IT policies are formal, University-wide statements about the management of IT resources and other technology-related topics.
Policies create the mandate for information security and risk management efforts at the University. Specifics, including procedures and technical requirements, are promulgated in resources such as best practices and the Secure UD Data Governance & Security Program (Secure UD DGSP). The absence of a University policy on a specific topic does not indicate that there are no requirements or guidelines for that topic. For example, the University's password policy is embodied in the Secure UD DGSP and best practice pages.
IT procedures describe how IT handles routine administrative, operational, and technical processes in support of policy and daily functions.
Foundational IT security policies
Three policies form the foundation of the University's information security and risk management framework. These policies provide the mandate for information security and risk management across the University; establish the institution-wide data governance model; and clarify the roles, responsibilities, and requirements for appropriately managing security and risk.
Institutional policies are curated by the Office of General Counsel.
Data Governance Policy
Establishes the University-wide data governance model, including the rules, roles, and responsibilities for data governance.
Information Security Policy
Establishes a University-wide information security framework. The Secure UD DGSP is an extension of this policy and precribes the the administrative, operational, and technical requirements for information security and risk management.
Information Classification Policy
Establishes the three University information classifications and requires that all University information be classified.
IT management policies
IT management policies describe the general management of IT resources. They work within the framework created by the foundational IT Security policies and focus on specific topics in technology and security.
Acceptable Use of IT Resources Policy (draft)
Establishes the governing philosophy and general rules for regulating use of the University's IT resources.
Establishes privacy requirements for e-communications and IT data.
Establishes requirements for posting privacy statements on University websites.
Incident Response Policy (draft)
Establishes rules, responsibilities, and procedures for reporting, investigating, and responding to incidents.