Information Security Policy

The policy governing the use, protection, and preservation of computer-based information at the University.

Account Maintenance and Security Procedure

The procedure applying to all IS&T-managed systems that describes the request and approval process for obtaining privileges for a user account, an administrative account, a role-based account, or access to a service or process account.

Personal Information Protection Program

From the Office of the Executive Vice President, this program describes specific steps members of the University community should take to safeguard personal information.  See the Personal Information Protection page for more information.

Secure Data Center Access Policy

Policy detailing acceptable access to IS&T data centers, systems, and other services that may be used to store or process controlled information.

BU Google Drive Security Guide for FERPA Policy

Policy for using the BU version of Google Drive to ensure secure storage of confidential information, including FERPA Data.

Social Media Guidelines

Data Protection Standards

The standards for data protection include the six documents below.  They were created with the input and approval of the Information Security and Business Continuity Governance Committee and are intended to help the University more easily meet the legal, regulatory and best practice requirements that apply to our environment.

  • Data Classification Guide

    Defines and describes the categories under which University Data can be classified: Public, Internal, Confidential, Restricted Use.

  • Data Management Guide

    Defines the roles for managing data—Data Trustee, Departmental Security Administrators, Data Custodian—and the responsibilities of each. Also provides a list of types of data and the offices that act as trustees or owners of that data.

  • Access Management and Authentication Requirements

    Defines how access to systems and applications is to be managed. Includes standards for the use, configuration, and care of: passwords, two-factor authentication, single sign-on and shared accounts.

  • Data Protection Requirements

    Defines the requirements for protecting information based on the classification of the information. Standards are provided for the collection, storage, access, transmission, and destruction of the information as well as for auditing and incident handling functions.

  • Minimum Security Standards

    Provides standards of security for electronic devices. Computers, laptops, tablets, iPads, smartphones, cloud services, etc. may all be used to store and access information. The level of security required of these devices is based on the level of sensitivity of the information that they may be used to access.

  • Education, Compliance and Remediation

    Defines responsibilities for education, compliance and remediation activities that may be required by the data protection standards and provides the authority to conduct such activities.