Access Management
Only authorized users shall have physical, electronic, or other access to Western Michigan University's data resources. Access shall be limited to users with a business need to know, and limited to the requirements of their job function.
Applicable Policies
Awareness Training
Western Michigan University students, faculty, staff, temporary employees, and when appropriate, contractors and third-party users shall receive information security awareness training with regular updates on policies, rules, and procedures, as relevant for their role at the University.
Training programs are in development and are anticipated to be made available soon. These programs will be both presentation-based and interactive. Contact your department's IT professional/LAN manager for additional information on security practices and procedures within your unit.
Applicable Policies
Backup and Recovery
Information technology resource administrators shall conduct backups of user-level, application-level, and system-level information commensurate with the assessed level of risk and protect backup information at the storage location. Measures to protect backup media shall be commensurate with the importance and sensitivity of the data and should include physically secured off-site copies as appropriate.
Applicable Policies
Change Management
Units (colleges, departments, schools, etc.) responsible for information resources will ensure they have and follow approved change management procedures that include a security review.
See also:
- PeopleSoft—contact your functional security administrator for more information
- Student systems integration team
Applicable Policies
Data Management
Western Michigan University takes measures to protect confidential information that is stored, processed, or transmitted using its computing resources.
Applicable Policies
Disaster Recovery
Western Michigan University shall have, and periodically review, test, and update, a formal, documented disaster recovery plan.
Exceptions
Exceptions to the information security program and any related policies or procedures may be made where costs greatly exceed the risk of non-compliance.
Exception requests are reviewed and analyzed by the Campus Information Security Committee. Exceptions that have been approved will be documented.
Incident Management
Western Michigan University shall have, and periodically review, test, and update, a documented incident response plan that addresses scope, roles, responsibilities, management commitment and coordination among University entities. All students, faculty and staff shall be made aware of the procedures for reporting incidents.
Applicable Policies
- Information security incident response policy
- Information security incident response team
- Lost or stolen devices
Network Security
Access to internal and external networked services shall be controlled, restricted, and protected commensurate with the assessed level of risk. The security of network services shall be maintained by ensuring that appropriate controls are in place and that appropriate authentication mechanisms are applied.
Applicable Policies
- Anti-virus policy
- Data, video, and voice networks policy
- Server registration policy
- Wireless Western guidelines
- WMU Network Acceptable Use Policy
Physical and Environmental Security
All units shall physically protect their computing resources. Locks, cameras, alarms, redundant power systems, fire detection and suppression systems and other safeguards, as appropriate, shall be installed to discourage and respond to unauthorized access.
Applicable Policies
Remote Access
Employees who use computing resources or devices to access, create, receive, or transmit University data are responsible for protecting that information. Appropriate procedures regarding confidentiality and privacy of information should be followed at all times, regardless of location, on or off campus.
Applicable Policies
Roles and Responsibilities
The security administrator for Western Michigan University is Robert Johnson in the Office of Information Technology.
The information security incident response team is led by James Gilchrist, Chief Information Officer, and responds to incidents of information security breaches.
All employees of Western Michigan University are responsible for knowing and adhering to best practices of information security.
Applicable Policies
- Data security responsibilities
- Information security incident response policy
- Information security incident response team
- Lost or stolen devices
Vendor and Business Services Agreement
Western Michigan University may permit vendors, or other third parties, to create, receive, maintain, or transmit confidential University data when assurances are obtained that the vendor will sufficiently safeguard the information. Departments or individuals using University funds to purchase products that will utilize University technology resources must adhere to the Information Technology Acquisition Policy and submit a product review request to the Office of Information Technology to ensure that the product will work within the University's computing and network architecture.
Applicable Policies
- Cloud computing
- E-Commerce
- Payment card industry data security
- Information technology acquisition policy
- Technology Compliance Review
Violations
Incidents of non-compliance must be reported to the Security Office, which will work with appropriate authorities to resolve the issue. Western Michigan University reserves the right to revoke access to University information resources for anyone who violates information security policies. In addition, violations of policies may result in disciplinary action in accordance with University policy.
The Security Office may be reached by email at oit-security@wmich.edu or by telephone at (269) 387-5430.