
UMGC Policy X-1.21 UMGC Policy on Information System and Communication Protection

Policy Category: X. Information Governance, Security & Technology
Policy Owner: SVP, General Counsel, and Chief People Officer
Version Effective Date: June 11, 2025
Review Cycle: Every 2 years
Last Reviewed: June 11, 2025
Policy Contact: UMGC Info. Security
  1. Purpose
    The purpose of this Policy is to establish information security standards of identification, management, and control of all University of Maryland Global Campus Information Technology Resources that store or transit Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), or other forms of High Risk Data.
  2. Scope and Applicability
    This Policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this Policy.
  3. Definitions
    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.
  4. Information System and Communications Protection
    Information System Stewards or their designee must adhere to this Policy to ensure active identification, management, and control of all University Information Technology Resources that store or transit Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), and other forms of High Risk Data to include:
    1. Monitoring, controlling, and protecting University communications (i.e., Information transmitted or received by University Information Systems) at the external boundaries and key internal boundaries of the Information Systems.
      1. Information System boundary components include, but are not limited to:
        1. gateways,
        2. routers,
        3. firewalls, or
        4. encrypted tunnels.
      2. Restricting or prohibiting interfaces in organizational systems includes, but is not limited to, prohibiting external traffic that appears to be spoofing internal addresses.
    2. Employing architectural designs, software development techniques, and systems engineering principles that promote effective Information security within organizational systems.
    3. Separating User functionality from Information System management functionality.
    4. Preventing unauthorized and unintended Information transfer via shared Information Technology Resources, and verifying that no shared system resource (such as cache memory, hard disks, registers, or main memory) can pass information from one user to another user.
    5. Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
    6. Denying network communications traffic by default and allowing network communications traffic by exception (i.e., deny all, permit by exception).
    7. Preventing remote devices from simultaneously establishing non-remote connections with University Information Technology Systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
    8. Implementing cryptographic mechanisms to prevent unauthorized disclosure of High Risk Data during transmission unless otherwise protected by alternative physical safeguards.
    9. Terminating network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. This includes, but is not limited to, deallocating (stopping) TCP/IP address and port pairs at the operating system level, and/or deallocating networking assignments at the application level if multiple application sessions share a single operating system-level network connection.
    10. Establishing and managing cryptographic keys for cryptography employed in University Information Technology Systems to include developing processes and technical mechanisms to protect the cryptographic key's confidentiality, authenticity, and authorized use in accordance with industry standards and regulations.
    11. Employing FIPS-validated cryptography when used to protect the confidentiality of High Risk Data.
    12. Prohibiting remote activation of Collaborative Computing Devices and providing indication of devices in use to users present at the device.
    13. Controlling and monitoring the use of mobile code, including ensuring that mobile code such as Java, ActiveX, or Flash is authorized to execute on the network in accordance with the University's policy and technical configuration, and that unauthorized mobile code is not.
    14. Controlling and monitoring the use of Voice over Internet Protocol (VoIP) technologies.
    15. Protecting the Authenticity of communications sessions.
    16. Protecting the Confidentiality of High Risk Data at rest.
    17. Implementing a policy restricting the publication of High Risk Data on non-UMGC owned, publicly accessible websites (e.g., forums, LinkedIn, Facebook, Twitter).
  5. Exceptions
    Exceptions to this Policy should be submitted to Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.
  6. Enforcement
    1. Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
    2. Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Technology Resources and may be subject to disciplinary action, up to and including termination of employment or contract, or pursuit of legal action.
  7. Standards References
    1. Most recent versions:
      1. USM IT Security Standards
      2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
      3. Cybersecurity Maturity Model Certification (CMMC)
  8. Related Policies
    1. UMGC Social Media Guidelines
    2. UMGC Policy X-1.02 Data Classification
    3. UMGC Policy X-1.04 Information Security
    4. UMGC Policy X-1.05 Information Security Awareness and Training
    5. UMGC Policy X-1.06 Information Security Incident Response
    6. UMGC Policy X-1.07 Audit and Accountability
    7. UMGC Policy X-1.08 IT Resource Configuration Management
    8. UMGC Policy X-1.12 Acceptable Use
    9. UMGC Policy X-1.14 Media Protection
    10. UMGC Policy X-1.15 Maintenance of Information Systems and Technology Resources
    11. UMGC Policy X-1.22 System and Information Integrity