Policy 8060 Managers – Data Security Guidelines

Updated February 2016

Sharing responsibility for information security with the employees they supervise.

Establishing information security procedures

If managers elect to establish more restrictive information security practices for their employees, those practices must meet the Minimum Security Standards for Systems set by the Chief Information Security Officer (CISO), the university’s records retention policy, as well as other university policies, contractual agreements, and governing federal, state and local laws.

Managing authorizations

Managers must make sure their employees have the authorizations necessary to perform their jobs. The authorizations themselves are acquired from the custodians of the information resources. Managers must ensure that employee access is consistent with employee responsibilities and that requests to deactivate employee accounts are made within 24 hours of an employee’s separation.

User training and awareness

Managers must promote security by ensuring that employees have the training and tools necessary to protect information.

Physical security

Managers must ensure the physical security of the information technology devices in their area. Doors should be locked to protect equipment when unattended. Portable equipment such as laptops, tablets and cell phones should be registered and regularly inventoried at the department level.

Incident handling and reporting

Managers must report suspected or known compromises of information resources, including contamination of resources by computer viruses, to their managers and per the university’s Incident Response Procedure on the same business day that they become aware of the compromise. Managers must cooperate with the investigation of and recovery from security incidents, including taking any disciplinary action deemed necessary by the appropriate university authorities.