This policy applies to every user (including, but not limited to, all faculty, students, staff, contractors, visiting researchers, or guests and volunteers) who accesses, manages, or manipulates institutional information, research data, or information technology resources.
Institutional information, research data, and information technology (IT) resources are critical assets necessary for the University of Massachusetts Amherst (“UMass Amherst”) to fulfill its missions. To maximize the preservation and protection of these assets, and to manage the risks associated with their maintenance and use, this policy establishes information security governance structure, rules, technical standards, and procedures.
Information security is the responsibility of every user of institutional information, research data, and information technology resources. All users who create, access, manage, or manipulate institutional information, research data, or information technology resources must comply with this policy’s administrative, technical, and physical safeguards.
Every person at UMass Amherst has a responsibility to protect institutional information, research data, and information technology resources that they use or are otherwise within their control. These responsibilities vary based on the functional role of the individual.
Depending on those functions, some individuals may have more than one role. This section identifies roles and their corresponding responsibilities. For more information and examples, see: https://umass.service-now.com/kb?id=kb_article_view&sysparm_article=KB0010273.
The following roles have responsibility for University of Massachusetts Amherst information security framework, oversight, and assistance.
The Chancellor has primary responsibility for campus information security and safety. The Chancellor may delegate authority for information security to the Vice Chancellor for Information Services and Strategy and Chief Information Officer.
As a delegate of the Chancellor, the Vice Chancellor for Information Services and Strategy and Chief Information Officer, will provide executive oversight to the University of Massachusetts Amherst Information Security Program.
The Chief Information Security Officer is the University official with the authority to harmonize campus information security. The CISO is responsible for the development, implementation, and maintenance of a comprehensive information security program.
The Vice Chancellors and Deans are responsible for program management oversight for the security of institutional information, research data, and information technology resources within their areas of purview.
As noted in Section II C, institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk. Specific technical controls adhere to each category. Data Stewards are responsible for the categorization of institutional information and research data under their purview and the implementation of the specific technical controls that adhere to each category. Data Custodians are responsible for following the rules set by the Data Stewards.
For more information see: https://umass.edu/it/security/information-management.
Stewards have the highest level of responsibility for overseeing the categorization of institutional information and research data, and administering the privacy, security, and regulatory compliance of data sets under their purview (e.g., education records, human resources, and financial data). In the case of research data, in additional to acting as a Data Custodian, the Principal Investigator acts as the steward in consultation with research staff.
A steward may designate a delegate who will act on behalf of the steward for a portion or all of the information and data under their purview. The delegate should be identified in writing to the Vice Chancellor for Information Services and Strategy and CIO as well as the Chief Information Security Officer, along with how long the delegation will be in place.
Data Administrators are those individuals who are responsible for a particular line of business or who may have special knowledge of and responsibility for the compliance requirements for certain information or data sets. They have responsibility to inform the appropriate Steward(s) of any requirements or considerations that may influence policy, and set procedures, standards, or guidelines.
Subject Matter Experts are those individuals in roles with expertise such as risk, legal, compliance, privacy, and security who have responsibility to inform the appropriate Steward(s) of any requirements or considerations that may influence policy, and set procedures, standards, or guidelines.
Custodians are any individuals (employees, volunteers, etc.) who access, manage, or manipulate institutional information or research data. Custodians must follow campus policy and stewardship rules for handling of institutional information and research data.
In addition to the responsibilities of Vice Chancellors and Deans as noted in Section IV A 4 above, Vice Chancellors and Dean also have responsibility oversight for the implementation of the information security program within their areas of purview.
Individuals who are responsible for a portion of the campus, such as a program, center, or line of business, shall develop, as needed, more restrictive information security controls for better management of risk to the institutional information or research data for which they are responsible. Supervisors may, at their discretion, create specific forms outlining the duties of their direct reports under this policy for review, signature, or workplace performance.
The unit security liaison is the person or persons designated by the unit head as the primary contact for the CISO. Their primary role is to share information security training in a manner that works for their unit, to be available for incidents, and provide effective communication between the UMass Amherst IT Security Team and the college or division they represent. For more information see: https://umass.service-now.com/kb?id=kb_article_view&sysparm_article=KB0010273.
For central information technology resources, the Chief Technology Officer, in coordination with the CISO, draws up technology architectural outlines, issues standards, and develops uniform templates for use by central IT and the campus community. For current technical architectural outlines, standards, and templates, see: https://umass.sharepoint.com/sites/ITStandards. (Protected by NetID)
A Service Administrator (e.g., application administrator, system administrator, or network administrator) is the individual with principal responsibility for the installation, configuration, and ongoing maintenance of an information technology system.
In accordance with this policy, users must be aware of the value of information. They must protect information reasonably. Users must therefore follow the requirements for:
Information technology resources;
Institutional information; and
Research data
All users must report incidents involving unauthorized access to institutional information, research data, and information technology resources to the Chief Information Security Officer. You may also report them to your local information security liaison and to the UMass Amherst IT Security Team. For more information, see: https://umass.edu/it/security/incident-reporting.
Institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk*. Specific technical controls adhere to each category. Data Stewards are responsible for the Categorization of institutional information and research data under their purview. Data Custodians are responsible for using the appropriate security controls associated with each data category.
For more information regarding the categorization of institutional information and research data, see: https://www.umass.edu/it/security/data-categorization. For more information regarding the specific technical controls that adhere to each category, see: https://www.umass.edu/it/security/controls.
The user of every device connected to the campus network or that stores or transmits institutional information and research data is responsible for adherence to security control standards.
IT administrators either in UMass IT or in specific colleges or units may do the actual installation and configuration work, but it remains the responsibility of the user of that device to have those controls installed, configured and up to date (even if that simply means that when prompted to keep a computer on for its update, the user will comply with the prompt).
Faculty, staff or researchers who do not have or accept IT administration support are still subject to these rules and assume all responsibility for maintaining up to date controls on their devices that store or transmit institutional information and research data. This rule applies to whether it is an institutionally owned device or personal, and whether it is on the campus network while physically on the campus or from a remote location.
All information technology resources, regardless of ownership, that contain institutional information or research data must have the following foundational information security controls in place and functioning. Alternative, but equally effective, controls may be substituted in accordance with the exception process.
Additional controls may be required based on the categorization of the information or data, the nature of the information technology resource, the applicable regulatory or contractual requirements, or other risk management calculations. For more information see: https://umass.edu/it/security/controls.
The five foundational information security controls identified at the time of this policy’s publication are referenced below. For additional information, or to see a complete, updated list of foundational information security controls, see https://www.umass.edu/it/security/controls.
Security patches must be installed, operational and regularly updated on all information technology resources.
Anti-malware solutions must be installed, operational and regularly updated for applicable information technology resources.
Software to block incoming connections, unless explicitly allowed, must be installed and configured on applicable information technology resources.
All institutional information and research data stored on end-user devices must be encrypted.
All information technology resources that contain institutional information or research data must be disposed of in an authorized manner.
The campus owns all accounts, including NetID, it creates and provisions these accounts to users for the purposes of accessing university resources. All users have a responsibility to protect the university accounts under their care. Protection of these accounts may vary according to the risk that they present. Accounts with enhanced privileges may have additional requirements. For additional information including account standards, and password complexity rules, see: https://umass.edu/it/security/access.
At a minimum, all accounts must adhere to the following:
Credentials for individual accounts must not be shared.
UMASS IT sets password complexity requirements for your NetID. It is against policy for a user to subvert those requirements. Other password protected accounts must establish passwords with equivalent or greater complexity as the NetID requirements.