ITEM 112-110-R0901
September 27-28, 2001
MONTANA BOARD OF REGENTS OF HIGHER EDUCATION
Policy and Procedures Manual
SUBJECT: INFORMATION TECHNOLOGY
Policy 1300.1 - Security of Data and Information Technology Resources; Montana University System
Board Policy:
1. Each campus of the Montana University System is required to establish and maintain policies for the security of data and information technology resources.
2. Policies shall be developed and maintained under the direction of the chief executive officer of each campus. Policies must be approved by the Commissioner of Higher Education.
3. Insofar as security issues are common to campuses, the campuses shall adopt similar policies.
4. The Office of the Commissioner of Higher Education shall develop and maintain policies for the security of data and information technology resources under its direct control.
Procedures:
Policy Development
The chief executive officers of each campus shall assign to appropriate individuals or groups the responsibility for development of policies governing the security of data and information technology resources that specifically encompass the responsibilities outlined in MCA 2-15-114. Those individuals or groups shall engage their campus communities in the identification of security issues and exposures and shall develop draft policies reflecting those concerns.
The Information Technology officers of the Montana University System shall collaborate on security policies and whenever feasible develop consistent language and consistent practices among the campuses and universities of the Montana University System.
The chief executive officer shall review and approve the campus security policy and submit the campus's policy to the Commissioner of Higher Education for approval. Upon the Commissioner's approval, the policy shall become official campus policy.
Policy Review
Periodically, no less often than every three years, campus policies for the security of data and information technology resources shall be reviewed by the chief executive officer of the campus and/or his/her delegates. Revisions shall be undertaken when judged necessary, following the procedure outlined above. Revised policies shall be submitted for the approval of the Commissioner of Higher Education.
Definitions:
Security - Prevention of unauthorized additions, deletions, or modifications to data; prevention of unauthorized access to sensitive or confidential data; protection of the accuracy of data; protection of the privacy or confidentiality of sensitive data; protection against unauthorized access to information technology resources; protection of information technology resources from intrusion, damage, denial of service, or other disruption.
Data - Records (physical, electronic, optical, etc.) detailing or summarizing the financial, human resources, financial aid, or student records aspects of the entities of the Montana University System Information Technology Resources - Voice, data, and video networks and associated electronic equipment; computers; storage devices; databases; application software; operating systems.
History: Legislative Audit Division report on The University of Montana, April 1999, Draft, July 27, 2001, Draft August 23, 2001