The Information Security Office oversees activities to identify, detect, protect, respond to and recover from adverse information security events that might affect the University or its employees.

Under the direction of the Chief Information Security Officer, the Information Security Office applies technologies and practices to mitigate and manage risks to University information and information systems. The office promotes, plans for, and guides the safe use of information and information technology, as it integrates into every aspect of the University of Maine System mission.

The office builds awareness of cyber threats, appropriate behavior, and tools and practices in protecting our information assets.

Faculty, staff and students can find information and guidance by visiting the Information Security section of the IT Knowledge Base. 

[Back to Top]


The Information Security Office provides security  awareness and training to University employees.  

  • Annual awareness training is provided through the compliance track of the UMS Academy, which is available through the my campus portal.
  • Role-based or auxiliary trainings are provided on an as needed basis.
  • Articles, notices and security reminders are sent via Information Security Newsletters, Information Security Alert messages, the UMS:IT Newsletter and other forms and campaigns.

[Back to Top]

Policy, Standards & Guidance

The objective of the information security policy is for the Board of Trustees to convey their direction for the appropriate use and protection of UMS information assets and to specify the requirements for protecting those assets.

Auxiliary Standards and guidance support the Policy, and explain and specify a required level of attainment. 

Policy & Standards:

Information Security Policy (Sect. 901)

Full Version of the Information Security Policy

Information Security Standards 

Administrative Practices Letters:

Acceptable Use of Information and Information Systems (VI-H)

Credit/Debit Card Standards APL (IV-F)

Employee Protection of Data APL (VI-C)

Information Security Incident Response APL (VI-B)

Data Classification APL (VI-I)

Information and Communications Technology Accessibility (VI-G)

Directives & Guidance:

Contract Standards for Safeguarding Information (Rider C) (login required)

FERPA Compliance Guidelines

Permitted and Restricted Systems for Data Storage and Data Processing

Safeguarding FERPA Information when Using Cloud-based Resources in a Course Environment

Other guidance is available in the Information Security section of the IT Knowledge Base.

[Back to Top]

Incident Response

Actual or suspected information security incidents must be reported. Timely reporting is a necessity for effective response and remediation. In many cases, reporting, response, and remediation are required by regulation, statute, contract, or other University obligation. 

Generally, incidents may be reported through your campus Help Desk. For incidents that you deem have a high scope, impact, or sensitivity, you may seek guidance through a trusted manager or the Information Security Office. Full directives and guidance may be found in the Information Security Incident Response Administrative Practice Letter, APL VI-B.   

Phishing is fraudulent attempts to gain access to your credentials, University or personal information, account or financial information, or other information of value. Phishing presents a serious and ongoing threat to the University; and is the primary method by which malicious actors and technology are introduced into our environment. The Information Security Office has created a special reporting mechanism for suspected or actual Phish attacks: you may email  phish@maine.edu

[Back to Top]

Contact Information

Telephone: 207-581-9105 (8am-5pm Monday – Friday)

Email: infosecurity@maine.edu

  • John Forker – Chief Information Security Officer
  • Troy Jordan – Senior Cyber-Security Analyst
  • Ben Grooms – Information Security Analyst
  • Lynne Woods – Information Security Analyst

[Back to Top]