Security Policy & Governance
Information Security Office (Policies)
The ASU Information Security Policy establishes the framework for the protection of university assets and information resources from accidental or intentional unauthorized access or damage, while also preserving the open information sharing requirements of its academic culture. It describes how information should be accessed, how resources are permitted to be used, how permissions are delegated, and much more.
Internal Computing Controls
ASU policy mandates that all data on its network be encrypted both in transit, and at rest. This ensures that even if a device gets physically stolen, the information on it is inaccessible to the attacker. The Information Security office is available to assist with implementing and reviewing to ensure this requirement is being met.
Antivirus programs protect ASU by preventing malicious programs from invading the network and causing damage or theft of information. ASU recommended antivirus products can be found below.
Data At Rest
Spirion helps organizations avoid costly data breaches by discovering, classifying, monitoring and protecting personal information, medical records, credit card numbers, and intellectual property stored across the enterprise, within e-mail and in the cloud.
Is the process of keeping all the software on all systems on the network up to date. ASU policy mandates that every personal device, device that connects to the network, operates on behalf of ASU, or utilizes ASU services (including ASU owned entities), must be patched with vendor provided security patches.
Helps keep the network secure, by managing the entire thing from a central few servers and administrators. This makes it easy to obtain the status of the entire network, so that in the event of an attack, swift action may be taken against it. At ASU, this is done by the Information Security Office.
In some circumstances, especially specific to research computing, higher-end systems might be required. The school’s information technology team will work with researchers to provide recommendations for high-end systems that might require increased CPU speed, additional memory, additional storage, and GPU compute capabilities.
More details specific to the Fulton Schools process can be found on the FSE Computer Standards page.
Technology Control Plans
ASU Has a thorough, and detailed action plan to control and maintain security integrity for devices on its network that includes:
- Running routine scans on systems
- Documenting the purpose of each device on the network
- Identifying and Responding to security risks
- and more…
The full documentation can be found at the Vulnerability Management Security Standard.
The General Data Protection Regulation (GDPR) is a privacy law implemented and enforced by all countries in the European union (and Switzerland). The primary goal of this law is to give people the right to control their personal data and how it’s used. Full ASU GDPR documentation may be found at the link below.
Data Handling Matrix
The Data Handling Matrix provides a central location for all of the private information that ASU stores to be managed. Each row represents a store of information, and each column represents a standard that it must be upheld to.This helps keep everything organized, so that it may be upheld to regulatory standards.
Data Handling Standards – Information Classification
ASU handles data on a 4 level standard:
- Highly Sensitive
Depending on which level of sensitivity the data is on, different sets of actions will be taken to ensure that the information gets allocated the appropriate level of security. The specifics on how each level of information is protected is described at length in the document below.