Clemson IT policies and procedures updated

Ryan Real, Communications & Marketing
July 18, 2022

CCIT and Clemson leadership regularly revisits its computing policies and procedures to ensure they meet usage, compliance and technological standards. After thorough review, several policies have been updated in 2022. CCIT will continue to update and create more policies as needed.

New policies and procedures

• Acceptable Use of IT Resources Policy (NEW)
  • replaces Use of IT Resources for Employees and Students policies
• Account and Password Management Policy (NEW)
  • replaces Usernames and Password Policy
    
• Incident Reporting Procedures (NEW)
• Information Security Policy (NEW)
• Glossary of Terms added

Key points from the new Acceptable Use Policy

• 2.1 All data pertaining to student records, administration, research projects, federal or state Information, and other data owned or processed by the University shall follow the University’s Data Classification Standards, and must be appropriately safeguarded in accordance with the University’s Minimum IT Security Standards.
• 4.2 All information systems (includes items such as computers, servers, mobile devices, personally owned devices and others) must be configured and maintained in accordance with the published Minimum IT Security Standards. Users are advised to review security standards on a regular basis and reach out to CCIT or local IT support for assistance.
• 6.1 Personally owned computers and mobile devices used for University business are subject to this policy and must comply with the Minimum IT Security Standards.
• 6.2 Access to confidential or restricted data through a personally owned computer or mobile device requires coordination with the Office of Information Security to ensure appropriate safeguards are utilized.
• 6.3 Confidential or restricted data must not be saved to personally owned computers or mobile devices.

Minimum IT Security Standards

• Endpoints, which are any devices that connect to the Clemson network, was redefined to include any desktop or laptop purchased by Clemson and issued to a user.
• All employee endpoints are now required to follow University standards for configuration management, system patching and local encryption through your area’s IT consultant.

Key points from the Accounts and Passwords Policy

• Visitor and miscellaneous accounts that will have access to confidential or restricted data require approval from the Office of Information Security. If you are unclear about your account privileges, please contact the CCIT Support Center.
• Each information system owner must annually review all user accounts with access to that system, storage or service. Information systems include hardware and software that collect, store and process data,  such as PeopleSoft, departmental drives, Box storage, and others.
• Access permissions for IT resources must be given using the principle of least privilege, which is the minimum access required based on a user’s assigned roles and responsibilities.
• No user is permitted access to confidential and restricted information without approval of the applicable Data Trustee or Data Steward.
• A password change is required if a user account has been compromised or is suspected of being compromised.