920 Information Security

Approved by President
Effective Date: June 5, 2017
Responsible Division: Information Technology
Responsible Office: Information Technology
Responsible Officer: Vice President for Information Technology

I. Purpose

This policy ensures the confidentiality, integrity, availability, and regulatory compliance of Middle Tennessee State University’s (MTSU or University) information assets. This policy pertains to all University information assets, whether the assets are individually or departmentally controlled; enterprise managed; stand-alone; and/or stored via electronic, paper, or other media. The policy reflects MTSU’s commitment to stewardship of sensitive personal information and critical business information, in acknowledgement of the many threats to information security and the importance of protecting the privacy of University constituents, safeguarding vital business information, and fulfilling legal obligations. It is MTSU’s intent to protect the personal information of its students, staff, faculty, alumni, and other individuals associated with the University from unauthorized access or disclosure and possible misuse or abuse.

This policy establishes awareness and provides guidance on the proper handling of personally identifiable information (PII) including individual social security numbers (SSN) maintained by or on behalf of MTSU. MTSU has implemented this policy to reduce the risk of exposure when PII is used as a primary identifier at the University and in other valid business applications and to ensure that all PII is handled consistently throughout the University. Personally identifiable information may not be captured, retained, communicated, transmitted, displayed, or printed, in whole or in part, except where required by law, and/or in accordance with the standards outlined in this policy. For example, because MTSU is a public institution, some PII may be subject to disclosure pursuant to the Tennessee Public Records Act, T.C.A. § 10-7-101 et seq. In addition, the University may disclose information to third parties, when such disclosure is required or permitted by law.

The information assets of the University, including the network, hardware, software, facilities, infrastructure, hard-copy documents and any other such assets must be available to support the teaching, learning, research, and administrative roles for which they are created. The University strives to employ appropriate physical and technical safeguards without creating unjustified obstacles to the conduct of the business and research of the University and the provision of services to its many constituencies in compliance with applicable state and federal laws. As a result, the University requires all employees to complete Information Security training annually to educate University employees on the safeguards and procedures available to protect the University’s information assets.

This policy serves as a companion to Policy 910 Information Technology Resources.

II. Policy Development and Maintenance

This policy was drafted by the Information Security Task Force, and shall be reviewed by the Chief Information Security Officer (CISO) at least every three (3) years. Revisions shall be forwarded to the Vice President for Information Technology and CIO for further review.

III. Scope

MTSU maintains records to carry out its educational mission. Federal and state laws and regulations govern access to these records. This policy and rel