The policy governing the use, protection, and preservation of computer-based information at the University.
The procedure applying to all IS&T-managed systems that describes the request and approval process for obtaining privileges for a user account, an administrative account, a role-based account, or access to a service or process account.
From the Office of the Executive Vice President, this program describes specific steps members of the University community should take to safeguard personal information. See the Personal Information Protection page for more information.
Policy detailing acceptable access to IS&T data centers, systems, and other services that may be used to store or process controlled information.
Policy for using the BU version of Google Drive to ensure secure storage of confidential information, including FERPA Data
Policy for using the BU version of OneDrive to ensure secure storage of confidential information, including FERPA and HIPPA Data
Data Protection Standards
The standards for data protection include the six documents below. They were created with the input and approval of the Information Security and Business Continuity Governance Committee and are intended to help the University more easily meet the legal, regulatory and best practice requirements that apply to our environment.
Defines and describes the categories under which University Data can be classified: Public, Internal, Confidential, Restricted Use.
Defines the roles for managing data—Data Trustee, Departmental Security Administrators, Data Custodian—and the responsibilities of each. Also provides a list of types of data and the offices that act as trustees or owners of that data.
Defines how access to systems and applications is to be managed. Includes standards for the use, configuration, and care of: passwords, two-factor authentication, single sign-on and shared accounts.
Defines the requirements for protecting information based on the classification of the information. Standards are provided for the collection, storage, access, transmission, and destruction of the information as well as for auditing and incident handling functions.
Provides standards of security for electronic devices. Computers, laptops, tablets, ipads, smartphones, cloud services, etc. may all be used to store and access information. The level of security required of these devices is based on the level of sensitivity of the information that they may be used to access.
Defines responsibilities for education, compliance and remediation activities that may be required by the data protection standards and provides the authority to conduct such activities.