Summary of responsibilities
Introduction
Princeton University possesses information that is sensitive and valuable, e.g., personally identifiable information, financial data, building plans, research, and other information considered sensitive. Some information is protected by federal and state laws or contractual obligations that prohibit its unauthorized use or disclosure. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or members of the University community, and could also subject the University to fines or other government sanctions. Additionally, if University information were tampered with or made unavailable, it could impair the University's ability to do business. The University therefore requires all employees to diligently protect information as appropriate for its sensitivity level.
For University employees, failure to comply could result in termination.
Responsibilities
All Employees and Contractors
- You may only access information needed to perform your legitimate duties as a University employee and only when authorized by the appropriate Information Guardian or designee.
- You are expected to ascertain and understand the sensitivity level of information to which you have access through training, other resources or by consultation with your manager or the Information Guardian.
- You may not in any way divulge, copy, release, sell, loan, alter or destroy any information except as authorized by the Information Guardian within the scope of your professional activities.
- You must understand and comply with the University's requirements related to personally identifiable information (PII).
- You must adhere to the University's requirements for protecting any computer used to conduct University business, regardless of the sensitivity level of the information held on that system.
- You must protect the confidentiality, integrity and availability of the University's information as appropriate for the information's sensitivity level, wherever the information is located, e.g., held on physical documents, stored on computer media, communicated over voice or data networks, exchanged in conversation, etc.
- Information deemed Confidential or Highly Confidential under this policy must be handled in accordance with the University's requirements for protecting Confidential and Highly Confidential information.
- You must safeguard any physical key, ID card or computer/network account that allows you to access University information. This includes creating difficult-to-guess computer passwords.
- You must destroy or render unusable any confidential or highly confidential information contained in any physical document (e.g., memos, reports, microfilm, microfiche) or any electronic, magnetic or optical storage medium (e.g., USB key, CD, hard disk, magnetic tape, diskette) before it is discarded.
- You must report any activities that you suspect may compromise sensitive information to your supervisor or to the University IT Security Officer.
- Your obligation to protect sensitive information continues after you leave the University.
- While many federal and state laws create exceptions allowing for the disclosure of confidential information in order to comply with investigative subpoenas, court orders and other compulsory requests from law enforcement agencies, anyone who receives such compulsory requests should contact the Office of the General Counsel before taking any action.
- If you are performing work in an office that handles information subject to specific security regulations, you will be required to acknowledge that you have read, understand and agree to comply with the terms of this policy annually.
Managers and Supervisors
In addition to complying with the requirements listed above for all employees and contractors, managers and supervisors must:
- Ensure that departmental procedures support the objectives of confidentiality, integrity and availability defined by the Information Guardians and designees, and that those procedures are followed.
- Ensure that restrictions are effectively communicated to those who use, administer, capture, store, process or transfer the information in any form, physical or electronic.
- Ensure that each staff member understands his or her information security-related responsibilities.
Technology Managers
In addition to complying with the policy requirements defined for all employees and contractors, and managers and supervisors, those who manage computing and network environments that capture, store, process and/or transmit University information, are responsible for ensuring that the requirements for confidentiality, integrity and availability as defined by the appropriate Information Guardian are being satisfied within their environments. This includes:
- Understanding the sensitivity level of the information that will be captured by, stored within, processed by, and/or transmitted through their technologies.
- Developing, implementing, operating and maintaining a secure technology environment that includes:
  - A cohesive architectural policy,
  - Product implementation and configuration standards,
  - Procedures and guidelines for administering network and system accounts and access privileges in a manner that satisfies the security requirements defined by the Information Guardians, and
  - An effective strategy for protecting information against generic threats posed by computer hackers that adheres to industry-accepted "best practices" for the technology.
- Ensuring that staff members understand the sensitivity levels of the data being handled and the measures used to secure it.
Information Guardians
In addition to complying with the requirements listed above, Information Guardians are responsible for:
- Working with the University IT Security Officer and the Office of the General Counsel to understand the restrictions on the access and use of information as defined by federal and state laws and contractual obligations.
- Segregating the information for which he or she is responsible into logical groupings, called information collections.
- Defining the confidentiality, integrity and availability requirements (sensitivity level) for each of his or her information collections.
- Conveying in writing the sensitivity level of each information collection for which he or she is responsible to the managers of departments that will have access to the collection.
- Working with department managers to determine what users, groups, roles or job functions will be authorized to access the information collection and in what manner (e.g., who can view the information, who can update the information).
