IT Security
Effective: July 1, 2004
Updated/Revised: October 2025
Contact: Information Technology Services (ITS)
Contents
Introduction
1. Policy Statement
2. Specific Roles and Responsibilities
2.1 Chief Information Officer (CIO)
2.2 Data Steward
2.3 Data Custodian
2.4 Data User
2.5 Individuals Using Personally-Owned Computers and Other Network Devices
3. Third Party Vendors
4. Risk Assessment
5. Data Protection Requirements
6. Vulnerability Management
7. Security Incident Response
8. Exceptions
9. Enforcement
Resources
Introduction
Iowa State University acknowledges its obligation to ensure appropriate security for information and IT (information technology) systems in its domain of ownership and control. Furthermore, the university recognizes its responsibility to promote security awareness among the members of the Iowa State University community.
Iowa State University develops, publishes, and enforces policies and standards in order to achieve and maintain appropriate protection of university information and information processing systems. This document along with related information security policies and standards (see Resources below) identifies key security issues for which individuals, colleges, departments, and units are responsible.
1. Policy Statement
Every member of the university community, including any entity that is a registered user or connected to the university network, is responsible for protecting the security of university information and information systems by adhering to the objectives and requirements stated within published university policies. Also, individuals are required to comply with the additional security policies, procedures, and practices established by colleges, departments or other units. If multiple policy statements or security standards are relevant for a specific situation, the most restrictive security standards will apply.
All units—from the university level through the college, department, and unit level—must provide opportunities for individuals to learn about their roles in creating a secure IT environment.
2. Specific Roles and Responsibilities
2.1 Chief Information Officer (CIO)
The Office of the Chief Information Officer has overall responsibility for the security of the university's information technologies. Implementation of security policies is delegated throughout the university to various university services (noted below); to colleges, departments, and other units; and to individual users of campus IT resources.
2.2 Data Steward
The data steward is the university office, represented by an executive officer, charged with the primary responsibility and authority for ensuring that Iowa State University meets external and internal requirements for the privacy and security of specific types of confidential and business data owned by the university in its functional area. Data stewards, as a group, are responsible for recommending policies and for establishing standards and guidelines for university-wide data administration activities. Data stewards may delegate the implementation of university policies, standards, and guidelines to data custodians. They are also responsible for advising colleges, departments, units, and individuals on security practices in the following areas:
- Financial information and transactions (Treasurer's Office)
- Health information (Director, Thielen Student Health Center)
- Infrastructure, communications, and systems security (Information Technology Services)
- Law enforcement information (Iowa State University Police)
- Legal issues (Office of General Counsel)
- Library circulation records (Iowa State University Library)
- Personnel information and confidentiality (University Human Resources)
- Physical building security (Facilities Planning and Management)
- Regulated material information (Environmental Health and Safety)
- Research data and sponsored programs information (Vice President for Research)
- Security audits (Office of Internal Audit)
- Student loan information (Office of Student Financial Aid)
- Student record information and confidentiality (Office of the Registrar)
2.3 Data Custodian
The data custodian is the individual or entity (including outsourced services) in possession or control of data and is responsible for safeguarding the data according to the policies and procedures established by the associated data steward. The appropriate level of protection is based on the Data Classification policy and the Minimum Security Standards and Guidance (see Resources below).
2.4 Data User
The data user (synonymous with user) is the individual, automated application, or process authorized by the data steward to create, enter, edit, and access data in accordance with the data steward's policies and procedures. Users have a responsibility to:
- maintain the security of passwords, personal identification numbers (PINs), authentication tokens, and certificates; users will be held accountable for any activities linked to their accounts
- manage all forms of authentication and security controls to information processing systems based on the Minimum Security Standards and Guidance
- use the data only for the purpose specified by the data steward
- comply with controls established by the data steward
- prevent disclosure of confidential or sensitive data
- report suspected security incidents that may have breached the confidentiality of data
2.5 Individuals Using Personally-Owned Computers and Other Network Devices
Individuals who use personally-owned systems to access university resources are responsible for the security of their personally-owned computers or other network devices and are subject to the following:
- The provisions of the IT Security policy and the standards, procedures, and guidelines established by IT Services for university computing and network facilities.
- All other laws, regulations, or policies directed at the individual user.
3. Third Party Vendors
Third party vendors must protect university information in a manner consistent with Iowa State University's data protection requirements. ITS Security conducts a risk-based assessment of every third-party cloud vendor before its use on campus and annually thereafter, to provide reasonable assurance that appropriate security controls are in place to protect institutional data.
4. Risk Assessment
Risk assessment is a systematic process for determining the likelihood and impact of a negative event by evaluating the nature of the information and information systems involved.
All information systems must meet the Minimum Security Standards and Guidance applicable to their classification under the Data Classification policy (see Resources below). Selected systems will be designated for risk assessment at a prescribed frequency; for these systems, the documented findings and any resulting actions will be kept on file for audit and accountability purposes.
5. Data Protection Requirements
Data is a valuable asset of the university, and some data must be protected with a higher level of attention and caution. The required level of protection is determined by the Data Classification policy together with the Minimum Security Standards and Guidance (see Resources below).
6. Vulnerability Management
Anyone responsible for an ISU-owned computing system, a system used to process institutional data, or any internet-accessible system hosted within Iowa State University's campus network or cloud infrastructure must remediate security vulnerabilities promptly, within the timeframes defined in the Minimum Security Standards and Guidance.
7. Security Incident Response
The ITS Security team is responsible for handling all IT security-related incidents that affect institutional data and ISU-owned computing assets. The ITS Security team maintains an Incident Response Plan that defines how the university prepares for, detects, and responds to major IT security incidents. All individuals are responsible for reporting incidents in which they suspect that data, computer, or network security may have been compromised. Incidents can be reported by emailing security@iastate.edu.
8. Exceptions
If an individual is unable to meet the requirements of this policy, they may request a time-bound exception by emailing security@iastate.edu.
An individual who wants the outcome of an exception request reviewed further may escalate their concerns to the university's Chief Information Security Officer (CISO), Chief Technology Officer (CTO), and/or Chief Information Officer (CIO).
9. Enforcement
Failure to comply with the requirements of this policy may result in loss of computing privileges, disciplinary action, and/or the blocking of computing systems from the network.
Resources
Links
- Acceptable Use of Information Technology Resources policy
- Electronic Privacy policy
- Personal Use and Misuse of University Property policy
- IT Security Incident Reporting form
- IT Security Incident Reporting policy
- Computer and Online Security Tips
- Data Classification Policy
- Data Classification Standards and Guidance
- Minimum Security Standards and Guidance