Purpose The purpose of this policy is to establish information security standards for the Employee IT Security processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.
Scope and Applicability This policy applies to all University Information Systems and Information Technology Resources. Human Resources and Information System Stewards are responsible for adhering to this policy.
Employee IT Security Human Resources, Information System Stewards, or their designee must comply with applicable University Employee screening policy(ies) to ensure that any Users who will have access to University Information Systems that contains Controlled Unclassified Information (CUI) are adequately vetted before access is granted.
All individuals must be screened prior to authorizing access to University Information Systems containing CUI.
University Information Systems containing CUI must be protected during and after employment actions such as terminations and transfers. Information System Stewards, or other appropriate University Employee, should confirm that when a user leaves:
All University IT equipment (e.g., laptops, cell phones, storage devices) is returned,
All User identification/access cards and/or keys are returned, and
A written notification is provided to remind the User of their obligations to not discuss CUI, even after employment.
Individuals must comply with the Account Management, Media Protection, and Physical Security of Information Technology policies (linked below in Section VIII) when Employees transfer or are terminated. Please refer to the Information Governance policy listing to review the most recent versions of these policies.
Exceptions Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.
Enforcement
Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
Standards Referenced
USM IT Security Standards, v.5, dated July 2022
NIST SP 800-171r2 鈥淧rotecting Controlled Unclassified Information in Nonfederal Systems and Organizations鈥, dated February 2020
Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021