FAQ - IT Information Security Policy


The University of Massachusetts Amherst Information Security Policy is the formal policy on information security governance structure, technical standards, and procedures to preserve and protect the institutional information, research data, and information technology resources of UMass Amherst. This page provides guidance on frequently asked questions related to the Information Security policy, and other related UMass Amherst policies.

What are the current technology guidelines for remote and hybrid work?

As departments develop standards and practices relevant to their areas for hybrid work, it is important that they consider the potential risks associated with any arrangements and develop appropriate standards that are in line with compliance regulations, privacy concerns, and data risks.

Although the campus information security policy allows for the use of personal devices in general, this practice should be reviewed by the appropriate dean, vice chancellor, director, or supervisor to determine if allowing personal devices for a particular area/role is appropriate given the relative risk this may present.

Example scenarios where personal devices may not be used for remote or hybrid work


Is it ok to store institutional or research data on my personal device?

Accessing, storing, or managing research data on a device not owned by the university is generally discouraged. This practice may expose the data and the device owner to risks, potentially violating university policies or compliance requirements detailed in the data owner's Data Use Agreement, Acceptable Use Policy, or other relevant documents. Nonetheless, exceptions may exist where utilizing a non-university-owned device is permissible, assuming it meets certain approved standards. The duty falls to data stewards to identify compliant and suitable platforms for dealing with data entrusted to or produced by the University of Massachusetts Amherst, which includes considering any viable exceptions.

UMass Amherst Policies Highlighting the Risks of Using Non-University-Owned Devices for Storing Institutional or Research Data:

IT Information Security Policy: This policy outlines the information security governance structure, technical standards, and procedures designed to safeguard institutional information, research data, and IT resources at UMass Amherst. It acknowledges the use of personal devices but recommends that the suitability of such use for specific areas or roles be evaluated by the relevant dean, vice chancellor, director, or supervisor, considering the associated risks. (Source: UMass IT Information Security Policy FAQ and UMA Information Security Policy)

Sen. Doc. No. 06-047: Special Report of the Research Council on the Policy on Data Ownership, Retention, and Access: This document is applicable to all campus research data, independent of funding source. It emphasizes that for sponsored research, any additional policies from the sponsor also apply. The policy advocates for restricting access to sensitive data to appropriate secure environments, in compliance with applicable laws. (Source: UMass Amherst Research Administration Data Ownership, Retention, and Access)

Data Storage and Sharing Guide: This guide advises against using Social Security Numbers unless legally required and suggests that data should be stored or shared on services offering equal or higher security levels than required for the data in question. (Source: UMass Amherst IT Data Storage and Sharing Guide)

Other Considerations

It is important to note that these policies indicate using a personal device for university affairs may subject the device to public records requests or lawsuits related to the university, potentially leading to personal legal liabilities. Furthermore, UMass IT Enterprise Desktop Support does not extend support to personal devices and prohibits their connection to IT-managed departmental file servers. Other policies that may be relevant to this topic can be found here: Information Technology | Campus Policy Library


Can I use my personal device (computer, tablet, smartphone) for university work/business?

Per the Information Security Policy, information security is the responsibility of every user of institutional information, research data, and information technology resources.

This means it is the responsibility of the user to make sure they have the appropriate controls in place, properly maintain their device(s) to protect the institutional information and research data under their control, and appropriately manage the risks.

According to the Information Security Policy, if using a personal device is not prohibited by the Data Steward and/or your College/Department, a personal device can generally be used for university business.*

*Note: For certain data types or functions, additional restrictions may apply. Regulated data and research data generally are not approved for personal devices. If you are unclear about a particular kind of data, please consult with the appropriate Data Steward or the Information Security Office.

When using a personal device for university business:

Examples of Appropriate Controls and Protections include:

IT Risk Management/Information Security can assist with risk assessments: it@umass.edu

Refer to the following policies for more details:


Can I forward my UMass email to my personal email account (Gmail, Yahoo, AOL, etc.), or use my personal email account for university business?

Forwarding your emails outside of the UMass email systems or using your personal email for university business introduces risk to you and the information contained in the email.

Information Security Policy and email protections

Forwarding university email to your personal email account may cause you to be in violation of federal privacy laws, such as FERPA and HIPAA, and the UMass Information Security Policy due to insufficient protections available in your personal account. Note that HIPAA data is not permitted to be transmitted or stored in email.

The university has enterprise contracts with our email providers to help protect the security and privacy of information stored in your university email account. Your personal email account does not have the same protections in place.

Examples of information that is not appropriate for personal email accounts include: Student related information (FERPA), personally identifiable information (PII), and research data. For more information on data management, see Information Management and Storing University Data.

Legal and Public Records Requests

Forwarding your UMass email to your personal email account, and/or conducting university business using your personal email may put your personal email mailbox in scope for UMass related legal and public records requests and may subject you to personal legal liability.

Email Forwarding Restrictions

Forwarding your UMass email to your personal email account, and/or conducting university business using your personal email, may result in your personal email mailbox being in scope for UMass-related legal and public records requests and may subject you to personal legal liability.


Can my university computer run an unsupported operating system and/or unsupported software?

Your EDS-managed device must be running an operating system and software that are supported by the vendor so that it can receive security fixes and application updates.

Also, the foundational security controls, such as anti-virus software, may not function correctly on older or unsupported operating systems.

Service Administrators and end users are responsible for maintaining the security of the institutional information, research data, and IT assets under their purview. The Foundational Information Security Controls and industry standards specify that systems shall be supported by their vendors, patched against vulnerabilities, and equipped with the appropriate security controls, such as updated anti-virus, to resist threats.

If this is not possible due to hardware incompatibility, a risk assessment will need to be performed. Contact your IT support contact to coordinate the risk assessment.


What software controls does UMass Amherst Enterprise Desktop Support put on university computers?

IT configures university computers with a baseline configuration and software tools to help mitigate risk to university data and systems, and to help effectively manage a large number of computers. These software tools include the Foundational Security Controls, other tools and configurations used to manage the computers, and business-related software requested by the department and/or computer users. The only software IT installs that monitors system activity is the anti-malware software, which looks for malicious activity on your system.


Can IT Enterprise Desktop Support see what I am doing on a university computer?

It is a violation of policy for an IT Administrator to monitor activities on the computer outside of legitimate, authorized work duties. IT administrators can use tools to address legitimate technical and information security related issues. For remote support, IT Enterprise Desktop Support uses remote access software that requires the computer user to acknowledge and authorize the remote connection. For additional information, see the Confidentiality of Institutional Information and Research Data policy.


I have access to IT equipment (computers, printers, tablets, etc.) through my employment at UMass. Who owns it?

Please refer to the UMass Property Office website section on Who Owns Equipment.

Questions on equipment ownership and inventory should be directed to the UMass Property Office (property@umass.edu).

This extends to equipment purchased with MSP funds.