Information security policies are becoming more prevalent in higher education
for a number of reasons:
- Their existence heightens the awareness and importance of protecting sensitive data, such as student
identifiers and grades.
- Their existence and enforcement helps mitigate the risk of incurring a data breach. According to the
Ponemon Institute's most recent study on the cost of data breaches, the average cost per compromised
record was $202 in 2008. $139 represents lost business (reputational cost); $15 is spent on average just
- External organizations are beginning to require that institutions implement a data security policy
(the Payment Card Industry Data Security Standards is one such example).
- Information security policies help define the foundation and rulebook by which subsidiary IT procedures
and standards are developed, increasing the transparency of information technology operations.
We have decided to pursue the Board-level policy, rather than promulgate this as an IT Services-issued
policy, for the following reasons:
- Its existence as a Board-level policy states its importance as a University-wide principle.
- Subsidiary procedures, directives, and guidelines can be altered as needed, while still referring
to this policy as foundational guiding principles.
- If future regulations and external requirements require that an information security policy be
specifically a Board-level policy we will already be in compliance.
- Shepherd University currently has no Board-level information technology policy of any kind. Many,
perhaps most, public institutions have at least one such policy in place. These institutions recognize
the importance of setting foundational principles for the proper use of information technology, and
Shepherd should be one of these institutions.