804: Frequently Asked Questions
Information Security Manual
Section 800: Awareness and Training
Q. What is the purpose of this Manual?
A. The purpose of this manual is to document all of the University’s Policies and Procedures around Information Security to ensure that we comply with all of the federal and state regulations with which we are required to comply.
Q. Who is responsible for Information Security?
A. Given the nature of Information and how we all use it every day, it is everyone’s responsibility to protect the information that we use. Certain roles and responsibilities have been defined within this document to help give guidance on how to do that, but it really must be an activity we all take seriously to be effective.
Q. What do I need to protect?
A. This manual outlines three classifications for Information Systems: Protected, Sensitive, and Unrestricted. Each class has different levels of security applied and needs to be protected in different ways.
Q. How do I protect it?
A. Baseline standards for each of the classifications are defined within this document and minimum requirements are explained along with some basic rules of thumb for paper documents as well as electronic information.
Q. I am an employee of the University; how do I figure out what classification applies to information I deal with?
A. Protected Information will be designated by Records Custodians who have been assigned by the University to ensure that legal requirements are met for certain types of Information. If you obtain Protected Information, such as Student Records, Financial Information, or Employee Records, from a central source such as Banner, you should be informed when granted access that the information is Protected. If you collect information directly (web forms, for example), the classification still applies and you will be required to determine both who the Records Custodian is and whether or not the information you collect would be considered Protected. In general, other than Student Records, Financial Information, and Personnel Records, it would be at the department’s discretion as to whether or not information is to be classified as Sensitive or Unrestricted if it is not already classified as Protected by a Records Custodian.
Q. What do I do if I suspect a security breach?
A. Report it to your department head and local IT staff, who will escalate to the appropriate administrative departments.
Q. How do I decide if a public notification is required by the new ID Theft law in Oregon?
A. That determination will be done by legal counsel.