There are five systems-level IT security policies that define the CU IT Security Program and which are the basis for the on-line Information Privacy and Security awareness courses required to be taken by all CU employees. These policies were developed at the CU-System level and have gone through the formal APS approval process. They apply across all CU campuses and Systems.
These policies can be found on the CU Office of Information Security website at: https://www.cu.edu/policies/aps-az.html.
UCCS has several campus-wide IT security policies. These have gone through the formal UCCS approval process, are designated with a specific policy number (700 series), and apply across the whole Colorado Springs campus. These policies can be found under the Information Technology heading (700 series)at: http://www.uccs.edu/vcaf/uccspol.html.
IT Department “policies” are not formally approved APS’s, but are IT’s rules for IT resource usage. These are statements about the way IT operates its labs, controls access to IT resources and what activities are and are not allowed on UCCS IT resources. Many of these “policies” are helpdesk help sheets.
Some important IT department security documents are:
Some UCCS organizational units are required by the Payment Card Industry (PCI) to have some written procedure or statement about the rules and decisions that govern how they secure their information, such as the Bursar’s office and the Bookstore. Even if not required, it is a good idea for organizational units to have these types of documents. Although in some places they may be referred to as internal “policies,” they are not official policies and thus should be called by a different name. Operating procedures, guidelines, measures, standards – these are all appropriate names. A good example of an organizational unit’s internal security document can be found at: COB Data Security Measures.htm