Information Security Policy


University of Montana Information Security Policy

   
Policy Number: To be assigned by Legal Counsel
Effective Date: Provisional
Responsible Office: UM Information Security Office

IN PLAIN LANGUAGE

The University of Montana's Information Security Policy explains how the University protects its data and technology systems while supporting teaching, research, and service. It establishes shared responsibility for managing cybersecurity risk, designates institutional leadership and oversight, and sets expectations for how information is protected based on risk and sensitivity. The policy authorizes a set of security standards that define specific requirements and ensures the University meets legal, regulatory, and contractual obligations while adapting to changing threats and technologies.


1. Purpose

The University of Montana (UM) is committed to protecting the confidentiality, integrity, and availability of University Data and Information Technology Resources. This Information Security Policy establishes the institutional authority, governance framework, and minimum requirements for safeguarding information and information systems across the University of Montana System while supporting the University's missions of education, research, and service.

This policy provides the foundation for the University's Information Security Program and authorizes the development, implementation, and enforcement of information security standards, procedures, and controls aligned with recognized best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.


2. Scope

This policy applies to:

  • All members of the University community, including faculty, staff, students, student employees, affiliates, contractors, vendors, and other third parties with access to University Data or Information Technology Resources
  • All University-owned, managed, or operated information systems and technology resources
  • All data created, received, stored, processed, transmitted, or disposed of in support of University activities, regardless of format or location
  • All campuses within the University of Montana System, including UM Missoula, Montana Tech, UM Western, and Helena College

Note: For purposes of Information Security Standards issued under this policy, requirements may apply specifically to digital University Data and digital systems. Handling and management of non-digital (paper-based or analog) records are governed by records management, privacy, and other applicable University policies.


3. Definitions

For purposes of this policy, definitions related to data, roles, and classifications are established in the UM Data Governance Policy and associated standards. Key terms include, but are not limited to:

University Data (Institutional Data): Information for which the University has legal, contractual, or operational responsibility

Information Technology Resources: Hardware, software, networks, systems, and services used to collect, process, store, or transmit University Data

CISO: Chief Information Security Officer

Information Security Office (ISO): The University function responsible for administering the Information Security Program under the direction of the Chief Information Security Officer


4. Policy

4.1 Information Security Governance

The University shall maintain an enterprise-wide Information Security Program that:

  • Aligns with NIST Cybersecurity Framework (CSF) 2.0
  • Integrates administrative, technical, and physical safeguards
  • Supports compliance with applicable federal and state laws, regulations, contractual obligations, and Board of Regents policies
  • Is risk-based and proportionate to the sensitivity and criticality of University Data and systems
  • Is reviewed and improved continuously to address evolving threats, technologies, and institutional priorities

Information security is a shared responsibility across the University. Executive leadership is responsible for establishing risk tolerance and providing appropriate resources to support the Information Security Program.

4.2 Information Security Risk Management

Information security risk management is a core institutional governance function and an integral component of the University's Information Security Program. The University shall manage information security risk in a manner that supports its mission, complies with applicable requirements, and aligns with its risk tolerance.

The University shall:

  • Establish and maintain an information security risk management framework aligned with recognized standards, including NIST guidance
  • Identify, assess, and document risks to the confidentiality, integrity, and availability of University Data and Information Technology Resources
  • Integrate risk considerations throughout the lifecycle of systems, services, projects, and third-party engagements
  • Determine and document appropriate risk response strategies, including risk mitigation, acceptance, transfer, or avoidance
  • Ensure that information security risk acceptance decisions are made by appropriate institutional authorities and reflect executive-established risk tolerance
  • Monitor risk and the effectiveness of implemented controls on an ongoing basis

Detailed risk assessment methodologies, documentation requirements, and procedures are defined in Information Security Risk Management Standards issued under this policy.

4.3 Standards, Procedures, and Control Framework

This policy authorizes the Chief Information Security Officer to establish, maintain, and enforce Information Security Standards and Procedures necessary to implement this policy.

  • Compliance with Information Security Standards issued under this policy is mandatory
  • Standards define specific security requirements and controls
  • Procedures provide detailed implementation guidance

Units may implement additional controls to meet specific legal, regulatory, or operational requirements, provided such controls are not less stringent than University standards.

4.4 Data Protection and Classification

University Data shall be protected in accordance with its classification and applicable requirements. The University shall:

  • Classify data based on confidentiality, integrity, and availability requirements
  • Assign Data Stewards and Data Custodians with defined responsibilities
  • Apply security controls proportional to data classification
  • Manage data throughout its lifecycle, including creation, use, storage, sharing, retention, and disposal

Data classification and stewardship are defined in the UM Data Governance Policy. Data protection requirements are defined in Information Security Standards issued under this policy.

4.5 Identity and Access Management

Access to University Information Technology Resources shall be:

  • Authorized based on documented business or academic need
  • Granted according to the principle of least privilege
  • Managed throughout the identity and access lifecycle
  • Reviewed regularly and promptly updated when roles or affiliations change

Identity verification, authentication, authorization, and account management requirements are defined in University Identity and Access Management standards.

4.6 Asset, System, and Network Security

Information Technology Resources shall be:

  • Inventoried and assigned accountable owners, consistent with University operational stewardship responsibilities and State of Montana asset requirements
  • Configured and maintained according to approved security standards
  • Protected against unauthorized access, misuse, disruption, or compromise

Security requirements for endpoints, servers, networks, applications, and cloud services are defined in applicable Information Security Standards.

4.7 Security Monitoring and Vulnerability Management

The University shall implement capabilities to:

  • Monitor systems and networks for security events and anomalies
  • Identify, assess, and remediate vulnerabilities in a timely manner
  • Maintain audit logs sufficient to support detection, investigation, and compliance requirements

Monitoring, logging, and vulnerability management activities shall follow University standards and documented procedures.

4.8 Incident Response

The University shall maintain an incident response capability to effectively manage information security incidents. This includes:

  • Defined reporting channels for suspected incidents
  • Procedures for detection, analysis, containment, eradication, and recovery
  • Coordination with legal, privacy, communications, and external authorities as required
  • Regular training, testing, and improvement of incident response processes

Incident response activities shall be conducted in accordance with the Incident Response Standard and related procedures issued under this policy.

4.9 Third-Party and Vendor Risk Management

Third parties with access to University Data or systems shall meet University information security requirements. The University shall:

  • Assess and manage risks associated with vendors and service providers
  • Incorporate security requirements into contracts and agreements
  • Monitor third-party compliance throughout the relationship lifecycle

Vendor and third-party security requirements are defined in the Vendor Risk Management Standard and the Hardware, Software, and Services Procurement Standard issued under this policy.

4.10 Security Awareness and Training

The University shall provide information security awareness and role-based training to ensure that members of the University community understand their responsibilities and how to protect University Data and systems.

Completion of required training is mandatory and may be enforced through access controls or other administrative measures.


5. Roles and Responsibilities

5.1 Chief Information Security Officer (CISO)

The CISO is responsible for:

  • Overseeing the University-wide Information Security Program
  • Developing and maintaining information security policies, standards, and procedures
  • Coordinating information security risk management and incident response
  • Granting or denying exceptions to information security requirements
  • Reporting significant risks and issues to executive leadership

The Information Security Office (ISO) operates the Information Security Program under the authority and direction of the CISO. References to ISO responsibilities reflect delegated operational functions unless otherwise specified.

5.2 Executive Leadership

Executive leadership is responsible for:

  • Establishing institutional risk tolerance
  • Supporting the Information Security Program through governance and resources
  • Accepting or rejecting significant information security risks

5.3 Information Technology Organizations

UM IT, UM System IT, and Distributed IT are responsible for:

  • Implementing technical security controls
  • Maintaining secure systems and infrastructure
  • Supporting monitoring, incident response, and remediation activities

5.4 Data Stewards, Custodians, and Users

Responsibilities for Data Stewards, Data Custodians, and Data Users are defined in the UM Data Governance Policy and include proper handling, protection, and use of University Data.

5.5 All Members of the University Community

All users are responsible for:

  • Complying with information security policies and standards
  • Protecting University Data and systems
  • Completing required security training
  • Promptly reporting suspected security incidents

6. Compliance and Enforcement

Failure to comply with this policy or associated standards may result in disciplinary action, loss of access to University systems, contractual remedies, or legal action, as appropriate.

The CISO is authorized to monitor compliance through assessments, audits, and investigations and to escalate non-compliance to appropriate University officials.

Exceptions to this policy or supporting standards must be documented and approved through the established exception process.


7. Review and Maintenance

This policy shall be reviewed at least annually by the UM Information Security Office and the Information Security Advisory Council and updated as necessary to reflect changes in risk, law, technology, or institutional requirements.


8. Related Policies and Standards

This policy is supported by, but not limited to, the following policies and standards issued under its authority or maintained by related governance functions.

Institutional Policies

  • UM Data Governance Policy

Information Security Standards

  • Information Security Risk Management Standard
  • Incident Response Standard
  • Audit Log Management Standard
  • IT Data Security Standard
  • IT Data Disposal & Media Sanitization Standard
  • Clean Desk & Clear Screen Standard
  • Account Security Standard
  • Identity Verification & Proofing Standard
  • User Security Awareness & Responsibilities Standard
  • Logon Notification Banner Standard
  • Endpoint Management & Configuration Standard
  • Network Security Standard
  • Cloud Computing Security Standard
  • Web Application Security Standard
  • Electronic Communications Standard
  • IT Asset Management Standard
  • Hardware, Software, and Services Procurement Standard
  • Vendor Risk Management Standard

9. External References

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0
  • Montana University System Board of Regents Policy 1300
  • Applicable federal and state laws and regulations, including FERPA, GLBA, and HIPAA (as applicable)

Details

Article ID: 171020
Created: Thu 3/19/26 4:19 PM
Modified: Thu 4/9/26 9:19 AM