Policy 8060 Managers – Data Security Guidelines
Updated February 2016
Sharing responsibility for information security with the employees they supervise.
Establishing information security procedures
If managers elect to establish more restrictive information security practices for their employees, they must meet the Minimum Security Standards for Systems set by the Chief Information Security Officer (CISO), the university’s records retention policy, as well as other university policies, contractual agreements, and governing federal, state and local laws.
Managers must make sure their employees have the authorizations necessary to perform their jobs. The authorizations themselves are acquired from the custodians of the information resources. Managers must ensure that employee access is consistent with employee responsibilities and that requests to deactivate employee accounts are made within 24 hours of an employee’s separation.
User training and awareness
Managers must promote security by ensuring that employees have the training and tools necessary to protect information.
Managers must ensure the physical security of the information technology devices in their area. Doors should be locked to protect equipment when unattended. Portable equipment such as laptops, tablets and cell phones should be registered and regularly inventoried at the department level.
Incident handling and reporting
Managers must report suspected or known compromises of information resources, including contamination of resources by computer viruses, to their managers and in accordance with the university’s Incident Response Procedure on the same business day that they become aware of the compromise. Managers must cooperate with the investigation of and recovery from security incidents, including taking any disciplinary action deemed necessary by the appropriate university authorities.