Information security policies are becoming more prevalent in higher education
for a number of reasons:
- Their existence heightens the awareness and importance of protecting sensitive data, such as student
identifiers and grades.
- Their existence and enforcement help mitigate the risk of incurring a data breach. According to the
Ponemon Institute's most recent study on the cost of data breaches, the average cost per compromised
record was $202 in 2008. Of that amount, $139 represents lost business (reputational cost); $15 is spent
on average just on notification.
- External organizations are beginning to require that institutions implement a data security policy
(the Payment Card Industry Data Security Standards is one such example).
- Information security policies help define the foundation and rulebook by which subsidiary IT procedures
and standards are developed, increasing the transparency of information technology operations.
We have decided to pursue the Board-level policy, rather than promulgate this as an IT Services-issued
policy, for the following reasons:
- Its existence as a Board-level policy states its importance as a University-wide principle.
- Subsidiary procedures, directives, and guidelines can be altered as needed, while still referring
to this policy for their foundational guiding principles.
- If future regulations and external requirements require that an information security policy be
specifically a Board-level policy, we will already be in compliance.
- Shepherd University currently has no Board-level information technology policy of any kind. Many,
perhaps most, public institutions have at least one such policy in place. These institutions recognize
the importance of setting foundational principles for the proper use of information technology, and
Shepherd should be one of these institutions.