IT-4 Standard for Protecting Sensitive Information


Purpose

All members of the university community share in the responsibility for protecting information resources to which they have access. The purpose of this document is to establish minimum standards and guidelines to protect against accidental or intentional damage or loss of data, interruption of university business, or the compromise of sensitive information. It defines the minimum required information security controls for all technology connected to the University network or used for University purposes, regardless of ownership or management.

Additional authority

The following federal laws and standards are among those that helped guide the content of this document:

Scope

The IT-4 Standard for Protecting Sensitive Information applies to all students, faculty, staff, contractors, consultants, temporary employees, affiliates, guests, volunteers, and all other entities or individuals with access to sensitive information ("Restricted" and "High" tiers in Data Classification Standard IT-2) through the University of Maryland or its affiliates. It also applies to all university information resources and IT systems, including those of third parties providing IT services used for University purposes, to in-house developed software, and to “Internet of Things” (IoT) devices regardless of who owns them.

Definitions

Layers of Physical Security are defined as the individual physical barriers around an asset that each require a physical key, card swipe, biometric, or other authentication to pass. This includes barriers at room doors as well as those on cabinets, drawers, and similar storage.

Multi-Factor Authentication (MFA) refers to the additional layer of login security provided by the University, in which a user must present a second factor in addition to a password before access is granted.

Physical Security refers to permanent, tangible barriers, such as locks or devices that require authentication, that control physical access to an asset.

Portable Device refers to one that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); and (iii) possesses local, non-removable or removable data storage.

Sensitive Information is defined as information that is classified in the top two tiers (High and Restricted) of IT-2: Data Classification Standard.

University Community refers to individuals who use the University of Maryland's information resources, even if they have no responsibility for managing the resources. This includes students, faculty, staff, contractors, consultants, temporary employees, and guests.

USM IT Security Standards are those set by the University System of Maryland and serve as the minimum for compliance by the University. 

Responsibilities

All members of the university community are responsible for protecting the information resources to which they have access. Their responsibilities cover both computerized and non-computerized information and information technology devices (e.g., paper, reports, books, film, microfiche, microfilms, recordings, computers, removable storage media, printers, phones, fax machines, etc.) that they use or possess. Users must follow the information security practices set by the CIO, as well as any additional departmental or other applicable information security practices.

Users with access to sensitive information are expected to be familiar with and meet or exceed all university policies and exercise good judgment in the protection of information resources. They must be familiar with this document and other information-related policies, approved practices, standards and guidelines, including but not limited to the university’s standards regarding acceptable use, access and privacy.

Requirements

The University of Maryland account is for the sole purpose of university business, which includes academic, research, instructional, service, and administrative activities, and is assigned to users for the term of their employment. It is neither a personal account nor an account for conducting outside activities or employment. Unless otherwise approved by the CIO or a delegate, only University owned and managed devices may be used to store, transmit, or process sensitive information.

Physical security

Departments and users must provide physical security for all information technology devices at all times, as specified in IT-5. Physical security must be provided at an appropriate level based on the criticality and sensitivity of data stored and/or processed by the devices. Departments and users must be aware that some data types may require specific physical security controls be in place in order to comply with federal laws and standards.

Access to information

Access to sensitive information must be restricted, electronically and physically, to only persons with a legitimate purpose for such access. Administrators with the authority to grant access must receive and retain requests to add users and/or provision roles. Each request must include the business reason for granting the access along with any details regarding expiration of the access if it is meant to be only temporary. Additionally, users must be required to sign a written agreement to maintain confidentiality before their access to the sensitive information is granted. Administrators must conduct reviews of system access annually, or more frequently where legally or contractually required, to ensure that all users with access are still active employees and still require it.

Access to sensitive information must be protected through the use of Multi-Factor Authentication (MFA). User accounts must adhere to the USM IT Security Standards. The university’s Central Authentication System (CAS) is the expected mechanism for achieving these requirements. Alternative authentication systems must be approved by the University Chief Information Security Officer.

Information storage

Sensitive information must be kept in a place that provides a high level of protection against unauthorized access and must not be removed from the university.

Distribution and transmission of information

Sensitive information that is transmitted electronically, transported physically, or spoken in conversation must be appropriately protected from unauthorized interception. For electronic transmission, all websites must use HTTPS so that data is encrypted in transit. Do not transmit sensitive information via email unless using a university-approved secure messaging system.

Ensure that sensitive information is only distributed to persons or institutions that have a legitimate purpose for receiving it and a contract governing the relationship and obligations of each party. When sensitive information is shared using a shared storage solution, ensure that the users it is shared with cannot in turn re-share it with additional users who should not have access, as required by IT-19.

When sensitive information must be shared with institution(s) whose classification of said information is not the same, ensure that the higher of the security controls is applied. For example, if the University of Maryland requires stricter security than the institution the information is being shared with then the University of Maryland's security controls must be applied.

Destruction and disposal of information and devices

Sensitive information may be subject to records retention requirements. Users are responsible for knowing and following the applicable records retention schedules, such as those reflected in the procurement records retention schedules. Once a record’s retention period has ended, sensitive information must be disposed of in a manner that ensures it cannot be retrieved or recovered by unauthorized persons. Physical documents containing sensitive information must be shredded prior to disposal. Electronic information must be securely deleted, using appropriately vetted and approved tools, from every location where it is stored (e.g., hard drive, network share, cloud storage) when it is no longer needed or no longer valid.

When hard drives or other devices known to have contained sensitive information reach end-of-life, utilize a secure destruction method to destroy the devices and ensure that information cannot be recovered. The university offers a Storage Destruction Service to campus through Terrapin Trader.

Incident handling and reporting

Users must report suspected compromises of information resources, including malware infections and phishing attempts, as outlined in IT-17.

Security awareness

DIT shall provide appropriate security awareness training to all faculty and staff members. This training must be provided at the start of employment with the university as well as regularly (at least annually) as a refresher. Training must cover current and common threats as well as appropriate user behaviors.

Accessing sensitive information while traveling

Apply the following practices, in addition to all others listed in this document, when accessing sensitive information while traveling:

Enforcement

Violations of this standard will be handled consistent with university disciplinary procedures applicable to the relevant individuals or departments. Failure to comply with this standard may also result in the suspension of access to network resources until standards have been met. Should University of Maryland incur monetary fines or other incidental expenses from security breaches, the university may recoup these costs from the non-compliant department, school, or auxiliary organization.

Appendix

References to other IT Standards

Version

Version 2.0
Approved by CIO and IT Council, December 2025
