Explainer: Information Security Policy (4-004)
Cybersecurity is everyone’s responsibility. At a personal level, you can decide what that means for you. At the University of Utah, however, everyone must follow Policy 4-004: University of Utah Information Security, which aims to protect the university’s IT resources and systems, and data, including that of students, faculty, staff, guests, patients, vendors, and more.
Since regulations can be difficult to wade through, we’re launching a series of explainers on Policy 4-004, including its rules and guidelines. Today, we start at the beginning, with a look at the overarching policy. We’ll cover the rules and guidelines in future explainers.
What does it say?
Policy 4-004 outlines all the university’s IT security rules, which help protect the university, its IT systems and resources, and data. It also ensures compliance with local, national, and international laws, industry regulations, and business agreements.
Some items covered in the policy:
- IT systems and resources
- User accounts, including usernames and passwords
- Data management, including classification and encryption
- Remote access
- IT security training and awareness
Why should I care?
Any person or organization with an online presence is vulnerable to cybercrime. The University of Utah and its community members, however, are especially at risk because the U is a public higher education institution and a health care organization, both of which handle large amounts of confidential data.
The university — and each of us — has a responsibility to protect that information, as well as the U’s IT systems and resources, from data breaches and other IT security incidents.
IT security incidents are costly, financially and personally. They can lead to identity theft, damaged reputation, fines and/or penalties, operational disruption, compromised devices, lost time, downtime, data loss or manipulation, and service interruptions.
Who does it apply to?
All University of Utah and University of Utah Health community members and organizations must follow Policy 4-004. Simply put, it applies to anyone who learns, instructs, or works at the U or does business with the university.
Up next month in August’s Node 4 newsletter: Rule 4-004A: Acceptable Use