SCOPE: FACULTY, STAFF, STUDENTS, AND GUESTS

1. POLICY STATEMENTS

1.1 LIT’s information resources are vital academic and administrative assets which require appropriate safeguards in order to avoid compromising their confidentiality, integrity, and availability. As a public institution of higher education, LIT is subject to various federal, state, and industry regulations that provide requirements and guidance for achieving this goal.

1.2 The purpose of this policy is to establish the framework on which LIT’s information resources policies, standards, guidelines, and procedures are created and maintained.

2. DEFINITIONS

2.1. Accessible – Describes an electronic and information resource that can be used in a variety of ways and (the use of which) does not depend on a single sense or ability. [1 TAC 213.1(1)]

2.2. Account – The representation of a user’s relationship to one or more information resources. Accounts are identified by a unique user name.

2.3. Alternate formats – Alternate formats usable by people with disabilities may include, but are not limited to, Braille, ASCII text, large print, recorded audio, and electronic formats that comply with this chapter. [1 TAC 213.1(2)]

2.4. Alternate methods – Different means of providing information, including product documentation, to people with disabilities. Alternate methods may include, but are not limited to, voice, fax, relay service, TTY, Internet posting, captioning, text-to-speech synthesis, and audio description. [1 TAC 213.1(3)]

2.5. Assistive technology – Any item, piece of equipment, or system, whether acquired commercially, modified, or customized, that is commonly used to increase, maintain, or improve functional capabilities of individuals with disabilities. [1 TAC 213.1(4)]

2.6. Authentication – The process of verifying the identity of an account holder.

2.7. Confidential – Information that typically is excepted from the Public Information Act or data whose public release may result in adverse consequences to the organization. This includes but is not limited to attorney-client communications, computer vulnerability reports, protected draft communications, student education records as defined under FERPA, personally-identifiable medical records, passport information, crime victim information, library transactions (e.g., circulation records), court sealed records, and access control credentials (e.g., PINs and passwords). Confidential information also includes any of the following when combined with other personally-identifying information: social security number, driver license number, date of birth, payment cardholder information, or financial account information.

2.8. Data Owner – See Information Owner.

2.9. Device – Any hardware component involved with the processing, storage, or forwarding of information making use of the institutional information technology infrastructure or attached to the institutional network. These devices include, but are not limited to, laptop computers, desktop computers, servers, and network devices such as routers, switches, wireless access points, and printers. [TSUS IT.03.03]

2.10. Electronic and information resources (EIR) – Includes information technology and any equipment or interconnected system or subsystem of equipment used to create, convert, duplicate, or deliver data or information. EIR includes telecommunications products (such as telephones), information kiosks and transaction machines, web sites, multimedia, and office equipment such as copiers and fax machines. The term does not include any equipment that contains embedded information technology that is used as an integral part of the product, but the principal function of which is not the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For example, thermostats or temperature control devices, and medical equipment that contain information technology that is integral to its operation, are not information technology. If the embedded information technology has an externally available web or computer interface, that interface is considered EIR. Other terms such as, but not limited to, Information and Communications Technology (ICT), Electronic Information Technology (EIT), etc. can be considered interchangeable terms with EIR for purposes of applicability or compliance. [1 TAC 213.1(6)]

2.11. Guideline – Recommendations or instructions designed to achieve policy objectives by providing direction for implementing compliant procedures.

2.12. Federal Tax Information (FTI) – Includes tax return or return information received directly from the IRS or obtained through an authorized secondary source. FTI includes any information created by the recipient that is derived from federal return or return information received from the IRS or obtained through a secondary source. [IRS Publication 1075]

2.13. Home page – The initial page that serves as the front door or entry point to a state website. [1 TAC 206.1(12)]

2.14. Information Custodian – An entity, including a department, agency, or third-party service provider responsible for implementing the information owner-defined controls and access to an information resource. [1 TAC 202.1(17)]

2.15. Information Owner – A person with statutory or operational authority for information or information resources. [1 TAC 202.1(18)]

2.16. Information Resources – The procedures, equipment, and software that are employed, designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel including consultants and contractors. [Section 2054.003(7) Texas Government Code]

2.17. Information Security Program – The policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, services, and resources that establish an information resources security function within an institution of higher education. [1 TAC 202.1(21)]

2.18. Information System – An interconnected set of information resources under the same direct management control that shares common functionality. An Information System normally includes, but is not limited to, hardware, software, network Infrastructure, information, applications, communications and people. [1 TAC 202.1(22)]

2.19. Information Technology (IT) – Any equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term includes computers (including desktop and laptop computers), ancillary equipment, desktop software, client-server software, mainframe software, web application software and other types of software, firmware and similar procedures, services (including support services), and related resources. [1 TAC 213.1(9)]

2.20. Information Technology Resources – Any of the following that are owned, operated or supplied by the TSUS or one of its component institutions: computer accounts, hardware, software, communication networks and devices connected thereto, electronic storage media, related documentation in all forms, and professional and technical support services. Also included are data files resident on hardware or media owned or supplied by the TSUS or a component, regardless of their size, source, author, or type of recording media, including email messages, system logs, web pages and software. [TSUS IT.03.03]

2.21. Institutional Network – The data transport and communications infrastructure at the institution. It includes the campus backbone, local area networks, and all equipment connected to those networks (independent of ownership). [TSUS IT.03.03]

2.22. Key public entry point – A web page on a state website that is frequently accessed directly by members of the public, which a state agency or institution of higher education has specifically designed to enable direct access to official agency or institution of higher education information. [1 TAC 213.1]

2.23. Login Credentials – A means of identification, usually a User ID and password, which provides evidence of a user’s identity and allows access to that user’s account.

2.24. Major Information Resource Project – (A) any information resources technology project identified in a state agency's biennial operating plan whose development costs exceed $1 million and that: (i) requires one year or longer to reach operations status; (ii) involves more than one state agency; or (iii) substantially alters work methods of state agency personnel or the delivery of services to clients; and (B) any information resources technology project designated by the legislature in the General Appropriations Act as a major information resources project. [Texas Government Code §2054.003(10)]

2.25. Network Address – A unique number associated with a device's network connection used for the routing of traffic across the Internet or another network. Also known as Internet Protocol Address or IP Address. [TSUS IT.03.03]

2.26. Patch – A change or update to software that eliminates a vulnerability.

2.27. Personally Identifying Information (PII) – Information that alone or in conjunction with other information identifies an individual, including an individual's name, social security number, date of birth, or government-issued identification number; mother's maiden name; unique biometric data, including the individual's fingerprint, voice print, and retina or iris image; unique electronic identification number, address, or routing code; and telecommunication access device as defined by Section 32.51, Penal Code. [Business and Commerce Code 521.002(a)(1)]

2.28. Policy – Formal, high level documents that require compliance and focus on desired results, not on means of implementation.

2.29. Procedure – A description of a process, either text-based or diagrammed, that represents an implementation of policy.

2.30. Public – Information that is freely and without reservation made available to the public. Examples include but are not limited to college publications, press releases, and public web postings.

2.31. Regulated – Information that is controlled by a state or federal regulation or other third-party agreement. This includes but is not limited to Sensitive Personal Information as defined under the Texas Business and Commerce Code 521.002(a)(1) and 521.002(a)(2), data subject to regulation by the Payment Card Industry Data Security Standards, and Federal tax information.

2.32. Risk Assessment – The process of identifying, evaluating, and documenting the level of impact on an organization's mission, functions, image, reputation, assets, or individuals that may result from the operation of information systems. Risk Assessment incorporates threat and vulnerability analyses and considers mitigations provided by planned or in-place security controls. [1 TAC 202.1(32)]

2.33. Risk Management – The process of aligning information resources risk exposure with the organization's risk tolerance by either accepting, transferring, or mitigating risk exposures. [1 TAC 202.1(33)]

2.34. Self-Contained, Closed Products – Products that generally have embedded software and are commonly designed in such a fashion that a user cannot easily attach or install assistive technology. These products include, but are not limited to, information kiosks and information transaction machines, copiers, printers, calculators, fax machines, and other similar products. [1 TAC 213.1(14)]

2.35. Sensitive – Information that could be subject to release under an open records request, but should be controlled to protect third parties. This includes data that meets the definition of Personally Identifiable Information under the Texas Business and Commerce Code §521.002(a)(1) and §521.002(a)(2), such as employee records and gross salary information. Other examples include but are not limited to emails, voicemails, instant messages, internal communications, and departmental procedures that might reveal otherwise protected information.

2.36. Sensitive Personal Information (SPI) – (A) An individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: social security number; driver's license number or government-issued identification number; or account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (B) information that identifies an individual and relates to the physical or mental health or condition of the individual; the provision of health care to the individual; or payment for the provision of health care to the individual. [Business and Commerce Code 521.002(a)(2)]

2.37. Service Account – An account used to communicate between devices, between applications or services, or between applications or services and devices.

2.38. Server – A physical or virtual device that provides a specific type of service on behalf of another computer or computer user (i.e., client). Examples of services provided by servers include, but are not limited to, file storage, web site hosting, database, and email.

2.39. Standard – A mandatory specification designed to support and conform to policy.

2.40. User – An individual, process, or automated application authorized to access an information resource in accordance with federal and state law, agency policy, and the information owner's procedures and rules. [1 TAC 202.1(38)]

2.41. User ID – The unique user name associated with an account.

2.42. Voluntary Product Accessibility Template (VPAT) – A vendor-supplied form for a commercial Electronic and Information Resource used to document its compliance with technical accessibility standards and specifications. [1 TAC 213.1(19)]

3. GENERAL

3.1. Documentation for LIT’s information resources policy framework is separated into four (4) categories of documentation: policies, standards, guidelines, and procedures.

3.2. Information resources policies shall be managed formally as described in Section 5.

3.3. If standards, guidelines, or procedures are included in policy documents, they are also subject to the same policy management process.

3.4. Standards, guidelines, or procedures referenced by policies but not directly included in policy shall be managed as described in Section 6.

4. INFORMATION TECHNOLOGY (IT) STEERING COMMITTEE

4.1. The IT Steering Committee assists the IRM in ensuring that LIT’s policies and IT projects support the strategic mission and goals of the institution.

4.2. Members of the IT Steering Committee are appointed by the President. The IT Steering Committee operates as per its charter.

5. INFORMATION RESOURCES POLICY MANAGEMENT

5.1. The Information Resource Manager (IRM) is responsible for maintaining information resources policies.

5.2. New and revised information resources policies shall originate from the IRM, the Information Security Officer (ISO), or a designated committee.

5.3. The approval process shall be as follows:

5.3.1. The new or revised draft policy is routed to the IT Steering Committee for review and approval.

5.3.2. LIT has the option to forward the new or revised policy to general counsel, human resources, or other appropriate entities for review.

5.3.3. LIT’s executive management grants final approval.

5.4. Minor revisions to existing information resources policies shall originate from the IRM or the ISO. Minor revisions include changes to the numbering sequence, minor grammatical edits, formatting changes, and updates to hyperlinks. These changes do not require approval.

5.5. Information resources policies shall be reviewed and updated every 3 years at a minimum. Review of policies may also be triggered by changes to Texas State University System policies, federal and state laws, and other regulatory requirements.

5.6. Unit procedures derived from information resources policies shall be reviewed annually and revised as necessary.

6. INFORMATION RESOURCES STANDARDS, GUIDELINES, AND PROCEDURES MANAGEMENT

6.1. LIT Information Technology is responsible for maintaining information resources standards, guidelines, and procedures.

6.2. New and revised standards, guidelines, and procedures shall originate from the IRM, the ISO, or LIT Information Technology.

6.3. New and revised standards, guidelines, or procedures that impact only the LIT Information Technology unit require only the IRM’s approval.

6.4. New and revised standards, guidelines, or procedures that impact other units or the institution as a whole require the timely approval of the IT Steering Committee.

6.5. Minor revisions to existing standards, guidelines, and procedures require approval from the IRM. Minor revisions include changes to the numbering sequence, minor grammatical edits, formatting changes, and updates to hyperlinks.

6.6. Standards, guidelines, and procedures shall be reviewed by LIT Information Technology annually and revised as necessary.

7. AUTHORITY AND RESPONSIBILITY

Questions related to this policy should be addressed to the IRM at irm@lit.edu.

8. RELATED POLICIES

8.1. IRS Publication 1075

8.2. Texas Administrative Code Chapter 202 Information Security Standards

8.3. Texas Administrative Code Chapter 213 Electronic and Information Resources

8.4. Texas Administrative Code Chapter 216 Project Management Practices

8.5. Texas Business and Commerce Code Chapter 521 Unauthorized Use of Identifying Information

8.6. Texas Government Code Chapter 2054 Information Resources

8.7. Texas State University System Policy Guideline: Information Security Policy