The mission of the UWSP Information Security Office is to safeguard the confidentiality, integrity, and availability of information systems, identity, and data assets by providing proactive security expertise, creating and maintaining a resilient and secure infrastructure, and fostering a culture of security awareness and compliance throughout the organization.
The UWSP Information Security program (ISP) is overseen and implemented by the UWSP Information Security Office (ISO), a unit of UWSP Information Technology (IT). ISP is led by the Chief Information Security Officer (CISO) at the behest of the Chief Information Officer (CIO) as a function of Academic Affairs. The CISO is responsible for ensuring that information is adequately protected within our and our affiliates' information systems while also supporting the needs of the University.
This program is in addition to and in alignment with the University of Wisconsin System Information Security Policy.
Program Design
The design and direction of the ISP is driven by:
- United States Federal Law
- UW System administrative policy
- University business objectives
- The need for regularly performed risk assessments and audits
- Industry trends

Information Technology, being an ever-evolving field, will spur changes to move to a more secure future, and the ISP remains ever vigilant in looking for new ways to further enhance the security of our users and their information.
Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
Program Details
Access to information
- Access to information is controlled with role-based access controls, ensuring that only those who are authorized to access pieces of information are able to do so. Privileged roles are monitored for changes to further prevent unauthorized access.
Collection of information
- Information may be collected via forms, cookies, or other automated functions. Some UWSP services or websites may have their own privacy statements in addition to UWSP's privacy policy that provide more detail about their specific data collection and use practices.
Distribution of information
- Information is not shared with third parties without notice, unless required to disclose information to law enforcement or other entities with a legal authority to obtain said information. Details about which third parties information is shared with will be outlined in the privacy policy for a specific service.
Processing of information
- Obtained information is processed by the system that obtains said information, unless additional external processing is needed or required in order to complete the processing objective.
Protection of information
- Information is protected in a manner appropriate for its sensitivity using encryption, access controls, and extensive auditing for record keeping purposes.
Storage of information
- Information is stored in a manner appropriate for its sensitivity using encryption, physical access controls, and technical controls to prevent unauthorized access.
Usage of information
- Information that is collected as part of a process or over the course of a service will be used by the system collecting that information, and any external entities outlined in the privacy policy for a specific service.
Disposal of information
- Information disposal is an important component of the information lifecycle. To prevent unauthorized access to information stored on workstations, all devices are encrypted to the highest possible degree without affecting functionality. Devices that are not encrypted are wiped in a manner appropriate for the highest sensitivity of information stored on the device before resale. If a device cannot be securely wiped, it is recycled by an authorized third party. Server storage is sent to an authorized recycler for shredding after it has exited service.
Definitions
Information Systems:
Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information containing customer information or connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contain customer information or that is connected to a system that contains customer information.
16 CFR 314.2(j)
https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.2(j)