Policy Statement

Purpose: The University of Maine System (“the University”) is committed to protecting all information that is wholly or partially owned by the University or has been entrusted to the University, and that supports the University's missions and operations.

Information, regardless of format or system, has intrinsic value and potential adverse impact if the confidentiality, integrity or availability of such information is compromised.

This Policy describes the nature, scope, meaning of, and requirements for controls required to protect University information.

Scope: This Policy provides University faculty, staff, employees, and anyone who accesses or possesses University information, with security requirements for protecting the confidentiality, integrity, and availability of such information. These requirements include, but are not limited to, those prescribed by authorizing law, regulation, policy, or other obligation.

Security requirements apply to all components of University personnel, information, and information systems.

University institutions or entities may adopt supplemental policy, standards or other guidance, so long as they do not lessen or contradict this Policy.

Roles and Responsibilities: The Board of Trustees of the University of Maine System (“the Board”) is committed to a University-wide Information Security program and security policy to convey direction and requirements for the appropriate use and protection of University information and information systems.

The Board is committed to an Information Security Office, headed by a Chief Information Security Officer (“CISO”), with the purpose of establishing, maintaining, supporting, and enforcing this Policy, and assigning security roles in support of it.

An Information Security Governance Council ensures that this information security policy is implemented effectively and provides oversight to the information security program and alignment with organizational goals. The Information Security Governance Council is comprised of cross-functional members and works collaboratively with the Data Governance Council.

The University Information Security program administers information security in a standards-, risk- and exception-based model. The office ensures continual planning, implementation, review, assessment, monitoring, prioritization, authorization, and improvement of the University information security posture. The University CISO may assign supporting roles as appropriate, to assure and protect the confidentiality, integrity and availability of information and information systems. Examples of such roles may include, as appropriate, and are not limited to:

    • Risk management and assessment
    • Systems and security architecture, design and engineering
    • Disaster recovery and backup integrity
    • Procurement provisions
    • Operational and/or user interest representation
    • Compliance audit
    • Compliance enforcement
    • Safety and security of physical environment(s)

Compliance: All individuals regardless of association, including but not limited to, faculty, staff, students, consultants, contractors, and business partners, who access or possess University information are required to comply with this policy.

The University complies with all applicable regulatory, statutory, contract, or other obligations as they pertain to security and privacy, and throughout the information life cycle.

This policy is consistent with, and derived from, recognized standards and standards organizations, including but not limited to, the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Federal Information Processing Standards (FIPS).

Security Control Provisions

The following provisions apply for the security and protection of all University non-publicly accessible information, and, where applicable, for the protection of the availability and integrity of publicly accessible information.

Information Security Policy Standards are published that specify the required level of attainment of this Policy and the ways in which this Policy will be enforced.

  1. Access Control. The University will manage who may access information, and under what circumstances. Access control authorizes resource usage within or across organizational units, and is based on a need to know information and with only the correct level of privilege necessary to perform University functions. The University will maintain access control in a safe state and such that no permission can be leaked to an unauthorized or uninvited principal.
  2. Awareness and Training. The University will provide security awareness and training to all organizational users to ensure an understanding of information technology security basics and literacy; and address the security knowledge that all employees can reasonably be expected to have in their positions and organizational roles.
  3. Audit and Accountability. The University will ensure sufficient controls to provide auditable evidence for system transactions; that key records are available for a sufficient amount of time; and that in the event of system incidents, records are available to identify, investigate, recover data, and roll back changes.
  4. Configuration Management. The University will perform activities to establish and maintain the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the information and information systems life cycles.
  5. Identification and Authentication. The University will ensure that only identified and authorized users and processes interact with information and information systems; and that identification and authentication are a prerequisite to accessing sensitive information and systems.
  6. Incident Response. The University will identify, detect, investigate, respond to, report, and recover from security incidents and violations of security policies and practices.
  7. Maintenance. The University will maintain systems and infrastructure to ensure operational functionality, mitigate risks of unauthorized access or changes to information systems, and mitigate risks of failure to perform information system updates.
  8. Media Protection. The University will maintain information in a manner that protects its security and integrity, while making it available for authorized use. Security measures are implemented commensurate with the risk to individuals or to the University from unauthorized receipt, use, processing, storing, disclosure, modification or destruction.
  9. Personnel Security. The University will ensure that personnel are adequately vetted for the performance of assigned roles that require access to sensitive information, and that information and information systems are protected during personnel actions such as separation and transfers.
  10. Physical Protection. The University will physically protect tangible and intangible assets. Physical security may include, but is not limited to, securing and monitoring entrances, exits, and physical spaces containing or processing sensitive information and systems; and protecting network, systems and support infrastructure.
  11. Risk Assessment. The University will assess risk to information and information systems, including threats and vulnerabilities, the likelihood of compromise, and the impact on operations and assets.
  12. Security Assessment. The University will assess security controls and safeguards as part of information and systems life cycles. Security assessments will evaluate adequacy of controls and safeguards, and ensure they are operating as intended.
  13. System and Communications Protection. The University will apply security engineering principles to monitor, control and protect systems and communications at external boundaries and key internal boundaries; to prevent unauthorized and unintended information transfer; and to ensure security in systems and systems design.
  14. System and Information Integrity. The University will monitor and ensure the application of security, configuration, and error handling in its information systems.

Last Revised: 6/30/2021
Last Reviewed: 6/20/2023