Administrative number: 7-1 A
Responsible office: Information Technology
Responsible officer: Chief Information Officer (CIO)

Information Technology Procedure

Purpose:

The purpose of this procedure is to help document known entities and documents that regulate the use of IT resources as outlined in university Policy 7-1 on Information Technology.

Procedure:

It is the responsibility of the campus CIO to maintain and authorize changes to this list and implement appropriate IT policies and procedures to ensure campus compliance.

ISO 27002:13 was adopted as the system-wide information security audit standard on June 9th, 2015 by Vice Chancellor Ramon Padilla. As WSU maintains compliance with the list of known regulating entities, subsequent IT policies, procedures and controls will be published and implemented to this audit standard. Links to these documents will be published in a subsequent procedure.

Known regulating entities and documents that apply to WSU IT resources include but are not limited to:

==> Minnesota State System policies and procedures establishing Information Technology related controls on data, services and behavior include but are not limited to the following:

http://www.minnstate.edu/board/policy/

List of Common MinnState Policies Enforced:

 

==> Federal laws and regulations:

  • FERPA (Family Educational Rights and Privacy Act)
    Designates authority and establishes expectations for handling student records.
    https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html?src=rn
  • FSA (Federal Student Aid Compliance)
    https://ifap.ed.gov/eannouncements/Cyber.html
  • ITAR (International Traffic in Arms Regulations)
    Designates authority and establishes expectations for handling sensitive research.
    https://www.pmddtc.state.gov/regulations_laws/itar.html
  • Protection of Human Subjects
    Designates authority and establishes expectations for researching human subjects.
    https://www.hhs.gov/ohrp/regulations-and-policy/regulations/45-cfr-46/
  • HIPAA (Health Information Portability and Privacy Act)
    Designates authority and establishes expectations for handling personally identifiable health care information not covered by FERPA.
    https://www.hhs.gov/hipaa/
  • COPPA (Children’s Online Privacy Protection Act)
    https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule

 

==> Industry Requirements:

  • PCI (Purchasing Card Industry)
    Establishes contractual requirements for storing, processing and transmitting cardholder data and defines civil liability for merchants and service providers who fail to comply.
    https://www.pcisecuritystandards.org

 

==> State legislation and policies including but not limited to:

  • MGDPA (Minnesota Government Data Practices Act)
    Designates authority and establishes expectations for handling classified Minnesota Government data.
    https://www.revisor.mn.gov/statutes/?id=13

  • MN.IT Policies (Minnesota Office of Enterprise Technology)
    Designates authority and establishes expectations for statewide information security standards, acquisition of hardware, software and professional services, accessibility of technology, appropriate use of computing and mobile device usage, social media uses and best practices, and online protection of children.
    https://www.mn.gov/mmb/mmbhome/mmb-policies-and-procedures/state-policies-and-procedures.jsp
    http://mn.gov/buyit/program_information/purchasing/ITPurchasesReview_2007-03-22.pdf

Authorizing Policy:

History:

10/13/2020 Converted to new WSU format by TES

Adoption date: 06/07/2015
Implementation date: 06/07/2015