IV. Confidentiality and Security of Electronic Information

    The University strives to maximize the confidentiality and security of its information systems and services within the limitations of available resources. As with paper-based systems, no technology can be guaranteed to be 100% secure. All users should be aware of this fact and should not have an expectation of total privacy regarding information that is created, stored, sent or received on any networked system. The most important first line of defense in information security is the password, and for that reason the University username and password must be rigorously protected as described above. Institutional custodians of private information should also exercise prudence, using secure technologies when appropriate and feasible.

    The Internet environment offers tremendous opportunities to provide convenient access to University information and services to authorized individuals wherever they may be. Users who serve as custodians of institutional information should be particularly aware of the potential for unauthorized access to or tampering with on-line information and services in the Internet environment. Techniques such as encryption, secure web servers, or access restrictions based on specific criteria may be appropriate, depending on the balance between access and security applicable to any specific application or service. Technology administrators are responsible for providing reasonable measures of protection for the underlying technology systems and infrastructure they manage. Risk assessment and risk management strategies, however, are the responsibility of the functional custodians of specific information and services, in consultation with technology managers, who should describe the specific technical safeguards in place.