Practices for the Information Security Policy

Your data are valuable. In order to manage data security risks, units and University community members must ensure that their electronic devices and other resources which store, transmit, or process University information meet the information security processes and standards contained in the Information Security Policy.

Identify the Security Level of Your Data

The University uses the following three-tier security system.

Highest security level

  • Large amount of data
  • Legally protected data
  • Impact on critical functions

Medium security level

  • Smaller amount of data
  • Private and/or public data
  • Lower impact on critical functions

Low security level

  • Smallest scope
  • Public data
  • Low/no impact on critical functions

Begin by identifying your security level. Then use the resources linked below to comply with the Information Security Policy. If you have questions, contact University Information Security.

A gap analysis is not the same as an Information Security Risk Assessment. Learn more about Risk Assessments.

Who Is Responsible?

If you are responsible for how your unit uses or stores data, or if you manage your own data storage or server equipment, you are responsible for ensuring your systems, processes, and practices comply with the Information Security Policy. Typical University roles include:

  • Department/unit executive/head
  • IT director or administrator
  • Researcher who manages their own data storage/server
  • Purchaser of new contracts or systems
  • Employee or University Community Member

Questions? Contact us.

Intended Audience

Staff & Departments
Health Sciences Affiliates
IT Staff and Partners