Policy Name: Information Security Policy
Policy ID Number: 03-05-012
Version Effective Date: October 10, 2016
Last Reviewed on: January 1, 2019
Policy Applies To: University wide
Responsible Office: Information Technology
INTRODUCTION AND STATEMENT OF PURPOSE
New Jersey City University (NJCU) is committed to applying the necessary security measures to ensure the protection of the critical information it manages and continuation of the University’s business operations.
It is NJCU’s goal to apply a comprehensive and integrated approach to meet the security requirements necessary to maintain a safer business environment for its constituents and to maintain compliance with Federal and State laws.
The information security policy shall be used to establish the necessary security controls to enable NJCU to better protect its information resources and data assets against theft, abuse and any other form of harm or loss. The policy shall also work to maintain compliance with Federal and State laws which include:
The goal is to improve the University’s security posture through better risk management and providing assurance that risks to IT assets are being adequately addressed.
The information security policy applies to all – but shall not be limited to – employees, faculty, contractors, consultants, third-party service providers, temporary workers, all campuses, and any others who have direct access to NJCU’s facilities and information resources.
Roles and Responsibilities
Continued commitment and support of the information security policies, standards, and processes required to maintain a successful information security program.
Deans, Directors, and Department Heads
All Deans, Directors, and Department Heads are responsible for the security of information resources in all areas under their jurisdiction and for implementing information security requirements on an office-wide basis. They shall provide guidance and coordinate the implementation of information security controls within their respective areas.
Employees, Faculty, Students
Employees, faculty, and students have a responsibility to manage and protect the confidentiality, availability, and integrity of NJCU-owned data assets and information resources that have been made accessible to them for use within NJCU.
Department of Information Technology
All IT group members are responsible for the security and confidentiality, availability, and integrity of information resources in all areas under their jurisdiction and for implementing information security requirements on a campus-wide basis.
Contractors and/or 3rd party managed service providers have a responsibility to manage and protect the confidentiality, availability, and integrity of NJCU-owned data assets and information resources that they have been granted access to by an NJCU sponsor to fulfil a required service.
The policy framework establishes the directives towards the security standards, processes, procedures, and controls that shall be implemented within NJCU to safeguard its environment.
The following details the information security policy framework that will enable NJCU to better protect its business operations and information resources:
The security controls that shall be used by NJCU can be referenced back to ISO 27002 standards and SANS Top 20 Critical Security Controls.
NJCU shall review its information security policy as necessary to adjust for new risks discovered, changes in the environment and/or landscape, laws and regulations, or changes to its business operations.
Any exceptions for non-compliance towards the information security policy must be requested and reviewed by senior management for approval.
Non-compliance with the information security policy without proper approval for exceptions can result in disciplinary action up to and including termination of employment. Students’ sanctions shall be commensurate with the severity and/or frequency of the offense and may include suspension or expulsion.
DATE TO INITIATE REVIEW AND UPDATE
As deemed necessary or appropriate by the Policy Coordinator but, at a minimum, every 5 years from the date of last review.