10.4 Information Technology - IT Security Policy

Wilmington College 

IT Security Policy

 

  1. PURPOSE

This policy assigns responsibility for the security of Wilmington College (College) data and information systems. Components of security include confidentiality, availability and integrity.

  2. DEFINITIONS

Critical data

Data supporting critical functions (i.e., business processes identified by the vice presidents that significantly affect service levels to students, affect public safety, impact the budget, and/or are the result of governmental regulations). This data is so important to the College that its loss or unavailability is unacceptable.

Information Security Program

The set of managerial, operational and technical controls instituted to protect the integrity, availability and, if needed, confidentiality of information and the technology resources used to enter, store, process, and communicate electronic information.

Information Technology Resources

Specific items such as telecommunications devices, computer systems, media, and other equipment, goods, services and personnel related to the collection, storage or transport of electronic information.

Sensitive Data

Non-public data subject to legal requirements (e.g., Federal or State privacy laws) or other privacy or compliance considerations, which define and regulate its responsible use.

  3. APPLICABILITY

This policy applies to all information collected and/or processed using university information technology resources.

  4. POLICY

College data and information technology resources must be recognized as valuable and worthy of protection. Depending on the scope and nature of the information, constraints and special procedures for access and handling may be required.

One of the fundamental requirements and goals of college information processing, whether manual or automated, is to manage the information resource. This goal drives all others as the college works to protect and deny or allow access. The individual data elements and their association to the larger process must be protected and managed. Therefore, controls are necessary at the department or service unit, the network, and throughout the various computer systems and services used to collect, process, store and disseminate college data.

It is the policy of the college to maintain security of its data and information technology resources. The college will take appropriate steps to secure information technology resources and sensitive information through the development of an institution-wide information technology security program. All systems must include security safeguards that reflect the importance and sensitivity of the information processed on the system.

All users of college information technology resources are required to adhere to college policies related to information technology.

  5. PROCEDURES

In keeping with the responsibilities outlined above, departments and offices shall develop, manage and review local operating policies and procedures to create the proper security posture for sensitive or critical data created and stored locally and on centrally managed computer systems. Integrity constraints, procedures that ensure correct processing of correct data, shall be written as local procedure. Such procedures shall be reviewed as required.

  6. RESPONSIBILITIES

  1. Vice presidents, deans, associate/assistant vice presidents and academic/administrative unit heads shall be responsible for identifying critical functions. In addition, they and their staffs are responsible for the security, confidentiality, availability, and integrity of data and software stored on individual workstations or local fileservers and on shared system resources (whether provided on campus or through third-party systems or services) to the extent that they have access and/or access control. This responsibility includes ensuring the backup of key software systems and data on workstations and local file servers.
  2. Deans, associate/assistant vice presidents and academic/administrative unit heads are further required to designate a system administrator for any shared file server or application system under their control and not administered by IT.
  3. This policy also places responsibility on deans, associate/assistant vice presidents and academic/administrative unit heads to: 1) require appropriate computer use as specified in the Acceptable Use Policy, 2) ensure compliance with information technology policies and standards by people and services under their control, and 3) implement and monitor additional procedures as necessary to provide appropriate security of information and technology resources within their area of responsibility.
  4. IT is responsible for establishing and maintaining the physical security of the central computing facilities (including shared file servers managed by IT), the college’s communications network and data for which IT is the custodian. As part of the university's Information Security Program, IT will maintain the College’s computing standards for access to shared system resources.
  5. As part of the Information Security Program, IT is responsible for monitoring the college’s technology environment and addressing potential vulnerabilities. IT is also responsible for information security incident response. Anyone who becomes aware of a potential information security incident should delay investigative action and report the concern immediately to the information security officer, IT information security staff or helpdesk@wilmington.edu, or call 937-481-2459.
  6. Additionally, the Director of IT shall be responsible for the administration of the university's Information Security Program and providing technical support to college departments and offices in the development of local security procedures. This program shall extend to all information technology resources of the college. Its emphasis will be on a risk-based approach to protect the college's information technology resources, with particular focus on sensitive information and critical data and applications.
  7. All departments, offices and employees that generate, receive or maintain public records under the terms of this policy are also responsible for compliance with the college’s Document and Retention Policy.

  7. SANCTIONS

Sanctions will be commensurate with the severity and/or frequency of offense and may include termination of employment or expulsion. In addition, violators may be subject to criminal and/or civil action.

  8. EXCLUSIONS

None.

  9. INTERPRETATION

Authority to interpret this policy rests with the president and is generally delegated to the Assistant Director of IT and the Director of IT.