
Requests for exceptions to Information Security policies (including this policy) may be granted for Information Systems with Compensating Controls in place to mitigate risks. Requests must be submitted to the CISO for review and approval pursuant to implementation of exception procedures. Exception requests can be sent via email to security@clemson.edu for evaluation.

 

  4. ADDITIONAL RESOURCES

 

  5. RESPONSIBLE DEPARTMENT
    The Office of Information Security, security@clemson.edu

 

  6. APPROVAL & REVISION HISTORY
    President Approval: May 23, 2022
    Last Date of Revision: December 2008
    Originally Issued: December 4, 2007