UIC Information Technology Security Program
Policy Number: IT-9100-001
Policy Title: UIC Information Technology Security Program
Vice Chancellor/Associate Chancellor: Vice Chancellor for Innovation
Units Responsible for Policy: Technology Solutions, UIC Information Technology Leadership Council Security Committee
Effective Date: February 18, 2022
The UIC IT Security Program (“program”) and its constituent policy inform all campus stakeholders of their responsibilities to improve access and security of digital assets. The program establishes a common framework for identifying and protecting information assets at the university. All university faculty, staff, and other individuals who access university systems and data are responsible for complying with the program. It is also the responsibility of the Vice Chancellors, Deans, or Department/Unit heads to ensure that the requirements of the program are met within their respective units. The program specifically outlines the responsibilities of members of the IT Leadership Council, the Chief Information Security and Privacy Officer, and the campus community, and defines roles such as unit information security officer, data custodian, data steward, and data user. The program provides the tools and procedures that are to be used to comply with the requirements. The program is subject to annual review and maintenance to ensure its relevance and keep pace with evolving technology, laws, regulations, statutes, and policies.
Units may implement policy more restrictive than this policy. In the event a unit policy is less restrictive, this policy takes precedence.
The full version of the UIC IT Security Program with all associated policy, procedure, standards and guidelines can be accessed at http://policy.security.uic.edu.
Reason for Policy:
The purpose of the UIC IT Security Program and related policies is to create a culture that respects the obligation we all have to protect the university’s digital assets. In addition to academic, research, and financial data, we also have protected health information to safeguard.
The specific reasons for having an IT Security Program include, but are not limited to, protecting:
- Student and academic data
- Research data
- Patient and health information data
- Data subject to the attorney-client privilege
- Human resources data
- Financial data, including credit card information
- The university from liability and potential loss of grant funding
Minority Impact Statement:
The University of Illinois Chicago adopted this program to provide a unified structure for information technology security across its campus, and this program is intended to be applied to all Units, faculty and staff at UIC. It is further intended to provide the foundation to treat university information assets as strategic organizational assets, and in a manner consistent with that of other strategic assets of the university such as financial and facility assets.
The manner in which this program is implemented is not intended or expected to have a capability to advance diversity on campus, and it is also not expected to have any differential or adverse impact on diversity at the campus.
Who Should Read the Policy:
UIC faculty, staff, students, and other individuals who access university systems and data.
Campus Community – Participants in the university business processes including its workforce, research partners, affiliates, business associates covered by HIPAA Business Associate Agreements, and those who, through the university’s business processes, have access to non-public university data in performing their responsibilities or obtaining information or services from university data or university computational resources.
Data Custodian – A person with a role responsible for providing and supporting elements of an infrastructure in support of access to university data and its transmission, receipt, and storage, assuring its confidentiality while providing for its availability according to diverse unit business process needs, and ensuring its integrity. The Data Custodian may also provide and support secure access to computational resources utilized by Data Users, the workforce, and the campus community, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system Data Users as authorized by Data Stewards, and implementing and administering controls over that data.
Data Steward – The individual (or possibly, a group of individuals) who has a role with direct operational-level responsibility for the acquisition, management, and preservation of university data — usually unit heads or directors. The Data Steward may be the person responsible for the original collection or aggregation of the data; for example, a principal investigator whose study collects ePHI from subjects. As another example, the Data Steward may be the assigned university business process owner; to illustrate this example, a department’s Director of Graduate Admissions who supervises the collection of departmental supplemental graduate applications may be the designated Data Steward.
Data User – An individual who uses university data as part of the individual’s assigned duties or in fulfilling their assigned roles or functions carrying out university business processes within the university community.
Electronic Protected Health Information (ePHI) – Individually identifiable health information.
Unit Information Security Officer (UISO) – Provides day-to-day management of the Security Program at the College or Vice Chancellor level, and general advice on IT Security issues.
Related Laws, Regulations, Statutes, and Policies:
- Family Educational Rights and Privacy Act (FERPA) of 1974
- Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- Illinois Public Act 094-0036 “Personal Information Protection Act” (PIPA), Illinois Compiled Statutes Chapter 815, Act 530
Approval date: February 17, 2022
Approved as: New policy