The Information Resources Use and Security Policy provides The University of Texas at Austin (U. T. Austin) with guidance and defines responsibilities and procedures relating to the operational implementation of the UT System Information Resources Use and Security Policy (UTS 165). For ease of reference both documents share the same organizational structure and a common table of contents.
Title 1 Texas Administrative Code 202.70 (1) states that it is the policy of the state of Texas that information resources residing in the various agencies of State government are strategic and vital assets belonging to the people of Texas. Assets of the university must be available and protected commensurate with their value and must be administered in conformance with federal and state law and UT System Regents' Rules. This Policy provides requirements and guidelines to: establish accountability and prudent and acceptable practices regarding the use and safeguarding of the university's information resources; protect the privacy of personally identifiable information contained in the data that constitutes part of its information resources; ensure compliance with applicable policies and state and federal laws regarding the management and security of information resources; and educate individual Users with respect to the responsibilities associated with use of the university's information resources.
This Policy serves as the foundation for the university's information security program, and provides the Information Security Office the authority to implement policies, practice standards, and/or procedures necessary to implement a successful information security program in compliance with this Policy.
It is the policy of the university to:
Comply with applicable state and federal laws and U.T. System rules governing information resources.
This Policy applies to:
Information that is collected pursuant or related to the U. T. Austin Information Security Program is subject to Section 552.139 of the Texas Government Code and is therefore confidential by law. Accordingly, the university may not withhold information or fail to include information required by this Policy and/or Security Standards to be provided to or included in the U. T. Austin Information Security Program, or for administration of program oversight.
UT-IRUSP Standard 1 Information Resources Security Responsibilities and Accountability
UT-IRUSP Standard 2 Acceptable Use of Information Resources
UT-IRUSP Standard 3 Information Security Programs
UT-IRUSP Standard 5 Administrative/Special Access Accounts
UT-IRUSP Standard 6 Backup and Disaster Recovery
UT-IRUSP Standard 13 Use and Protection of Social Security Numbers
UT-IRUSP Standard 14 Information Services (IS) Privacy
UT-IRUSP Standard 19 Server and Device Configuration and Management
UT-IRUSP Standard 21 System Development and Deployment
UT-IRUSP Standard 22 Vendor and Third-Party Controls and Compliance
The following definitions are used within the context of this Policy and all U. T. Austin Standards established by this Policy.
Authentication - a process used to verify one’s identity.
Backup - copy of files or applications made to avoid loss of data and facilitate recovery in the event of a system failure or other data loss event.
Category-I Data - also known as Confidential data.
Category-II Data - also known as Controlled data.
Category-III Data - also known as Published data.
Centralized IT - the institutional information technology services and support organization, reporting to the highest-ranking information technology administrator/officer at the university, that supports institutional legacy administrative systems or enterprise resource planning (ERP) systems such as student administration (admissions, financial aid, registration, etc.), financial information systems, procurement systems, human resource systems, payroll, research administration (grants and contracts), Network Infrastructure, institutional electronic communications, video, library systems, etc.
Change - any addition or removal of, and any modification or update to an Information Resource.
Change Management - process of controlling the communication, approval, implementation, and documentation of modifications to hardware, software, and Procedures to ensure that Information Resources are protected against improper modification before, during, and after system implementation.
Chief Administrative Officer - the highest ranking executive officer at the university. This is the President for the U. T. Austin.
Cloud Computing (Cloud Services) - has the same meaning as "Advanced Internet-based computing service" as defined in Texas Government Code 2157.007(a): “a service that provides network access to a shared pool of configurable computing resources on demand, including networks, servers, storage, applications, or related technology services, that may be rapidly provisioned and released by the service provider with minimal effort and interaction. The term does not include telecommunications service or the act of hosting computing resources dedicated to a single purchaser.”
Commodity Server – a system providing commodity services to university affiliates (e.g., web servers, e-mail servers, file servers, database servers, directory servers).
Common Use Infrastructure - an IT facility, network, system, or other Information Resource managed, owned or controlled by U. T. System Institutions that provides services to multiple U. T. Institutions under the auspices of the U. T. System. Examples: shared data centers, the U. T. System Network, the U. T. System Identity Management Federation, TexSIS student information system, UTShare HR/Finance, eCRT certification effort reporting system.
Computing Device - any device capable of sending, receiving, or storing Digital Data, including but not limited to: computer servers, workstations, desktop computers, laptop computers, tablet computers, cellular/smart phones, personal digital assistants, USB drives, embedded devices, smart watches and other wearable electronic devices, etc.
Confidential Data - one of three data classifications defined within the U. T. Austin Data Classification Standard. The “Confidential” classification applies to data/information that is exempt from unauthorized disclosure under applicable State law, including the Texas Public Information Act, and Federal laws. Confidential Data is also historically referred to as Category-I data.
Controlled Data - one of three data classifications defined within the U. T. Austin Data Classification Standard. The “Controlled” classification applies to information/data that is not generally created for or made available for public consumption, but that is subject to release to the public through request via the Texas Public Information Act or similar State or Federal law. Controlled Data is also historically referred to as Category-II data.
Data - elemental units, regardless of form or media, that are combined to create information used to support research, teaching, patient care, and other University business processes. Data may include but are not limited to: physical media, digital, video, and audio records, photographs, negatives, etc.
Data Center - a facility used to house computer systems and associated components, such as telecommunications and storage systems.
Decentralized IT - information technology service and support organizations reporting to the heads of business units, departments, or programs that manage or support their own information systems.
Digital Data - the subset of Data (as defined above) that is transmitted by, maintained, or made available in electronic form.
Emergency Change - a change to an Information Resource made in response to unexpected events or circumstances that pose a threat to the environment or institution, and thereby justify use of expedited change procedures.
Electronic Communication - method used to convey a message or exchange information via Electronic Media instead of paper media. It includes the use of Electronic Mail, instant messaging, Short Message Service (SMS), facsimile transmission, Social Media, and other paperless means of communication.
Electronic Mail (Email) - any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
Electronic Media - any of the following:
Guideline - recommended, non-mandatory controls that help support Standards or serve as a reference when no applicable Standard is in place.
High Impact Information Resources - Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
High Risk Computing Device - a computing device meeting any of the following criteria:
Based on these criteria, designation of a computing device as being “High Risk” is made by the Information Resource Owner in consultation with the U. T. Austin Chief Information Security Officer.In event of disagreement regarding the designation of a computing device as being “High Risk,” the Information Resource Manager will work to mediate the disagreement with all parties.
Information - Data organized, formatted and presented in a way that facilitates meaning and decision making. All information is comprised of data.
Information Resources - any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, Network Infrastructure, personal computers, notebook computers, hand-held computers, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Information Resources Custodian (Custodian) - an individual, department, Institution, or third-party service provider responsible for supporting and implementing Information Resources Owner defined controls to Information Resources. Custodians include Information Security Administrators, institutional information technology/systems departments, faculty or staff, vendors, and any third-party acting as an agent of or otherwise on behalf of an Institution.
Information Resources Manager (IRM) - the executive responsible for Information Resources across the whole of the institution as defined in Chapter 2054, Subchapter D, Texas Government Code. This is the Chief Information Officer at U.T. Austin.
Information Resources Owner (Owner) - the manager or agent responsible for the business function that is supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The Owner is responsible for establishing the controls that provide the security, as well as authorizing access to the Information Resource. The Owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared. Note: In the context of this Policy and associated Standards, Owner is a role that has security responsibilities assigned to it by Texas Administrative Code (TAC) 202.72. It does not imply legal ownership of an Information Resource. All University Information Resources are legally owned by U. T. Austin or U. T. System.
Information Security Administrator - a departmental employee, designated by management, who assists with information security tasks as described in UTS165 Standard 1 - Information Resources Security Responsibilities and Accountability. The Information Security Administrator is also historically known as the IT Security Custodian.
Information Security Program - the Policies, Standards, Procedures, Guidelines, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services adopted for the purpose of securing University Information Resources.
Information System - an interconnected set of Information Resources under the same direct management control that shares common functionality. An Information System normally includes hardware, software, Network Infrastructure, information, data, applications, communications, and people.
Information Technology (IT) - the hardware, software, services, supplies, personnel, facilities, maintenance, and training used for the processing of Data and telecommunications.
Inherent Impact - the degree of Impact (High, Moderate, or Low) that could result if Information Resources were subjected to unauthorized access, use, disclosure, disruption, modification, or destruction.
Institution - U. T. System Administration, UTIMCO, or any individual University that is part of the University of Texas System. Same as University.
Integrity - the accuracy and completeness of information and assets, and the authenticity of transactions.
Internet - a global system interconnecting computers and public computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges.
Lead Researcher - the person engaged in the conduct of Research with primary responsibility for stewardship of Research Data on behalf of an Institution. For the purpose of this Policy and associated Standards, the term is synonymous with Principal Investigator.
Local Area Network (LAN) - a data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.
Low Impact Information Resources - Information resources whose loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
Malware - a computer program that is inserted into an Information System, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of data, applications, or operating system, or of otherwise annoying or disrupting the User or Information System. Malware (malicious software) may attach itself to a file or application; deliver a payload without the knowledge or permission of the User; insert itself as a service or process to intercept sensitive information and/or keystrokes and deliver it to a third-party; or compromise the User’s computer and use it to launch compromises against other computers, among other capabilities. Viruses, worms, Trojan horses, spyware, adware, ransomware, and any code-based entity that infects a host are examples of malicious software.
Mission Critical Information Resources - Information Resources defined to be essential to U. T. Austin’s ability to meet its instructional, research, patient care, or public service missions. The loss of these resources or inability to restore them in a timely fashion would result in the failure of U. T. Austin’s operations, inability to comply with regulations or legal obligations, negative legal or financial impact, or endanger the health and safety of faculty, students, staff, and patients. Mission Critical Information Resources include but are not limited to:
Mission Critical Information Resources Staff - IT Staff generally responsible for the support and operation of Mission Critical Information Resources. These staff will typically have additional security controls applied to their roles given that their access and privilege levels can represent a more significant risk to the university.
Moderate Impact Information Resources - Information Resources whose loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Such an event could:
Multi-factor Authentication - a process for verifying a person’s identity that requires use of two of the following three elements:
Network Infrastructure - the distributed hardware and software (i.e., cabling, routers, switches, wireless access points, access methods, and protocols), information, and integrating components that allow institutional network hosts to communicate with one another and enable the administrative, learning, research, and health care missions of the Institution.
Non-University Owned Computing Device - any device that is capable of receiving, transmitting, and/or storing electronic data, and that is not owned, leased, or under the management of an Institution, including personally owned devices.
Owner – See Information Resources Owner.
Password - a string of characters used to verify or "authenticate" a person's identity. Passphrases and personal identification numbers (PIN) serve the same purpose as a Password.
Personally Identifiable Information (PII) - information that alone or in conjunction with other information identifies an individual. PII includes, but is not limited to: an individual’s name; a Social Security number; a date of birth; a government-issued identification number; a mother’s maiden name; unique biometric data (including an individual’s fingerprint, voice print, and retina or iris image); a unique electronic identification number, address, or routing code; or a telecommunication access device.
Policy - high level statements of intent relating to the protection of Information Resources across an organization (e.g., the U. T. Austin). Compliance with a Policy is mandatory.
Portable Computing Device - any easily movable device capable of receiving, transmitting, and/or storing data. These include, but are not limited to: notebook computers, handheld computers, tablets (e.g., iPads, etc.), PDAs (personal digital assistants), pagers, smartphones (e.g., iPhones, etc.), Universal Serial Bus (USB) drives, memory cards, external hard drives, data disks, CDs, DVDs, and similar storage devices.
Practice - customary actions, which may or may not be documented, taken to accomplish information security tasks.
Procedure - step by step instructions to assist information security and technology staff, Custodians, and Users in implementing various policies, standards, and guidelines.
Published Data - one of three data classifications within the U. T. Austin Data Classification Standard. This classification includes data/information made available to the public through posting to public websites or distribution through email, social media, print publications, or other media. Published Data is also historically referred to as Category-III data.
Remote Access - access to University Information Resources that originates from a Remote Location.
Remote Location - a location outside the physical boundary of the university (inclusive of university leased/rented properties and locations within the university’s compliance environment).
Residual Risk - the risk (Low, Moderate, or High) that remains after security controls have been applied.
Research - systematic investigation designed to develop and contribute to knowledge and may include all stages of development, testing, and evaluation.
Researcher - Lead Researchers, faculty, staff, graduate students, postdoctoral fellows, residents, and visiting/affiliated scientists who are engaged in or responsible for Research activities.
Risk – a function of the likelihood that a threat will exploit a vulnerability and the resulting impact to University missions, functions, image, reputation, assets, or constituencies if such an exploit were to occur.
Scheduled Change - a change to an Information Resource made under normal working conditions following formally defined change control processes as defined in UT-IRUSP Standard 7 - Change Management.
Security Incident - an event that results in unauthorized access, loss, disclosure, modification, disruption, or destruction of Information Resources whether accidental or deliberate.
Server – a program that provides services to (programs on) other devices. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.
Social Media - a forum or media for social interaction, using highly accessible and scalable communication techniques. Examples include but are not limited to wikis (e.g., Wikia, Wikimedia); blogs and microblogs (e.g., Blogger, Twitter); content communities (e.g. Flickr, YouTube); social networking sites (e.g., Facebook, MySpace, LinkedIn); virtual game worlds; and virtual communities (e.g., SecondLife)
Standards - specific mandatory controls that are components of this Policy or the U. T. Austin Information Security Program.
State Record – a document, book, paper, photograph, sound recording, or other material, regardless of physical form or characteristic, made or received by a state department or institution according to law or in connection with the transaction of official state business.
Strong Password - a Password constructed so that another User cannot easily guess it and so that a “hacker” program cannot break it within a reasonable amount of time. It typically consists of a minimum number of positions in length and contains a combination of alphabetic, numeric, or special characters.
Two-factor Authentication - a process for verifying a person’s identity that requires use of two of the following three elements:
University - U. T. System Administration, UTIMCO, or any of the academic Institutions, or health science centers, or other entities as from time to time may be assigned by specific legislative act to the governance, control, jurisdiction, or management of U. T. System that comprise The University of Texas System. Same as Institution.
University of Texas System (U. T. System) - the academic institutions and health science centers in The University of Texas System, plus U. T. System Administration and UTIMCO.
University of Texas System Administration (U. T. System Administration) - the central administrative offices that provide oversight and coordination of the activities of U. T. System and its Institutions.
University of Texas System Data (University Data) - All Data or Information held on behalf of U. T. System and its Institutions created as a result of and/or in support of U. T. System business, or residing on U. T. System Information Resources, including paper records.
U. T. System Shared Data Center - any data center governed by the U. T. Shared Data Center (SDC) group on behalf of the U. T. System including the Arlington Data Center (ARDC) and the Houston Data Center (HDC).
U. T. Austin Information Security Program – the U. T. Austin policies, standards, procedures, elements, structure, strategies, objectives, plans, metrics, reports, resources, and services that establish requirements to provide for program oversight.
User - an individual, automated application, or process that is authorized by the Owner to access the resource, in accordance with Federal and State law, university policy, and the Owner's procedures and rules. The User has the responsibility to (1) use the resource only for the purpose specified by the Owner, (2) comply with controls established by the Owner, and (3) prevent the unauthorized disclosure of Confidential Data. A user is any person who has been authorized by the Owner of the information to read, enter, or update that information.
UTIMCO - The University of Texas Investment Management Company that manages U. T. System’s investment assets.
Vendor - any third-party that contracts with U. T. Austin to provide goods and/or services to U. T. Austin.