University of Minnesota
Information Technology Security Charter

Introduction

 

The University of Minnesota (UMN) values the use of information technology in supporting the mission of the University.  The University is committed to preserving the confidentiality, integrity, and availability of information regardless of the form it takes—electronic or non-electronic.  Improper use of information resources may result in harm to the University and its mission of teaching, research, and outreach. University information, whether managed and residing on UMN resources or held in trust and managed by a third party or business partner, is an important asset that must be protected.  Any person or organization that uses or holds in trust these assets has a responsibility to maintain and safeguard them.

 

Mission and Objectives

 

The mission of the Office of Information Technology Security and Assurance (OITSEC) is to support the goals of the University by safeguarding UMN information and assets from unauthorized disclosure, use, modification, or loss.  One of OITSEC’s primary objectives is to develop proactive technical and non-technical measures to help identify and prevent security risks and to provide an effective response in cases where those measures fail.

 

Scope

 

The Chief Information Officer (CIO), as a system officer, has delegated operational responsibility to OITSEC for information security on all campuses of the University for information technology assets belonging to the University.  IT Professionals and staff throughout the University are partners in helping assure the confidentiality, integrity, and availability of University information.

 

To safeguard University information resources, OITSEC has delegated operational responsibility to remove electronic devices from the network and, as appropriate, retrieve equipment and data as part of an investigation.  OITSEC will seek to minimize the negative impact on operations to the extent possible while fulfilling its responsibilities.  OITSEC will work closely with the Office of the General Counsel as necessary to help protect the privacy of members of the University community when fulfilling its responsibilities.

 

 

Roles and Responsibilities

 

Chief Information Officer responsibilities:

  • Identify and delegate responsibility for information security
  • Approve technical security policies/standards/guidelines
  • Report periodically to senior administration and the Regents

 

OITSEC responsibilities include:

  • Protecting the University network, systems, and data
  • Coordinating with designated campus, collegiate, or unit technical and security staff to ensure the confidentiality, integrity, and availability of University systems and ensure that appropriate and timely action is taken
  • Investigating reported and discovered security incidents
  • Presenting information to the Security Advisory Committee and CIO
  • Receiving reports of security incidents and coordinating investigation as necessary
  • Determining risk reduction and mitigation steps necessary to protect University assets
  • Coordinating with the unit administrative and technical/security staff to assure that appropriate diagnostic, protective, remedial, and other actions are taken as necessary to protect University resources
  • Coordinating with the appropriate University offices (compliance, legal, human resources, and student conduct) as well as external organizations as necessary
  • Reporting security-related metrics and results periodically
  • Coordinating compliance activities for various regulations, laws, and contractual commitments
  • Proposing security policies, standards, guidelines, and procedures to the CIO
  • Receiving and processing legal notices from copyright holders and the legal system with the advice of the Office of the General Counsel
  • Coordinating with law enforcement and with the Office of the General Counsel

 

Collegiate and unit responsibilities:

  • Protect the collegiate or unit systems and data
  • Implement security controls
  • Cooperate with OITSEC in investigating security incidents
  • Refer all requests from law enforcement or the legal system to the Office of the General Counsel or OITSEC
  • Keep OITSEC informed with up-to-date contact information for technical staff
  • Attend comp-sec, net-people, and other campus meetings for technical staff to maintain up-to-date knowledge of the University computing environment
  • Report security incidents to OITSEC
  • Implement security controls and protections

 

Policies

 

A list of IT-related policies with links is at:

 

http://www.policy.umn.edu/groups/ppd/documents/index/policycategories.cfm?ctg=4&subctg=37

 
