Georgetown University Information Security Policy
Statement
This Policy defines and describes the responsibilities and required practices for all members of the University community with respect to information security and the protection of University information.
- All members of the University community must comply with secure and responsible administrative, technical, and physical information security practices.
- The Office of Information Services and University Information Services will use appropriate security controls and protocols to protect against any malicious access to, or manipulation of, the University’s information resources and network infrastructure.
Applicability
All access to and use of the University’s network, infrastructure, or information is governed by this policy. This Policy also addresses the use of any information generated, accessed, modified, transmitted, stored, or otherwise used by the University Community on the University’s information resources and network infrastructure.
Guiding Principles and Purpose
This Information Security Policy, and supporting documentation and procedures, provides a framework to implement best practices for information security. All members of the University community are stakeholders in this process.
Georgetown University is committed to protecting the confidentiality, integrity and availability of its information. To achieve these goals, University information and systems are secured and restricted.
This Policy complements and supports other University policies that protect the University’s information assets and resources including, but not limited to, the Information Classification Policy, the Record Retention Policy, and the Policy on the Use, Collection, and Retention of Social Security Numbers.
Administration and Implementation
All members of the University community share responsibility for protecting information resources to which they have access or are stewards. Appropriate information security practices and procedures, as described in the Procedures for the Protection of University Information, should always be followed.
Access to University information classified as Restricted is only granted when documentation demonstrates that such access is required to perform University business and academic functions and processes.
Responsibilities
Members of the Georgetown University community with specific responsibilities governed by this policy are listed below. For clarification on the terms used in this document, please refer to the “Office of Information Services Policy Definitions, Roles, and Responsibilities.” The Procedures for the Protection of University Information define the procedures required to fulfill these responsibilities.
Data Users are responsible for:
- Understanding and adhering to University policies, guidelines, and standards related to the use and administration of data, technology systems, networks, and applications.
- Complying with best practices in cybersecurity as established by the University Information Security Office.
- Completing cybersecurity training regularly and as prescribed by the University, its data stewards, and/or its technology administrators in accordance with data and system security guidelines.
- Using only University-managed, secure computers and laptops to process high-risk data and using authorized University resources to store high-risk data.
- Storing information as required by its assigned classification.
- Distributing and transmitting Restricted Information only through a University or Campus Reporting Center. Until such time as a University or Campus Reporting Center is operational, all extraction and distribution of Restricted Information shall be authorized by the appropriate Data Steward as described in the Georgetown University Procedures for the Transmittal of Restricted University information.
- Accessing and using Social Security Numbers (SSNs) only as authorized under the Policy on the Use, Collection, and Retention of Social Security Numbers at GU.
- Reporting suspected or known compromises of information resources, including contamination of resources by computer viruses, immediately upon discovering the known or suspected compromise, as described in the Procedures for Reporting a Security Incident.
- Securely managing all University information in their possession. Note that this includes information for which the user is not the originator but a subsequent recipient, as well as information originated by the user but intended for use by others.
Data Stewards must meet all the responsibilities of Data Users as well as additional responsibilities described below:
- Authorizing and de-authorizing access to data under their stewardship, based on the principle of least privilege, and in a manner that supports individual accountability for user activity.
- Authorizing University and Campus Reporting Centers to access data under their stewardship.
- Obtaining authorization for use of Social Security Numbers (SSNs) as described in the Policy on the Use, Collection, and Retention of Social Security Numbers.
University and Campus Reporting Center Managers and Analysts must meet all the responsibilities of Data Users as well as additional responsibilities described below:
- Having exclusive responsibility for the creation, distribution, and receipt of reports and data extracts containing Personally Identifiable Information and Restricted Information.
- Securing Restricted Information.
Heads of Academic and Administrative Units, Managers, and Supervisors must meet all the responsibilities of Data Users as well as:
- Assuring that all individuals who fall within the scope of their authority are appropriately educated in the information security requirements of their roles.
The University Information Security Office is responsible for:
- Establishing required minimum security standards for handling University information.
- Overseeing technology policy.
- Managing the cybersecurity training and awareness program that is required for members of the University community.
- Overseeing security for University networks and systems, and any systems connecting to the University.
- Handling information security incidents, and incident reporting, for the University.
Enforcement
Pursuant to the Georgetown University Human Resources Confidential Information Policy, employees who violate the University’s Information Security Policy and its associated procedures may be subject to disciplinary action, up to and including dismissal. Unauthorized access or disclosure of legally protected information may result in civil liability or criminal prosecution.
Students who violate the University’s Information Security Policy and its associated procedures are subject to the Code of Student Conduct and may be referred to the Office of Student Conduct for adjudication, notwithstanding any actions that may be taken independently by other offices within Georgetown University when such student is acting as an employee.
Consistent with the Computer Systems Acceptable Use Policy, the University may temporarily suspend, block or restrict a user’s access to information and systems when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of University resources or to protect the University from liability.
The University may routinely monitor network traffic to assure the continued integrity and security of University resources in accordance with applicable University policies and laws. The University may also refer suspected violations of applicable law to appropriate law enforcement agencies.
Resources
Information and resources supporting this Policy, including anti-virus software, are available on the Georgetown University Information Security Web site. Relevant policies and procedures include:
- Policy on the Use, Collection, and Retention of Social Security Numbers by Georgetown University
- Georgetown University Record Retention Policy
- Georgetown University Information Classification Policy
- Georgetown University Human Resources Confidential Information Policy
- Georgetown University Acceptable Use Policy
- Office of Information Services Policy Definitions, Roles, & Responsibilities
- Office of Information Services Procedures for Reporting a Security Incident
- Office of Information Services Procedures for the Protection of University Information
Approval
Douglas Little, Chief Information Officer
Micah Czigan, Chief Information Security Officer (CISO)
This policy will be reviewed and updated as needed unless changes in institutional policy or relevant law or regulation dictate otherwise.
Last reviewed and approved: September 2024
- Chief Information Security Officer
- Office of Cyber Risk Management