M-F 8:30 a.m. - 5 p.m.
Information Security Program - USC
Policies | Provisions | Procedure Development
University Procedures and Guidelines | Implementation Guides
Incident Response | Data Standards
Establishing an Information Security Plan for your unit:
Establishing Data Access/Security Standards:
Information Security is the job of all members of the University community. Many of us handle sensitive data routinely, and all of us use University resources, so we should all understand the associated risks to the confidentiality, integrity, and availability of these data and resources. Establishing and following security-conscious procedures is critical to reduce these risks.
This website describes the University's "Information Security Program," as authorized by University Policy IT 3.00. This Program is the collection of actions, Procedures, and Guidelines to be followed by all members of the University community, with respect to Information Security, to be consistent with the Policies of the University, the security of the University's IT assets, and the safety of the University community.
Assessment, Enforcement, and Consequences
The University Information Security Office may perform or coordinate the following measures for the purpose of assessing or enforcing compliance with any University policy, standard, or procedure:
Any University information technology assets or personally owned technologies that are found to be configured or used in a manner that is out of compliance with the Information Security Program, or any other University Policy, Standard, or Procedure, may be disconnected from the network. The University Information Security Office may take actions commensurate with the level of risk to University interests, in order to isolate and deny access to the user, data, or information technology asset. Any attempt to interfere with or avoid information security measures, or any attempt to dissuade any person from reporting a suspected case of noncompliance, is prohibited and may be cause for investigation and disciplinary action.
The following abbreviations are used in this website:
What are Policies, Standards, Guidelines, and Procedures?
Policy framework for the University is organized into the following hierarchy:
click here for a detailed illustration
Provisions of University Policy IT 3.00
Policy IT 3.00 defines the University's stance and infrastructure for implementing Information Security. Sections chartering this document, and establishing responsibility and accountability pertaining to it, are paraphrased below.
The full text of University Policy IT 3.00 is available online in .pdf format at this address: http://www.sc.edu/policies/it300.pdf
Provisions of University Policy IT 1.06
Policy IT 1.06 defines acceptable use of the University's IT resources. The sections most relevant to the Information Security Program are paraphrased below.
The full text of University Policy IT 1.06 is available online in .pdf format at this address: http://www.sc.edu/policies/it106.pdf
Provisions of University Policy UNIV 1.50
Policy UNIV 1.50 defines the University's methodology for managing access to its data. The sections most relevant to the Information Security Program are paraphrased below.
The full text of University Policy UNIV 1.50 is available online in .pdf format at this address: http://www.sc.edu/policies/univ150.pdf
Procedure Detail Development
Because of their broad scope, the Procedures below do not contain a high degree of implementation detail. In brief, these are the guidelines for developing procedure details specific to your OU:
Executive Guide - This document describes the executive level process for establishing your Information Security Plan.
Technical Guide - This document describes the technical process for establishing your Information Security Plan.
University Procedures and Guidelines
The Procedure and Guideline documents below are organized by subject matter hierarchy.
UISO 901 Data Security Procedure
This Procedure establishes a framework for information security practices in keeping with University Policy and Data Steward Standards. [revised DD-Mmm-YYYY]
UISO 901.1 Procurement and Contracts Procedure
Describes provisions to include during procurement process and contract negotiation of software and services. [revised DD-Mmm-YYYY]
Describes a process to be integrated with project management and system development, to include provisions for information security. [revised DD-Mmm-YYYY]
UISO 901.2.1 Security Risk Assessment ProcedureUISO 901.3 Sensitive Data Security Procedure
Establishes a process for performing a Security Risk Assessment for projects or systems. [revised DD-Mmm-YYYY]
Describes security best practices for development of data systems and software applications. [revised DD-Mmm-YYYY]
Establishes a process for properly securing sensitive data while in use, and properly disposing at the conclusion of usage, to include auditing its usage and retention. [revised DD-Mmm-YYYY]
UISO 901.3.1 Media Security Procedure
A process for properly securing data storage media while in use, and properly purging or destroying such media before transferring possession, to prevent accidental leakage of sensitive information or violation of licensing terms. [revised DD-Mmm-YYYY]
Recommends in-processing steps for new employees and out-processing steps for terminated/transferred employees, with regard to information security. [revised DD-Mmm-YYYY]
Establishes secure processes for traveling with a computer: preparing for travel, during travel, and following travel. [revised DD-Mmm-YYYY]
Establishes a process for locating sensitive data on data systems and media. [revised DD-Mmm-YYYY]
UISO 901.4.1 Server Security ProcedureUISO 901.5 Logging Practices Procedure
Describes best practices for secure server configuration, usage, and maintenance. [revised DD-Mmm-YYYY]
Describes best practices for secure workstation/desktop/portable computer configuration, usage, and maintenance. [revised DD-Mmm-YYYY]
Describes best practices for secure configuration, usage, and maintenance of mobile devices. [revised DD-Mmm-YYYY]
Describes the initial process to be followed when compromise of a University system is detected [revised 27-Aug-2013]
Describes best practices for logging and review of security-related events. [revised DD-Mmm-YYYY]
Describes best practices for updating any software, including operating systems, applications, and firmware. [revised DD-Mmm-YYYY]
Describes best practices for password complexity, usage, and protection. [revised DD-Mmm-YYYY]
UISO 901.7.1 Data/System Access Agreement Procedure
Describes a process for establishing an agreement with employees, contractors, and vendors, to ensure they are aware of Policies and Procedures. [revised DD-Mmm-YYYY]
Establishes a process for creating an exemption to a Procedure. [revised DD-Mmm-YYYY]
The documents below provide more detail for implementation of information security processes and technologies. University login required.
UISO 902 Incident Response Procedure
The documents below illustrate the University-wide Information Security Incident Response Procedure. Sub-Procedures within the overall process are maintained with the respective organizational units.
Data Access/Security Standards
The documents below comprise the Data Access Requirements and Data Security Requirements, as approved by the Data Administration Advisory Committee (DAAC) to comply with University Policy UNIV 1.50.