Ҹ

Skip Navigation

UMGC Policy X-1.13 Employee IT Security

Policy CategoryPolicy OwnerVersion Effective DateReview CyclePolicy Contact
X. Information Governance, Security & TechnologyChief Transformation OfficerAug. 29, 2023Every 4 yearsUMGC Information Security
  1. Purpose
    The purpose of this policy is to establish information security standards for the Employee IT Security processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.
  2. Scope and Applicability
    This policy applies to all University Information Systems and Information Technology Resources. Human Resources and Information System Stewards are responsible for adhering to this policy.
  3. Definitions
    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
  4. Employee IT Security
    Human Resources, Information System Stewards, or their designee must comply with applicable University Employee screening policy(ies) to ensure that any Users who will have access to University Information Systems that contains Controlled Unclassified Information (CUI) are adequately vetted before access is granted.
    1. All individuals must be screened prior to authorizing access to University Information Systems containing CUI.
    2. University Information Systems containing CUI must be protected during and after employment actions such as terminations and transfers. Information System Stewards, or other appropriate University Employee, should confirm that when a user leaves:
      1. All University IT equipment (e.g., laptops, cell phones, storage devices) is returned,
      2. All User identification/access cards and/or keys are returned, and
      3. A written notification is provided to remind the User of their obligations to not discuss CUI, even after employment.
    3. Individuals must comply with the Account Management, Media Protection, and Physical Security of Information Technology policies (linked below in Section VIII) when Employees transfer or are terminated. Please refer to the Information Governance policy listing to review the most recent versions of these policies.
  5. Exceptions
    Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.
  6. Enforcement
    1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
    2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
  7. Standards Referenced
    1. USM IT Security Standards, v.5, dated July 2022
    2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
    3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021
  8. Related Policies
    1. UMGC Policy X-1.02 Data Classification
    2. UMGC Policy X-1.04 Information Security
    3. UMGC Policy X-1.10 Identify and Access Management
    4. UMGC Policy X-1.14 Media Protection
    5. UMGC Policy X-1.19A Account Management (UMGC Learner Community)
    6. UMGC Policy X-1.19B Account Management (UMGC Workforce)
  9. Effective Date: This policy is effective as of the Version Effective Date set forth above.