University of Montana Information Security Policy
| Policy Number | To be assigned by Legal Counsel |
| Effective Date | Provisional |
| Responsible Office | UM Information Security Office |
IN PLAIN LANGUAGE
The University of Montana's Information Security Policy explains how the University protects its data and technology systems while supporting teaching, research, and service. It establishes shared responsibility for managing cybersecurity risk, designates institutional leadership and oversight, and sets expectations for how information is protected based on risk and sensitivity. The policy authorizes a set of security standards that define specific requirements and ensures the University meets legal, regulatory, and contractual obligations while adapting to changing threats and technologies.
1. Purpose
The University of Montana (UM) is committed to protecting the confidentiality, integrity, and availability of University Data and Information Technology Resources. This Information Security Policy establishes the institutional authority, governance framework, and minimum requirements for safeguarding information and information systems across the University of Montana System while supporting the University's missions of education, research, and service.
This policy provides the foundation for the University's Information Security Program and authorizes the development, implementation, and enforcement of information security standards, procedures, and controls aligned with recognized best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.
2. Scope
This policy applies to:
- All members of the University community, including faculty, staff, students, student employees, affiliates, contractors, vendors, and other third parties with access to University Data or Information Technology Resources
- All University-owned, managed, or operated information systems and technology resources
- All data created, received, stored, processed, transmitted, or disposed of in support of University activities, regardless of format or location
- All campuses within the University of Montana System, including UM Missoula, Montana Tech, UM Western, and Helena College
Note: For purposes of Information Security Standards issued under this policy, requirements may apply specifically to digital University Data and digital systems. Handling and management of non-digital (paper-based or analog) records are governed by records management, privacy, and other applicable University policies.
3. Definitions
For purposes of this policy, definitions related to data, roles, and classifications are established in the UM Data Governance Policy and associated standards. Key terms include, but are not limited to:
- University Data (Institutional Data): Information for which the University has legal, contractual, or operational responsibility
- Information Technology Resources: Hardware, software, networks, systems, and services used to collect, process, store, or transmit University Data
- CISO: Chief Information Security Officer
- Information Security Office (ISO): The University function responsible for administering the Information Security Program under the direction of the Chief Information Security Officer
4. Policy
4.1 Information Security Governance
The University shall maintain an enterprise-wide Information Security Program that:
- Aligns with NIST Cybersecurity Framework (CSF) 2.0
- Integrates administrative, technical, and physical safeguards
- Supports compliance with applicable federal and state laws, regulations, contractual obligations, and Board of Regents policies
- Is risk-based and proportionate to the sensitivity and criticality of University Data and systems
- Is reviewed and improved continuously to address evolving threats, technologies, and institutional priorities
Information security is a shared responsibility across the University. Executive leadership is responsible for establishing risk tolerance and providing appropriate resources to support the Information Security Program.
4.2 Information Security Risk Management
Information security risk management is a core institutional governance function and an integral component of the University's Information Security Program. The University shall manage information security risk in a manner that supports its mission, complies with applicable requirements, and aligns with its risk tolerance.
The University shall:
- Establish and maintain an information security risk management framework aligned with recognized standards, including NIST guidance
- Identify, assess, and document risks to the confidentiality, integrity, and availability of University Data and Information Technology Resources
- Integrate risk considerations throughout the lifecycle of systems, services, projects, and third-party engagements
- Determine and document appropriate risk response strategies, including risk mitigation, acceptance, transfer, or avoidance
- Ensure that information security risk acceptance decisions are made by appropriate institutional authorities and reflect executive-established risk tolerance
- Monitor risk and the effectiveness of implemented controls on an ongoing basis
Detailed risk assessment methodologies, documentation requirements, and procedures are defined in Information Security Risk Management Standards issued under this policy.
4.3 Standards, Procedures, and Control Framework
This policy authorizes the Chief Information Security Officer to establish, maintain, and enforce Information Security Standards and Procedures necessary to implement this policy.
- Compliance with Information Security Standards issued under this policy is mandatory
- Standards define specific security requirements and controls
- Procedures provide detailed implementation guidance
Units may implement additional controls to meet specific legal, regulatory, or operational requirements, provided such controls are not less stringent than University standards.
4.4 Data Protection and Classification
University Data shall be protected in accordance with its classification and applicable requirements. The University shall:
- Classify data based on confidentiality, integrity, and availability requirements
- Assign Data Stewards and Data Custodians with defined responsibilities
- Apply security controls proportional to data classification
- Manage data throughout its lifecycle, including creation, use, storage, sharing, retention, and disposal
Data classification and stewardship are defined in the UM Data Governance Policy. Data protection requirements are defined in Information Security Standards issued under this policy.
4.5 Identity and Access Management
Access to University Information Technology Resources shall be:
- Authorized based on documented business or academic need
- Granted according to the principle of least privilege
- Managed throughout the identity and access lifecycle
- Reviewed regularly and promptly updated when roles or affiliations change
Identity verification, authentication, authorization, and account management requirements are defined in University Identity and Access Management standards.
4.6 Asset, System, and Network Security
Information Technology Resources shall be:
- Inventoried and assigned accountable owners, consistent with University operational stewardship responsibilities and State of Montana asset requirements
- Configured and maintained according to approved security standards
- Protected against unauthorized access, misuse, disruption, or compromise
Security requirements for endpoints, servers, networks, applications, and cloud services are defined in applicable Information Security Standards.
4.7 Security Monitoring and Vulnerability Management
The University shall implement capabilities to:
- Monitor systems and networks for security events and anomalies
- Identify, assess, and remediate vulnerabilities in a timely manner
- Maintain audit logs sufficient to support detection, investigation, and compliance requirements
Monitoring, logging, and vulnerability management activities shall follow University standards and documented procedures.
4.8 Incident Response
The University shall maintain an incident response capability to effectively manage information security incidents. This includes:
- Defined reporting channels for suspected incidents
- Procedures for detection, analysis, containment, eradication, and recovery
- Coordination with legal, privacy, communications, and external authorities as required
- Regular training, testing, and improvement of incident response processes
Incident response activities shall be conducted in accordance with the Incident Response Standard and related procedures issued under this policy.
4.9 Third-Party and Vendor Risk Management
Third parties with access to University Data or systems shall meet University information security requirements. The University shall:
- Assess and manage risks associated with vendors and service providers
- Incorporate security requirements into contracts and agreements
- Monitor third-party compliance throughout the relationship lifecycle
Vendor and third-party security requirements are defined in the Vendor Risk Management Standard and the Hardware, Software, and Services Procurement Standard issued under this policy.
4.10 Security Awareness and Training
The University shall provide information security awareness and role-based training to ensure that members of the University community understand their responsibilities and how to protect University Data and systems.
Completion of required training is mandatory and may be enforced through access controls or other administrative measures.
5. Roles and Responsibilities
5.1 Chief Information Security Officer (CISO)
The CISO is responsible for:
- Overseeing the University-wide Information Security Program
- Developing and maintaining information security policies, standards, and procedures
- Coordinating information security risk management and incident response
- Granting or denying exceptions to information security requirements
- Reporting significant risks and issues to executive leadership
The Information Security Office (ISO) operates the Information Security Program under the authority and direction of the CISO. References to ISO responsibilities reflect delegated operational functions unless otherwise specified.
5.2 Executive Leadership
Executive leadership is responsible for:
- Establishing institutional risk tolerance
- Supporting the Information Security Program through governance and resources
- Accepting or rejecting significant information security risks
5.3 Information Technology Organizations
UM IT, UM System IT, and Distributed IT are responsible for:
- Implementing technical security controls
- Maintaining secure systems and infrastructure
- Supporting monitoring, incident response, and remediation activities
5.4 Data Stewards, Custodians, and Users
Responsibilities for Data Stewards, Data Custodians, and Data Users are defined in the UM Data Governance Policy and include proper handling, protection, and use of University Data.
5.5 All Members of the University Community
All users are responsible for:
- Complying with information security policies and standards
- Protecting University Data and systems
- Completing required security training
- Promptly reporting suspected security incidents
6. Compliance and Enforcement
Failure to comply with this policy or associated standards may result in disciplinary action, loss of access to University systems, contractual remedies, or legal action, as appropriate.
The CISO is authorized to monitor compliance through assessments, audits, and investigations and to escalate non-compliance to appropriate University officials.
Exceptions to this policy or supporting standards must be documented and approved through the established exception process.
7. Review and Maintenance
This policy shall be reviewed at least annually by the UM Information Security Office and the Information Security Advisory Council and updated as necessary to reflect changes in risk, law, technology, or institutional requirements.
8. Related Policies and Standards
This policy is supported by, but not limited to, the following policies and standards issued under its authority or maintained by related governance functions.
Institutional Policies
- UM Data Governance Policy
Information Security Standards
- Information Security Risk Management Standard
- Incident Response Standard
- Audit Log Management Standard
- IT Data Security Standard
- IT Data Disposal & Media Sanitization Standard
- Clean Desk & Clear Screen Standard
- Account Security Standard
- Identity Verification & Proofing Standard
- User Security Awareness & Responsibilities Standard
- Logon Notification Banner Standard
- Endpoint Management & Configuration Standard
- Network Security Standard
- Cloud Computing Security Standard
- Web Application Security Standard
- Electronic Communications Standard
- IT Asset Management Standard
- Hardware, Software, and Services Procurement Standard
- Vendor Risk Management Standard
9. External References
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0
- Montana University System Board of Regents Policy 1300
- Applicable federal and state laws and regulations, including FERPA, GLBA, and HIPAA (as applicable)