Shepherd University logo Information Technology
Services
SEARCH
    
Home | About | Undergraduate | Graduate | Prospective | Current | Athletics | Alumni | Faculty/Staff  

I. T. Services

For Students

For Faculty/Staff

I. T. Services Policies and Procedures

Frequently Asked Questions

Projects and their current status

About Us and Contacts

Shepherd University
Information Security Policy (DRAFT)

Introduction

Information Technology Services invites comments from campus members on the following policy draft. Our expectation is to collect constructive criticism and feedback from the campus community throughout the summer and early fall, incorporate that feedback into a final draft, then request that the final draft be submitted to the Board of Governors at the October or November board meeting. Please send your comments to the Director of IT Services, Robert Spiker, at rspiker@shepherd.edu.


Background

Information security policies are becoming more prevalent in higher education for a number of reasons:

  • Their existence heightens the awareness and importance of protecting sensitive data, such as student identifiers and grades.
  • Their existence and enforcement helps mitigate the risk of incurring a data breach. According to the Ponemon Institute's most recent study on the cost of data breaches, the average cost per compromised record was $202 in 2008. $139 represents lost business (reputational cost); $15 is spent on average just on notification.
  • External organizations are beginning to require that institutions implement a data security policy (the Payment Card Industry Data Security Standards is one such example).
  • Information security policies help define the foundation and rulebook by which subsidiary IT procedures and standards are developed, increasing the transparency of information technology operations.

We have decided to pursue the Board-level policy, rather than promulgate this as an IT Services-issued policy, for the following reasons:

  • Its existence as a Board-level policy states its importance as a University-wide principle.
  • Subsidiary procedures, directives, and guidelines can be altered as needed, while still referring to this policy as foundational guiding principles.
  • If future regulations and external requirements require that an information security policy be specifically a Board-level policy we will already be in compliance.
  • Shepherd University currently has no Board-level information technology policy of any kind. Many, perhaps most, public institutions have at least one such policy in place. These institutions recognize the importance of setting foundational principles for the proper use of information technology, and Shepherd should be one of these institutions.

The process

  • January 2009: Draft policy developed and circulated among IT Services staff for comments.
  • March-May 2009: Draft policy presented to the Technology Oversight Committee, Student Life Committee, Classified Employee Council, and Faculty Senate for comments.
  • June-September 2009 (planned): Open for general comments, and presented to other campus groups for comments (e.g., Banner data custodians, Deans, Student Government).
  • October/November 2009 (planned): Submitted to the Board of Governors.

Draft Policy

The most recent version, as of May 22, 2009, is available in PDF format.