Security Management
Chapter 3432
Created February 14, 2025
Table of Contents
.010 Purpose
.020 Scope
.030 Definitions
.040 Policy
.050 Roles and Responsibilities
.060 Exception Process
.070 Policy Violations
.080 Periodic Review and Policy Updates
.090 Related Regulations and Laws
The University intends to provide secure Information Technology Resources for the benefit of the University community and to protect these computing resources and the data collected, created and used by the university in pursuit of the missions of education, research, and service.
.010 Purpose
The purpose of this Security Management Policy is to provide for the establishment of University Information Security and Privacy Protection Programs and define the roles and responsibilities of members of the University community in supporting a safe and secure computing and technology environment.
.020 Scope
This Policy applies to all users of the University Information Technology Resources. Those covered by this policy include all staff, students, faculty, contractors, vendors, consultants, visitors, temporary workers and employees.
.030 Definitions
For clarity and to ensure a common understanding of terms used in this policy, please refer to the Glossary of Defined Terms which provides detailed definitions for all key concepts and terminology.
.040 Policy
All members of the University community are responsible for protecting the security and privacy of University Information Systems and University Data by reading, understanding and complying with the published University policies. This includes University-wide policies and local policies, standards, and procedures, which may be established by colleges, divisions, offices, departments and other units. Local policies, standards and procedures must align and comply with university policies and must not supersede or negate any provisions of university policies. Failure to comply with university policies may result in the loss of computing privileges, restriction of the ability of devices to connect to or be used on university networks, and other disciplinary measures as defined in University Sanctions and/or Disciplinary Policies and Procedures.
University policies are published and maintained on the K-State Policies website. Information Technology, Security, and Privacy Policies can be found in Section 3400 of the K-State Policies and Procedures Manual.
The Information Security Office is authorized to maintain an organization-wide Information Security Program. It shall implement and maintain policies and standards in order to maintain the confidentiality, integrity, and availability of university technology resources and data. The Information Security Office and Chief Information Security Officer will support the University’s compliance with applicable legal, regulatory, policy and contractual obligations related to the protection of data and will establish and promote effective information security practices.
The Privacy Office is authorized to maintain an organization-wide Privacy Protection Program and shall implement and maintain policies and standards in order to protect the privacy of personally identifiable information (PII) collected, stored, and maintained by the university. The Privacy Office and Chief Privacy Officer will support the university’s compliance with legal, regulatory, and contractual obligations related to the protection of the privacy of personally identifiable information and will establish and promote effective privacy practices.
Information Security Roles and Responsibilities
Chief Information Security Officer
The Chief Information Security Officer (CISO) is responsible for developing the University information security strategy and leading the University Information Security Program. The CISO is responsible for overseeing the Information Security Program, which seeks to secure the information assets, data, and services used to support the University missions from misuse, unauthorized access, data breach and/or disclosure, alteration, and destruction. The CISO will develop, maintain, and oversee the implementation of a comprehensive program, and will provide leadership, direction, and guidance in assessing and evaluating information security threats and risks, and will monitor the University’s compliance with legal, regulatory, contractual, and organizational security standards and policies.
Information Security Office
The Information Security Office, under the leadership and oversight of the Chief Information Security Officer, is responsible for:
- Developing and maintaining University information security policies and for recommending related standards for the protection of university computing resources and data.
- Ensuring that information security policies are disseminated to all University personnel and are comprehensively understood.
- Conducting regular risk assessments to identify, quantify, and prioritize risks to the organization and organizational information assets.
- Developing risk management and mitigation strategies, and ensuring these strategies are implemented and monitored for effectiveness.
- Developing and delivering information security training and awareness programs to ensure that University personnel understand their roles and responsibilities in protecting University information assets.
- Establishing and maintaining an incident response plan and practices to address security incidents and breaches effectively.
- Serving as an expert advisory body to university leadership on all matters related to information security, and providing guidance and consultancy to departments, schools and units on implementing security measures and best practices in their operations.
Chief Privacy Officer - Registrar
The Chief Privacy Officer (CPO) (Registrar) is responsible for ensuring compliance with relevant data protection laws, regulations, standards, and policies and advocates for the protection of the privacy of personal information related to members of the University community. The CPO will develop, maintain, and oversee the implementation of a comprehensive privacy protection program, will provide leadership, direction, and guidance in assessing and evaluating information privacy threats and risks, and will monitor the University’s compliance with legal, regulatory, contractual and organizational privacy standards and policies.
Privacy Office
The University Privacy Office is responsible for:
- Developing and maintaining the University’s data privacy policies and recommending standards for protecting the privacy of personal data related to members of the University community.
- Ensuring that University privacy policies are disseminated to all University personnel and are comprehensively understood.
- Conducting periodic privacy risk assessments and Privacy Impact Assessments (PIAs) to identify threats to the privacy of personally identifiable information collected, stored, and used by the University.
- Developing and delivering privacy training and awareness programs to ensure that University personnel understand their roles and responsibilities for protecting the privacy of data entrusted to the University.
Institutional Data Stewards
Institutional Data Stewards are individuals with the responsibility and authority to ensure that the University’s data is being used, handled, and secured in accordance with university information security and privacy policies, and to assure that the University data under their authority is managed in accordance with relevant internal and external requirements. Institutional Data Stewards recommend policies for management of data over which they have authority and develop and publish standards for data handling that align with and facilitate compliance with university policy. Data Stewards delegate the implementation of these standards to Data Custodians, who in turn develop processes and procedures addressing specific methods of data use and handling.
Colleges, Divisions, Offices, Departments and Other Units
Colleges, divisions, offices, departments, and other units are responsible for establishing processes and procedures to ensure the protection of data which is created, used, or acquired from university systems or other sources in compliance with legal, regulatory, or University policy requirements. This includes conducting or participating in periodic risk assessments, developing and implementing security controls and practices (both centralized and local controls), and complying with all requirements delineated in university policy.
Third Parties, Vendors, Contractors and Consultants
Third parties, vendors, contractors, and consultants who are providing services for or acting on behalf of the University are subject to University information security and privacy policies and will be required to acknowledge this in all contractual agreements. Third parties are subject to the same security, privacy, auditing, and compliance requirements as all University colleges, divisions, offices, departments, and other units.
.050 Roles and Responsibilities
The Chief Information Officer (CIO) is responsible for the implementation, oversight, and maintenance of this policy. The Vice President for Administration and Finance is responsible for the final approval of this policy.
Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Chief Information Officer.
.060 Exceptions
Exceptions from this policy must be approved as described in the Security Exceptions Management Policy. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the Chief Information Officer.
.070 Policy Violations
Failure to comply with university policies may result in the loss of computing privileges, restriction of the ability of devices to connect to or be used on university networks, and other disciplinary measures as defined in Disciplinary Policies and Procedures. Violations may lead to disciplinary actions, including discharge, dismissal, expulsion, legal actions and criminal investigation or prosecution.
.080 Periodic Review and Policy Updates
To ensure relevance and compliance with evolving regulatory, technological, and operational standards, this policy must undergo a comprehensive review at least annually in accordance with the requirements described in the Policy on Policies. During this review, necessary updates will be made to reflect any new legal requirements, organizational changes, or external factors impacting policy efficacy.
.090 Related Regulations and Laws
State of Kansas, ITEC Information Technology Policy: Enterprise Security Policy
State of Kansas, ITEC Information Technology Standards & Guidelines: IT Security Standards