UNM Policy Office
Administrative Policies and Procedures Manual - Policy 2550: Information Security

Date Originally Issued: 06-01-2008
Revised: 01-04-2018, 07-01-2024

Authorized by RPM 3.1 ("Responsibilities of the President")

Process Owner: Chief Information Officer

1. General

The University is committed to protecting and safeguarding all data and information that it creates, collects, generates, stores, and/or shares during the generation and transmission of knowledge as well as during the general operation and administration of the University. The University is also committed to complying with all federal and state laws pertaining to securing this data and the associated information systems, and preventing disclosure to unauthorized individuals. These laws include, but are not limited to, 32 CFR Part 2002, also known as the Controlled Unclassified Information (CUI) implementing directive, and the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA). In 2003, the Federal Trade Commission (FTC) confirmed that higher education institutions are considered financial institutions under this federal law and promulgated the GLBA Safeguards Rule, 16 CFR Part 314, which requires higher education institutions to have an information security program to protect the confidentiality and integrity of personal information. In December 2021, the FTC updated the GLBA Safeguards Rule ("Rule") to clarify the required safeguards for applicable GLBA information and systems. This policy describes the basic components of the UNM Information Security Program, which applies to students, staff, faculty, contractors, vendors, volunteers, and all other individuals who work with UNM data and information.

In accordance with New Mexico law, some employee information is considered public information; however, such information must still be protected from inadvertent destruction or unauthorized changes. Refer to UAP 3710 ("Personal Information Disclosure Policy") for additional information.

2. UNM Information Security Program

The UNM Information Security Program is designed to protect the confidentiality, integrity, and availability of protected information; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of protected information that could result in substantial harm to any student, parent, employee, or customer of the University. This program includes the process for identification of risks and defines responsibilities for safeguarding information, monitoring the effectiveness of the safeguards, evaluating service providers, and updating the program itself. The UNM Information Security Program is published on the Information Security & Privacy Office website.

2.1. Protected Information

The GLBA Safeguards Rule mandates that the UNM Information Security Program be designed to safeguard non-public, personally identifiable financial information that

  • is provided to the University,
  • results from any transaction with the consumer or any service performed for the consumer (i.e., students, faculty, staff, employees, associates, donors, patients), or
  • is otherwise obtained by the University.

The UNM Information Security Program defines which specific data elements, information, and systems (and in what context) constitute non-public, personally identifiable financial information and systems that must be protected. These include, but are not limited to:

  • social security numbers
  • student financial aid information
  • credit card numbers
  • bank routing and account numbers

2.2. Information Security and Privacy Officer (Qualified Individual)

Under the authority of the Chief Information Officer (CIO), the University Information Security and Privacy Officer (ISPO) is designated as the Qualified Individual, as defined in the updated Rule, to oversee the Information Security Program. This position is responsible for:

  • developing and implementing the UNM Information Security Program;
  • identification of risks to confidentiality, integrity, and availability of protected information;
  • advising on the design and implementation of appropriate safeguards;
  • periodically evaluating the effectiveness of the UNM Information Security Program; and
  • updating the Program to help ensure that reasonably foreseeable risks and threats are appropriately addressed.

2.3. Funding of Information Assurance Measures

The ISPO will work with the CIO and with data owners, deans, directors, and heads of departments that have access to protected information and systems to identify funding sources, opportunities for economies of scale, and creative means to safeguard UNM data and systems. However, neither the CIO nor the ISPO is solely responsible for the funding and implementation of appropriate safeguards; it is a University-wide responsibility and effort that will only be realized through shared governance, shared responsibility, and common goals.

2.4. Risk Assessment

The UNM Information Security Program will include processes and procedures to assess the risk to the University's information and systems. These include all of the hardware and software components of the computing infrastructure as well as individual personal computers, personal digital assistants, phones, servers, networks, and peripheral technologies used for the processing, storage, transmission, retrieval, and disposal of information. Risks to the University's information systems extend beyond computer-related hardware and software to include, for example, personnel background checks and other hiring procedures; data handling procedures; training for individuals who have access to information systems and the data therein; and the buildings and equipment that contain and physically safeguard any aspect of an information system, including the transmission of protected information.

2.5. Employee Management and Training

The success of the Information Security Program depends largely on the employees who implement it. The ISPO will coordinate with UNM Data Stewards, as defined in UAP 2580, as well as with deans, directors, and heads of departments that have access to protected information to evaluate the effectiveness of departmental procedures and practices relating to access to and use of protected information. The UNM Information Security Program details recommended administrative safeguards designed to train all personnel, increase awareness, and reduce risks to the confidentiality, integrity, and availability of protected information. In addition, management must conduct periodic reviews of access to data and systems to help ensure that the access is still strictly necessary to perform work duties. Other personnel-management-related program activities include, but are not limited to:

  • mandatory information assurance training;
  • periodic audits to ensure individuals have only the appropriate level of information system access rights and permissions required to perform their jobs;
  • periodic reviews of job descriptions and position requirements to ensure the appropriate levels of reference and background checks are conducted before hiring decisions are made;
  • non-disclosure and confidentiality statements required when appropriate; and
  • periodic evaluations of each individual's understanding of the institution, college, and/or departmental data handling procedures.

2.6. Departmental Responsibilities

Deans, directors, and heads of departments that have access to protected information are responsible for informing employees of ongoing updates to security measures, ensuring employees have attended required information security training, and notifying departmental computer system administrators and UNM Information Technologies (UNM IT) when employees no longer require access due to reassignment or termination.

2.7. University-Wide Responsibilities

All suspected and actual breaches of information security must be reported immediately through one of the methods identified on the Information Security & Privacy Office website.

3. Compliance by Service Providers

Service providers and/or contractors who provide IT services that may allow them to access protected information must comply with the GLBA safeguard requirements, the University's Information Security Program, and applicable University policies listed in Section 6, herein, among others. The University Purchasing Department is responsible for reviewing prospective service providers and/or contractors to ensure they have and will maintain reasonable and appropriate safeguards for protected information.

4. Monitoring and Testing

The ISPO will regularly monitor the UNM Information Security Program and periodically test the required and recommended safeguards to help ensure their effectiveness. Based on these assessments, the ISPO will work with all appropriate individuals to implement, correct, or improve safeguards.

The University Internal Audit Department will include as part of its routine audit procedures a review for compliance with the UNM Information Security Program. This review will include an evaluation of the effectiveness of controls, systems, and procedures. Any findings, discrepancies, and/or violations will be reported to the CIO and the ISPO, who will investigate the problem and work with all appropriate individuals to develop a remedy.

5. Evaluation and Adjustment

The ISPO is responsible for periodically adjusting the UNM Information Security Program to ensure that the required and recommended administrative, physical, and technical safeguards are appropriate to the University's size and complexity, the nature and scope of its activities, and the sensitivity of the data and information the University handles.

Related Policies and/or Information

UAP 2000 ("Responsibility and Accountability for University Information and Transactions")

UAP 2040 ("Identity Theft Prevention Program")

UAP 2030 ("Social Security Numbers")

UAP 2500 ("Acceptable Computer Use")

UAP 2520 ("Computer Security Controls and Guidelines")

UAP 2560 ("Information Technology (IT) Governance")

UAP 2580 ("Data Governance")

UAP 3710 ("Personal Information Disclosure Policy")

"Student Records Policy" published in the Pathfinder