Charter of University Information Security
The University of Minnesota (UMN) values the use of information technology in supporting the mission of the University. The University is committed to preserving the confidentiality, integrity, and availability of information regardless of the form it takes—electronic or non-electronic.
Improper use of information resources may result in harm to the University and its mission of teaching, research, and outreach. University information, whether managed and residing on UMN resources or held in trust and managed by a third party or business partner, is an important asset that must be protected. Any person or organization that uses or holds in trust these assets has a responsibility to maintain and safeguard them.
Mission & Objectives
The mission of University Information Security is to support the goals of the University by safeguarding UMN information and assets from unauthorized disclosure, use, modification, or loss. One of University Information Security’s primary objectives is to develop proactive technical and non-technical measures to help identify and prevent security risks and to provide effective response in cases where those measures fail.
Scope
The Chief Information Officer (CIO), as a system officer, has delegated operational responsibility to the University Chief Information Security Officer (CISO) and University Information Security for information security on all campuses of the University for information technology assets belonging to the University. Faculty and staff throughout the University are partners in helping assure the confidentiality, integrity, and availability of University information.
To safeguard University information resources, University Information Security has delegated operational responsibility to remove electronic devices from the network and, as appropriate, retrieve equipment and data as part of an investigation. University Information Security will seek to minimize the negative impact on operations to the extent possible while fulfilling its responsibilities. University Information Security will work closely with the Office of the General Counsel as necessary to help protect the privacy of members of the University community when fulfilling its responsibilities.
Roles & Responsibilities
Chief Information Officer (CIO) responsibilities:
- Identify and delegate responsibility for information security
- Approve technical security policies, standards, and guidelines
- Report periodically to senior administration and the Regents
Chief Information Security Officer (CISO) and University Information Security responsibilities include:
- Protect the University network, systems, and data
- Coordinate with designated campus, collegiate, or unit technical and security staff to ensure the confidentiality, integrity, and availability of University systems and ensure that appropriate and timely action is taken
- Investigate reported and discovered security incidents
- Present information to the Security Advisory Committee and CIO
- Receive reports of information security incidents and coordinate investigation as necessary
- Determine risk reduction and mitigation steps necessary to protect University assets
- Coordinate with the unit administrative and technical/security staff to assure that appropriate diagnostic, protective, remedial, and other actions are taken as necessary to protect University resources
- Coordinate with the appropriate University offices (compliance, legal, human resources, and student conduct) as well as external organizations (law enforcement) as necessary
- Report information security-related metrics and results periodically
- Coordinate compliance activities related to information security for various regulations, laws, and contractual commitments
- Propose information security policies, standards, guidelines, and procedures to the CIO
- Receive and process legal notices from copyright holders and the legal system with the advice of the Office of the General Counsel
Collegiate and unit responsibilities:
- Protect the collegiate or unit systems and data
- Implement information security controls
- Report suspected information security incidents, including suspected data breaches, to University Information Security
- Cooperate with University Information Security in investigating information security incidents
- Refer all requests from law enforcement or the legal system to the Office of the General Counsel or University Information Security
- Keep University Information Security informed with up-to-date contact information for technical staff
- Participate in comp-sec and other campus groups for technical staff to maintain up-to-date knowledge of securing the University computing environment
Policies
A list of IT-related policies is available in the University Policy Library.