Franklin & Marshall College, like all colleges and universities, is responsible for maintaining the integrity of a wealth of personal, sensitive, and confidential information collected during the course of normal business operations. Financial, medical, and academic records include details such as social security numbers, bank accounts, and credit card numbers -- details which are protected by federal and state laws, industry regulations, and contractual obligations. The exposure of such sensitive information could cause irreparable harm to the College or individual members of this community. Therefore, it is imperative that all members of the College community work to diligently protect information to which they are granted access.
This information security policy is not intended to impede the fundamental teaching or research missions of the College; rather, we aim to balance information security with community members’ needs to conduct their work. Should any aspects of the information security policy obstruct teaching, learning, academic freedom, or research endeavors, appropriate provisions will be made to allow these essential functions to proceed in a secure manner.
The Franklin & Marshall College (F&M) Information Security Policy provides the College’s senior staff, College Information Technology Committee (CITC), Chief Information Officer (CIO), and Chief Information Security Officer (CISO) with direction and support, establishes an implementation framework for security, and ensures compliance of information security within F&M. At their discretion, the College Information Technology Committee reserves the right to modify this policy at any point in time. Currently, the following policies comprise the Information Security Policy:
- Acceptable Use Policy and User Agreement
- Access Control Policy
- Information Security Policy
- Information Security Policy for Mobile and Remote Devices
- Password Policy
- Privileged Account Management Policy
This policy applies to all members of the F&M community, which includes but is not limited to employees, students, alumni, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as “users”), who have access to, support, administer, manage, or maintain F&M information assets. “Information assets” are defined as the computers, communications facilities, networks, data, and information that may be stored, processed, retrieved or transmitted by them, including programs, specifications, and procedures for their operation, use and maintenance.
The College Information Technology Committee will review this policy on an annual basis. All revisions will be presented to the Chief Information Officer (CIO) for approval.
The Information Security Policy provides a framework for defining the technological and procedural controls necessary to ensure the confidentiality, integrity, and availability of College data and information systems. The College’s Senior Staff has approved and endorsed this Information Security Policy. The Chief Information Officer (CIO) and Chief Information Security Officer (CISO) are responsible for the development, maintenance, and enforcement of the Information Security Policy.
This policy defines the procedures that will be followed by College personnel to identify any exceptions to policies that must occur in order to successfully complete College operations. It outlines the documentation that must be completed as well as the approvals that must occur before the exception to policy will be allowed.
Exceptions to Policy Statement
In instances where there is a justifiable need to perform actions that are in conflict with F&M policy standards, management will consider providing a waiver for these exceptions. In almost all cases, alternative methods which do not conflict with policy can be deployed to solve any given business need. Only when such options have been exhausted will an exception be considered. F&M recognizes, however, that policies cannot be created and enforced which address 100% of all community issues. Exceptions are designed to facilitate new F&M needs, or to address areas where technological changes are not addressed by current policies. However, it is the responsibility of management to understand and mitigate risks.
Any exceptions will be documented and will be reviewed on a periodic basis as appropriate for the level of risk to the College presented by the exception and the amount of operational oversight and technical configurations necessary to enable and manage the exception.
Requests for exceptions to policies must have a justifiable reason documented and must have the necessary approvals to be considered valid. Exceptions must be approved and signed by the Data Steward and/or Data Owner, the Chief Information Security Officer, and the Chief Information Officer. Once approved, exceptions to policy will be valid for a period of no more than one year at which time the exception must be re-evaluated and re-approved.
Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer
Last Reviewed: August 27, 2020