How-to Instructions

Practices for the Information Security Policy

Your data are valuable. In order to manage data security risks, units and University community members must ensure that their electronic devices and other resources which store, transmit, or process University information meet the information security processes and standards contained in the Information Security Policy.

What Is the Security Level of Your Data?

The University uses the following three-tier security system.

A horizontal bar representing the highest security level.


  • Large amount of data
  • Legally protected data
  • Impact on critical functions
A horizontal, partially-filled bar representing the medium security level.


  • Smaller amount of data
  • Private and/or public data
  • Lower impact on critical functions
A horizontal, partially-filled bar representing the low security level.


  • Smallest scope
  • Public data
  • Low/no impact on critical functions

Begin by identifying your security level. Then use the resources linked below to comply with the Information Security Policy. If you have questions, contact University Information Security.

When is a Risk Assessment necessary?

University Information Security performs information security risk assessments to assist units in evaluating risks and treatment options as part of the University’s Information Security Risk Management (ISRM) program, or to satisfy legal and regulatory requirements. These risk assessments employ consistent University criteria and are scheduled based on level of risk. Units can also request a risk assessment of current or planned technologies or processes.  Learn more about Risk Assessments.

Who Is Responsible?

If you are responsible for how your unit uses or stores data, or if you manage your own data storage or server equipment, you are responsible for ensuring your systems, processes, and practices comply with the Information Security Policy. Typical University roles include:

  • Department/unit executive/head
  • IT director or administrator
  • Researcher who manages your own data storage/server
  • Purchaser of new contracts or systems
  • Employee or University Community Member

Questions? Contact us.