| Issued Under Authority of | UM Information Security Policy |
| Responsible Office | UM Information Security Office |
| Category | Technology and Platform Security |
IN PLAIN LANGUAGE
This standard is about reducing everyday risks that can lead to data exposure. When you step away from your workspace, lock your computer screen and make sure sensitive information isn't visible to others. Don't leave confidential papers, removable drives, or devices unattended, and be especially mindful in shared or public spaces like offices, classrooms, libraries, or conference rooms. These simple habits help protect University data, personal information, and your own work from accidental or unauthorized access.
1. Purpose
The purpose of this Standard is to reduce the risk of unauthorized access, disclosure, loss, or theft of University Data by establishing minimum expectations for securing workspaces and computing devices when they are unattended or not actively in use.
This Standard supports the University's Information Security Program by addressing common, low-effort risk scenarios that can result in data exposure and aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.
2. Scope
This Standard applies to:
- All members of the University community, including faculty, staff, student employees, affiliates, and contractors
- All University-owned computing devices and workspaces
- Personally owned devices when used to access or display University Data
This Standard applies to digital University Data and information systems. Non-digital records are governed by records management, privacy, and other applicable University policies.
3. Roles and Responsibilities
3.1 All Users
All users are responsible for:
- Securing devices and workspaces when unattended
- Preventing unauthorized viewing or access to University Data
- Complying with this Standard and related security policies
4. Clean Desk Requirements
To reduce the risk of unauthorized access to University Data:
- Sensitive or restricted materials must not be left unattended on desks or work surfaces
- Removable storage media containing University Data must be secured when not in use
- Paper containing sensitive information must be retrieved promptly from printers, copiers, and fax machines
- Creation of hardcopy materials containing sensitive information should be limited to the minimum necessary
5. Clear Screen Requirements
To prevent unauthorized viewing of University Data displayed on screens:
- Computing devices must be locked or logged off when unattended
- Automatic screen locking must be enabled where technically feasible
- Users must be mindful of their surroundings and prevent shoulder surfing or inadvertent disclosure
6. Shared and Public Workspaces
Additional care must be taken in shared, public, or semi-public environments, including classrooms, libraries, conference rooms, and open office areas.
In these environments, users should minimize the display of sensitive information and ensure devices are secured when not actively in use.
7. Enforcement and Exceptions
Failure to comply with this Standard may increase the risk of data exposure and may result in corrective action consistent with University policy.
Exceptions to this Standard must be documented, risk-based, and approved by the Chief Information Security Officer (CISO) or designee.
8. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or institutional needs.
9. References
- UM Information Security Policy
- UM IT Data Security Standard
- UM IT Data Disposal & Media Sanitization Standard
- UM Acceptable Use of Technology Resources Policy
- NIST Cybersecurity Framework (CSF) 2.0