Responsible Office: IT Services
Policy Officer: VP for Finance and Administration
Scope: Faculty, Staff, Student
Approved By: President's Council
Approved Date: 4/27/2022
Effective Date: 4/27/2022
Category: Institutional
Description/Purpose:
Table of Contents
INFORMATION SECURITY POLICY
DATA CLASSIFICATION POLICY
ORGANIZATION OF INFORMATION
LOGICAL ACCESS CONTROL POLICY
CONFIGURATION AND CHANGE MANAGEMENT
MOBILE DEVICE EMAIL POLICY
PRIVILEGED ACCESS POLICY
Details:
I. Information Security Policy
A. Objective
The objective of this policy is to provide the university administration, staff, faculty, students, vendors, and any other users of the University systems or internet connectivity with direction and support for cybersecurity by following industry standards, business requirements, and relevant laws and regulations. As a university with students who reside on campus during the academic year, the Saint Francis University, Loretto, PA campus is responsible for the security, availability, processing integrity, confidentiality, and privacy of the users, assets, and data which comprise the cybersecurity ecosystem.
B. Policy
All information security policy documents shall be approved by the President's Council and communicated to all employees and relevant external parties.
C. Saint Francis University Cybersecurity Ecosystem
- Ecosystem Overview
The Saint Francis University Cybersecurity Ecosystem extends across the Loretto, PA campus and surrounding environs owned by the University, including the golf course, the water tower, and the Curry Building in Altoona, PA. The ecosystem may also extend to University locations beyond campus as required to support the learning activities and administration of the University.
- Principal Service Commitments and Cybersecurity Ecosystem Requirements
Saint Francis University has designed and implemented system components and related policies to meet or exceed compliance standards for all relevant laws and regulations. These system components establish the boundaries of the system, which include all wired and wireless infrastructure within the campus site located in Loretto, PA, and any remote site(s) that interconnect with the main campus. This infrastructure is made up of any Saint Francis University purchased devices, including but not limited to: network appliances, laptop computers, desktop computers, projectors, telephony devices, multifunction printers/copiers, and servers. Contained within these boundaries are any user's connection through VPN into the established infrastructure and any shared infrastructure.
Student Personal Devices: Saint Francis University does not take responsibility for the data protection or security of student-owned devices. These policies provide governance for the network and power regulation equipment used to establish connectivity for student devices, but student-owned devices are not within the scope of these policies.
D. Saint Francis University Cybersecurity Ecosystem - Standard
- The information security policy documents will be reviewed and (re)approved at least annually by the IT Steering Committee and, if necessary, university leadership.
- The information security policy document shall be reviewed as a result of significant changes in security or the boundaries of the system.
- The policy document shall contain header blocks showing any revision history and approvals.
- An IT Steering Committee shall be established and comprised of university leadership and IT in order to maintain alignment with university goals and IT governance.
- All system users shall have access to the information security policies.
E. Saint Francis University Cybersecurity Ecosystem - User Responsibility
All Saint Francis University cybersecurity ecosystem users have responsibility to maintain confidentiality, integrity, and security. These responsibilities include but are not limited to:
- Reporting all security or suspected security policy breaches to either the Personal Support Center at sfuhelp@personalsupportcenter.com or the Cybersecurity Team at abuse@francis.edu.
- Not tampering with or disabling any firewall and/or antimalware applications on university-provided devices.
- Protection of individual passwords, which control access, and other privileges within the Saint Francis University infrastructure.
- Maintaining the confidentiality of any data that may be provided as a user of the system, or data needed as part of a job role.
II. Data Classification Policy
The University has developed a specific, separate policy governing data classification. Please refer to Data Classification Policy.
III. Organization of Information
A. Objective
Establish a framework for managing the safe and secure flow of information throughout the university.
B. Policy
A management framework shall be established to include the storage, transmission, disposal, time-to-live, and detection or prevention, including reporting of security events for data based on classification.
C. Roles
- Central Administration
SFU IT provides consulting and training concerning security, maintains the security of the central network and a central email service, and provides resources for implementing and supporting encryption technologies.
- Compliance
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the Federal Trade Commission (FTC) Safeguards Rule require a designated employee group to coordinate the information security program. This group is the IT Steering Committee. The following standards, based on data classification, are specifically implemented as information safeguards to control the risks identified through the storage, transmission, and disposal of data.
D. Standard
- The security governance team and University Leadership shall actively support information security within the organization through clear direction, demonstrated commitment, and explicit assignment and acknowledgment of information security responsibilities.
- Information security activities shall be coordinated between resources from different parts of the university.
- The organization shall define and utilize confidentiality and/or non-disclosure agreements.
- Executive Leadership will enforce appropriate procedures for contacting authorities during security events and/or incidents.
- To protect confidential and restricted data as it is transmitted across network infrastructures, Saint Francis University uses secure protocols, including TLS, SSH, and SFTP, where appropriate.
1. Internal Data
Accessing: University need is the primary driver for access requests. All non-public information must be secured with, at a minimum, a single authentication method, or transmitted through the Internet using secure protocols. (TLS 1.2 or above encryption is the standard for all data transmissions.)
Collecting: No restrictions.
Sharing: Sharing with other internal employees as needed. Sharing with vendors/third parties as approved by the department lead, manager, or supervisor.
Sending (Paper): Send information in a manner that protects it from casual reading.
Sending (Electronic): Use a method that requires authentication prior to receipt, or a secure transfer protocol. Methods include e-mail, a website that requires a login, a file server that requires a password, or secure email services for more private data.
Storing (Paper): Keep all documents in non-public areas when not in use.
Storing (Electronic): Devices storing electronic non-public information must meet, at a minimum, a single authentication method.
Storing (Electronic Media): Store all media in non-public areas when not in use.
Incident Reporting: Report the loss of any Internal Data to the local department lead, manager, or supervisor, who will determine the requirements, if any, for further reporting.
Auditing: Where this data is located, the access control mechanisms, who has access to it, and the encryption protocols are audited periodically. Data destruction protocols follow this policy.
Destroying (Paper and Disposable Electronic Media such as CDs or DVDs): Documents with sensitive content should be placed within the [shred boxes located within all facilities. If unable to locate the shred box, the department head will assist you.]
Destroying (Electronic Files on Reusable Storage Devices such as Flash Drives and Hard Drives): Standard operating system utilities are used to delete files.
Destroying (Electronic Storage at End of Life): Data destruction services are provided by [an asset disposal and recycling firm. The protocol for data removal is either physical hard drive destruction (shredding) or DoD-compatible data cleansing. Contact the [Support Center] to create a ticket for data destruction if needed.]
2. Confidential Data
Accessing: Access to confidential data requires [completion of security awareness and data classification professional development training or acknowledgement.] Protocols are developed to immediately remove access upon a significant change in the employment status of any individual with access. The department lead, manager, supervisor, or [Collegis Security Team] is responsible for removing access from any person(s) who no longer require confidential data access as part of their job function [within 24 hours of filing an appropriate alert].
Collecting: Reduce or eliminate where not required for university need. The collection of Confidential data about individuals may require the approval of the [Collegis Security Team]. If there is any doubt whether the data requires approval, please contact the [Collegis Security Team].
Sharing: Supervisors or the [Collegis Security Team] should be notified if you are uncertain about sharing confidential information. Information being shared with a small controlled group of internal university staff or faculty members may be shared without approval; however, if there is any concern in doing so, the supervisors or the [Collegis Security Team] should be involved. Keeping the need-to-know concept in mind, university need should drive the sharing of data. Confidential information can be shared with the subject of record and any other individual with permission from the subject of record. Confidential information that is transmitted must use either TLS 1.2 or above, or SFTP services, for transmission. If confidential information is received but does not follow this standard, please contact the [Collegis Security Team].
Printing, Scanning, and Copying: Copiers and some printers have internal storage devices that can retain data. To preserve confidentiality, avoid superfluous printing of confidential data.
Sending (Paper): Use sealed security envelopes addressed to the specific intended party. Be sure to include "For intended recipient only." Any confidential information being sent outside the control of the organization should be sent via a mail service that includes a tracking number.
Sending (Electronic): Confidential data is encrypted in transit by way of TLS 1.2 or better encryption, or SFTP, especially data in large volumes. In some cases, if email is the only method of transmission, the encryption services offered by Microsoft 365 are employed for these transmissions. Microsoft Office files containing confidential information should also be password protected; review [the security awareness and data classification professional development training for more information]. If confidential information is to be stored on removable media (CD/DVD/USB/External Hard Drives) or in the cloud, see the storage section below.
Sending (Fax): Most fax machines and e-fax services store at a minimum the first page of data in memory, which can be compromised. All confidential information that must be shared via fax MUST include a cover sheet, be marked as confidential, and be read only by the recipient. Consider coordinating with the intended recipient so they are on hand to receive the fax directly before you begin to send.
Sending (Smart Phones and Tablets): Any smartphone or tablet used to send or receive confidential information must meet, at a minimum, a single authentication method, and must transmit through the internet using TLS 1.2 or above encryption protocols.
Storing (Physical Paper): Stored in secure areas that are accessible only by authorized individuals. The number of copies should be kept to a minimum. Audits of individuals with physical access to these storage locations will be performed periodically.
Storing (Electronic): If data is not stored on one of the encrypted-in-transit devices, it is recommended that confidential data be stored in an encrypted format. Cloud services may be used if not shared, and shares may be used if approved. Please refer to the [security awareness and data classification professional development training, or acknowledgment for more information].
Storing (Electronic Media such as CD, DVD, USB, etc.): Encryption of stored data is also recommended. Store media in a secure location. The media should be erased or destroyed when it is no longer needed.
Auditing: Each department must review annually where confidential data is stored, user access, encryption protocols, control mechanisms, and data destruction. Verify that procedures for account access are reviewed and documented. Data destruction must comply with university policies.
Incident Reporting: Any unauthorized access or loss of confidential information, intentional or unintentional, must be reported to the appropriate manager, department head, or [Collegis Security Team]. If none is available, at a minimum report to the [Support Center]. Managers, supervisors, and [Collegis Security Team] members should report significant unauthorized disclosure or losses of Confidential data to the appropriate authorities in compliance with state, local, and federal laws and compliance standards. If you are unclear whether the incident is significant, contact the [Collegis Security Team] for clarification.
Destroying (Paper and Disposable Electronic Media such as CDs, DVDs): Physical destruction using a shredder, shred box, or similar appropriate technology, then recycle or discard.
Destroying (Electronic Files on Reusable Electronic Storage Devices such as Flash Drives, Hard Drives, External Hard Drives): Delete using an approved secure deletion program. If you require assistance in the destruction of data on external media, please contact the [Support Center].
Destroying (Electronic Storage at End of Life): Functional electronic media, once erased, is either disposed of or recycled. Non-functional media must go through proper disposal procedures. If you require assistance in the destruction of data on external media, please contact the [Support Center].
Destroying (Devices at End of Lease or End of Life): Such devices contain hard drives, which must be properly erased or "wiped" prior to leaving the university's control. For more information on proper destruction of data, please refer to the [security awareness and data classification professional development training for more information].
3. Restricted Data
Accessing: Access to restricted data requires the approval of a department lead, manager, or supervisor, [upon completion of either security awareness training or acknowledgment]. Avoid accessing or using restricted data whenever possible, and do so from as few devices as possible. Devices used to access restricted data must have, at a minimum, single-point authentication methods for access. The department lead, manager, supervisor, or [Collegis Security Team] is responsible for removing access from any person(s) who no longer require restricted data access as part of their job function within [24 hours of filing an appropriate alert].
Collecting: Reduce, refuse, or eliminate where not required for university need. The collection of Restricted data about individuals may require the approval of the [Collegis Security Team]. If there is any doubt whether the data requires approval, please contact the [Collegis Security Team].
Sharing: If at any time you are unsure whether a piece of restricted data should be shared, escalate the request to an appropriate department lead, manager, supervisor, or [Collegis Security Team] member. This information may be shared only for need-to-know business purposes and only as approved by the appropriate department lead, manager, supervisor, or [Collegis Security Team] member, except where the information is being given to approved custodians of this data. Information being shared with a small controlled group of university internal staff or faculty may be shared without the approval of a [Collegis Security Team] member; however, if there is any concern in doing so, the [Collegis Security Team] should be involved. Note: Non-disclosure and other types of agreements may be necessary for any vendors or external parties to review restricted information. The [compliance office] must approve such agreements or agreement forms. Any restricted information can be shared with the subject of the record and any other individual with permission from the subject of record. Any restricted information that is received or transmitted must use either TLS 1.2 or above encryption, or SFTP services, for transmission.
Printing, Copying, and Scanning: Printers and copiers often store printed documents on a local hard drive, potentially allowing unauthorized access to the information. Avoid, when possible, the printing of Restricted data.
Sending (Physical Paper): Address the intended party and send in sealed envelopes marked "For Intended Recipient Only." The paper document must be sent via an authorized courier, certified mail, or other mail service that includes a tracking number.
Sending (Electronic): Restricted data is encrypted in transit by way of TLS 1.2 or above encryption, or SFTP, especially data in large volumes. In some cases, if email is the only method of transmission, the encryption services offered by Microsoft 365 are employed for these transmissions. Microsoft Office files containing restricted information should also be password protected; review [the security awareness and data classification professional development training for more information]. If restricted information is to be stored on removable media (CD/DVD/USB/External Hard Drives) or in the cloud, see the storage section below.
Sending (Fax): Most fax machines and e-fax services store at a minimum the first page of data in memory, which can be compromised. All restricted data that must be shared via fax MUST include a cover sheet, be marked as restricted, and be read only by the recipient. Consider coordinating with the intended recipient so they are on hand to receive the fax directly before you begin to send.
Sending (Smart Phones and Tablets): The use of smart phones to gain access to restricted data is strongly discouraged. Restricted data must comply with the minimum data protection standard of a single authentication on the device. If you are asked to share restricted data via a smart phone, please ask to have this information shared using another form of media. If there are any questions, please contact the [Collegis Security Team].
Storing (Paper): Stored in secure areas that are accessible only by authorized individuals. The number of copies should be kept to a minimum. Audits of individuals with physical access to these storage locations will be performed periodically.
Storing (Electronic): If data is not stored on one of the encrypted-in-transit devices, it is recommended that restricted data be stored in an encrypted format. Restricted data must never be stored on personally owned devices. University-approved cloud-based services are generally approved to store restricted data. Restricted data must never be shared through cloud-based storage unless approved by the department lead, manager, supervisor, or [Collegis Security Team].
Storing (Electronic Media such as CD, DVD, USB, External Hard Drive): Encryption of stored data is required. Media is stored only within secure locations when not in use. Media should be inventoried upon creation and destroyed as soon as it is no longer needed. University policy prohibits the use of external media for storing restricted data unless documented prior approval has been granted by the [Collegis Security Team].
Auditing: Each department must review annually where restricted data is stored, user access, encryption protocols, control mechanisms, and data destruction. Verify that procedures for account access are reviewed and documented. Data destruction must comply with these policies.
Incident Reporting: Any unauthorized access or loss of restricted information, intentional or unintentional, must be reported immediately to the appropriate manager, department head, or [Collegis Security Team]. If none is available, at a minimum report to the [Support Center]. Managers, supervisors, and [Collegis Security Team] members should report significant unauthorized disclosure or losses of restricted data to the appropriate authorities in compliance with state, local, and federal laws and compliance standards. If you are unclear whether the incident is significant, contact the [Collegis Security Team] for clarification.
Destroying (Paper and Disposable Electronic Media such as CDs, DVDs): Physical destruction using a shredder, shred box, or similar appropriate technology, then recycle or discard.
Destroying (Electronic Files on Reusable Electronic Storage Devices such as Flash Drives, Hard Drives, External Hard Drives): Delete using an approved secure deletion program. If you require assistance in the destruction of data on external media, please contact the [Support Center].
Destroying (Electronic Storage at End of Life): Functional electronic media, once erased, is either disposed of or recycled. Non-functional media must go through proper disposal procedures. If you require assistance in the destruction of data on external media, please contact the [Support Center].
Destroying (Devices at End of Lease or End of Life): Such devices contain hard drives, which must be properly erased or "wiped" prior to leaving the university's control. For more information on proper destruction of data, please refer to [the security awareness and data classification professional development training for more information].
B. Exceptions
The Chief Information Officer is authorized and can grant exceptions to the requirements in this document. Exceptions will require a thorough investigation of the process and will be based on the execution of appropriate controls. All exceptions must be documented and approved along with signed acknowledgments of risk and responsibility.
C. Important
Failure to comply with the Organization of Information Security may result in harm to the university, students, vendors, or all parties. The unauthorized or unacceptable use of data, including the failure to comply with these standards, constitutes a major violation of policy and may subject the user to revocation of the privilege to use data or information technology. Disciplinary action, up to and including termination of employment, may also apply.
IV. Logical Access Control Policy
The University has developed a specific, separate policy governing logical access control. Please refer to the Logical Access Control Policy.
V. Configuration and Change Management
A. Objective
Change to information processing facilities and systems shall be communicated, controlled, and approved by the appropriate personnel.
B. Policy
Formal procedures shall be established to manage the configuration or changes to applications, operating systems, hardware, devices, etc. Procedures shall include steps for the approval, development, implementation, testing, promotion, and acceptance of configurations or changes by technicians and business sponsors.
C. Standard
- Formal management responsibilities and procedures shall be in place to ensure satisfactory control of all configurations and changes.
- All configurations and changes shall include:
  - Authorization and approval by the business and/or technical process owners.
  - Recording and tracking of configuration and change status.
  - Classification and prioritization of all changes based on university risk.
  - Assessment of the potential impacts, including security impacts and impacts on data integrity.
  - Back-out procedures, including procedures and responsibilities for rollback and recovery.
  - Planning and testing of configurations and changes.
  - Communication of configuration and change details to relevant parties.
- Changes shall be performed in the appropriate maintenance window unless otherwise approved prior to the development of the change control. Maintenance windows are chosen based on the level of risk and scope of impact.
- Configuration standards shall include:
  - A mandatory baseline configuration of the information system across development, non-production, and production environments, to enable identification of the system's configuration at specific points in time.
  - Configuration of the security settings of information technology products to the most restrictive mode consistent with operational requirements as defined by business and technical owners.
  - A unique identifier for each configuration item so the item can be easily tracked.
  - Regular audit activities associated with configuration changes to the information system.
  - A process to revert to the baseline configuration in the event of problems, if so determined after the initial investigation.
- Change standards shall include:
  - An audit log containing all relevant, system-generated information, retained per retention guidelines.
  - Management to minimize risk exposure and reduce the severity of any impact and disruption.
  - The approvals to implement a change to the information system, including successful results from the security analysis of the change.
  - A security impact analysis to determine the effects of the changes.
- Emergency Change Procedures
  - When an emergency arises, break-fix changes may be performed without prior approval while the production environment is malfunctioning; the corresponding emergency change record is required after functionality of the production environment has been re-established.
  - Authorization and approval by at least three IT directors are required to proceed with non-break-fix emergency change requests. Break-fix requests will need confirmation from at least three IT directors before being closed.
  - Emergency changes follow all other aspects of the normal change control process.
D. Change Maintenance Windows
Scope of Change / Day and Time:
- Non-production impacting changes: any day, any time.
- Small likelihood of production impact or small-scale outage: Tuesdays or Thursdays from 6 am, ending by 8 am, in the university's time zone.
- Production impacting changes, including large-scale outage: Fridays from 2 am, ending by 6 am, in the university's time zone.
VI. Mobile Device Email Policy
A. Objective
Protect business data transmissions through email communication to only secured devices.
B. Policy
A password policy will be enforced through ActiveSync on mobile devices accessing company provided email.
C. Compatibility
All iOS, Android and Windows Mobile devices should be operating on the most up-to-date version of the software available for that model. Maintaining compliance with this provision is the responsibility of the device owner, and failure to do so could lead to a termination of access to University data on the mobile device.
D. Definitions
Alternative Login Capabilities - Alternative login options include pattern unlock, biometric readers, facial recognition, and others. Compatibility with ActiveSync will vary based on the manufacturer, model, service provider, or operating system version.
E. Standard
- All employees shall be responsible for taking appropriate steps to ensure the security and the confidentiality of their personal mobile device passwords.
- Mobile devices attempting to connect to Exchange email services must adhere to the following minimal policies (alternate login capabilities may also be available):
  - A device password is required.
  - Devices are allowed to contain simple passwords such as 1234 or 1111.
  - After [8 failed attempts] to log in, the mobile device will automatically revert to factory settings.
  - A [4-character] minimum password length is required.
  - After 15 minutes of inactivity the device will automatically lock.
- Password best practices include:
  - Passwords shall not be written down by the user.
  - Passwords shall not be communicated with other account information in any written communication.
  - Try to avoid the use of easily guessed passwords such as 1234 or 1111.
  - User IDs and passwords must not be shared with others.
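The minimal device policies above map directly onto an Exchange ActiveSync mobile device mailbox policy. The following Exchange Online PowerShell commands are an added illustration, not the University's own configuration: the policy name, the mailbox identity and the use of the ExchangeOnlineManagement module are assumptions, while the numeric values are the ones listed above as written (the bracketed figures included).

```powershell
# Added example (not the University's configuration): build an Exchange Online
# mobile device mailbox policy that enforces the minimal settings listed above.
# Assumes the ExchangeOnlineManagement module is installed and the caller has
# the Exchange administrator role. Policy and mailbox names are placeholders.
Connect-ExchangeOnline

$policyName = 'SFU-Mobile-Email-Minimum'   # assumed policy name

$settings = @{
    Name                      = $policyName
    PasswordEnabled           = $true        # "A device password is required."
    AllowSimplePassword       = $true        # policy as written permits simple passwords such as 1234
    MaxPasswordFailedAttempts = 8            # "[8 failed attempts]" then the device resets to factory settings
    MinPasswordLength         = 4            # "[4-character] minimum password length"
    MaxInactivityTimeLock     = '00:15:00'   # "After 15 minutes of inactivity the device will automatically lock."
}
New-MobileDeviceMailboxPolicy @settings

# The "avoid easily guessed passwords such as 1234" best practice is advisory in
# the text above; to make the server enforce it instead, disallow simple passwords:
# Set-MobileDeviceMailboxPolicy -Identity $policyName -AllowSimplePassword $false

# Assign the policy to a mailbox (placeholder identity) so that devices syncing
# that mailbox must comply before mail is delivered to them.
Set-CASMailbox -Identity 'user@example.edu' -ActiveSyncMailboxPolicy $policyName

# Verify the effective values rather than trusting the command succeeded silently.
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Format-List Name, PasswordEnabled, AllowSimplePassword, MaxPasswordFailedAttempts,
                MinPasswordLength, MaxInactivityTimeLock
```

Devices that cannot satisfy the policy (for example, models whose alternative login options are not reported to ActiveSync) are blocked from syncing until they comply, which is the enforcement mechanism the policy text relies on.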
VII. Privileged Access Policy
A. Background
Privileged access, commonly referred to as administrator, system admin, superuser, or root access, grants an individual elevated permission to the devices they manage or support. Allowing privileged access to a system or device is standard practice. Privileged access users have access to servers, networking devices, user accounts and data, personnel data, and desktop operating systems.
B. Objective
This policy informs privileged users at all levels of the essential responsibilities and obligations that coincide with this access level.
C. Policy
- Only individuals with specific job role needs and authorization are granted privileged user access.
- If methods other than using privileged access will accomplish an action, those other methods must be used unless the burden of time or other resources required clearly justifies using privileged access, or prior approval has been obtained from the appropriate director or above.
- Privileged access users will have two user IDs: one for normal day-to-day activities and one for performing administrative functions.
- Users with privileged access may only use their elevated access accounts for job functions which require this access level.
- Privileged access users may not use their elevated accounts to gain access to unauthorized servers, networking devices, business systems/application administration, or desktop operating systems for unauthorized viewing, modification, copying, or destruction of system or user data.
- Privileged access accounts shall not have VPN access into the environment.
- Privileged access accounts shall not have email accounts associated with them.
- Privileged access may be used to grant, change, or deny resources, access, or privilege to another individual only for authorized account management activities.
Privileged users found in violation of the policy, procedures, and responsibilities stated within this policy will be reported to the appropriate director, and disciplinary actions will be taken up to and including termination of employment and legal reparations.
D. Expressly Prohibited Behavior
- Sharing of privileged user access or privileges with any unauthorized individual.
- Any attempts to "hack" any of the university's (networked or non-networked) devices.
- Attempts to gain access to data that your specific job duties do not specifically authorize, including e-mail and user data.
- Use of privileged access for non-university business.
- Introduction of any software or hardware to production systems that has not been approved through the change management process or received IT director approval.
- Disclosure, without prior authorization, of any personally identifying information (PII) that is accessed or learned of as a result of any task or activity that required privileged access.
- Disclosure, without prior authorization, of any sensitive, classified, or compartmented data that is accessed or learned of as a result of any task or activity that required privileged access.
- Accessing computing or networking devices that may have been left unlocked and unattended.
- Circumventing application security through investigation to discover any unremoved default accounts and passwords.
- Any unauthorized modification to servers, networking devices, business systems/application administration, or desktop operating systems in the production environment.
- Accessing employees' devices without prior permission or notification.
- Using elevated permissions inside particular applications for purposes other than specific job duties. Examples include, but are not limited to:
  - Student Personal and/or Educational Records
  - Voice or Screen Recordings
  - Data Libraries
  - Virtual Meeting Recordings
E. Procedures and Responsibilities
- Privileged access may be granted to individuals with the appropriate area director's approval.
- The appropriate privileged users are responsible for creating and documenting any new privileged access accounts.
- Privileged access will not be granted to any positional or generic user identifiers. Examples include:
- Users with privileged access will use a different password than their day-to-day user account.
- Privileged access accounts have a more complex password requirement and must be changed more frequently.
- Privileged users will submit to any additional internal investigations and monitoring of elevated privilege activities as required to ensure the integrity of this access level. This includes random monitoring or auditing of elevated access activities.
- Privileged access users have a responsibility to protect the confidentiality of any information they encounter while performing their tasks.
- Privileged access users are responsible for complying with all applicable laws, regulations, policies, and procedures.
- Privileged access users must always be aware that these privileges place them in a position of considerable trust. Users must not breach that trust by misusing privileges or failing to maintain a high professional standard.
- IT Directors are responsible for maintaining a list of all privileged users and supplying this list at random intervals to the [Collegis Security Team] for compliance audits.
- Any modifications, including updates, additions, or deletions of privileged access accounts, must be authorized by the appropriate IT director prior to the change.
- Reporting all security or suspected security policy breaches to the [Collegis Security Team] at abuse@francis.edu.
VIII. KEYWORDS AND DEFINITIONS (in alphabetical order)
IX. RELATED POLICIES, FORMS AND RESOURCES
A. Related Policies
N/A
X. Policy Revision History