Information Security
ITS Information Security promotes the idea that security is a shared responsibility and seeks collaborative engagement with the campus community. The Information Security Team is committed to providing a safe and reliable computing environment for students, faculty and staff. We do this by safeguarding the confidentiality, integrity, and availability of information systems, identity, and data assets. Our goal is to provide proactive security expertise and maintain a resilient and secure infrastructure, while fostering a culture of security awareness and compliance throughout the University.
Information Security Program
Information Security administers the University's Information Security Program and is the go-to resource for guidance on compliance. We work to mitigate cyber security risks through outreach, awareness, assessment, policy, and best practices. We provide a number of critical services, including:
- Monitoring threats and attacks to the University's users and IT infrastructure
- Providing cyber security awareness training
- Leveraging vulnerability management tools and web application scanning
- Managing user accounts and identity management
- Reviewing and building secure access protocols and network architecture
- Providing guidance for the University's data governance process and security policies
Security Apps & Guides
LastPass Password Manager
Secure File Transfer
Policies & Guidance
The Data Classification Policy provides a structured and consistent classification framework for defining the university’s data security levels. It covers all data produced, collected or used by the University, its employees, student workers, contractors or volunteers while conducting University business.
The Online Privacy Policy applies when you visit the St. Thomas website and mobile applications (which we refer to as “sites”), where we may collect some information about you and your visit. This policy governs and explains our collection and use of this information.
The Mass Email Policy defines the standards for using the University’s email systems for mass communications.
The Payment Card Policy pertains to all St. Thomas departments at all campuses and affiliated locations that accept, process, transmit, and/or handle payment card data on behalf of the University.
The Remote Access Policy defines the standards for connecting to the St. Thomas network from remote devices.
The Personal Device and Remote Work Technology Policy establishes the expectations around the use of personal devices to perform work for St. Thomas and the use of technologies to perform work remotely for St. Thomas.
The Responsible Use Policy is a broad document establishing responsibilities and acceptable conduct of users of university computing, networking, telephony, and information resources.
The Workstation Administrator Access Policy protects St. Thomas computing and information assets through the implementation of a university-wide policy on access to administrative rights on campus workstations.
The IT Change Management Policy ensures that all changes to university IT resources are tracked in order to support continuity of IT services and reduce negative impact on services and users.
The Written Information Security Program (“WISP”) Policy defines, documents, and supports the implementation and maintenance of the administrative, technical, and physical safeguards St. Thomas has selected to protect the personal information it collects, creates, uses, and maintains.
The purpose of the St. Thomas Minimum Security Standards is to establish the information security standards necessary to comply with the University’s policies. These standards provide an effective baseline of appropriate system, administrative, and physical controls to apply to data based upon its classification. These standards are intended to reflect the minimum level of care necessary for St. Thomas’ sensitive data. As cybersecurity is a rapidly evolving field that continuously presents new challenges, these standards will be revised and updated accordingly. Review our current standards for:
St. Thomas has also classified information assets into risk-based categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect against unauthorized access. Review the current risk matrix.