IT Policies, Standards & Guidelines
Policies are broad campus-wide rules. They are issued by the UMD president after broad campus input and formal endorsement through shared governance by the University Senate.
As the highest level of governance document, policies typically have general applicability and rarely change (or are hard to change). They are leadership’s high-level statement of information security goals and expectations.
The University Senate is one of the largest and most influential governing bodies at the University of Maryland. The senate is composed of faculty, staff, students, and administrators who are peer-elected, volunteer, or appointed. As senators and senate committee members, these constituents directly participate in the shared governance of our university. The primary function of the senate is to advise the university president on all campus policy matters and concerns, including but not limited to: education, budget, personnel, campus-community, long-range plans, facilities, and faculty, staff and student affairs (subject to the limitations imposed by laws or mandates from the University of Maryland System Board of Regents or the chancellor).
The work of the senate and senate committees is supported and coordinated by the staff in the senate office. The senate office consists of the executive secretary and director of the senate (who is a non-voting ex-officio member of both the senate and senate executive committee), a senior policy advisor, and three coordinators.
Campus policies can be initiated in response to common concerns, industry best practices, or state and/or federal regulations. Recently, the State of Maryland Senate passed a Higher Education Privacy Bill that calls for substantial alterations to how higher education institutions handle, protect, and classify student data.
The University of Maryland has a handful of existing IT policies in place.
Standards state the actions needed to meet policy goals. They are more specific than policies and easier to update in response to changing circumstances. Often, standards set the minimum level of action needed to comply with a policy. The Board of Regents' Information Technology Policy and Section 12-112 of the Education Article of the Maryland Code require that each institution within the University System of Maryland adopt a policy that assigns roles and responsibilities with regard to information technology security.
A common question is what drives the requirement for security standards and policies at UMD. The answer is an agreement between all University System of Maryland schools in the form of agreed-upon standards, the USM IT Security Standards. These standards were created by agreement among the USM CIOs and CISOs to protect the schools in alignment with industry best practices, in a manner that can be reasonably deployed in our complex environments.
Every member of the university community is responsible for the protection of the electronic data, applications, computer systems, networks, and accounts under their control. Users are expected to exercise the level of care appropriate to the sensitivity of the data stored on university systems and networks.
University Policy X-1.0(A), UMD Policy on Acceptable Use of Information Technology Resources, establishes that those using university information technology resources are responsible for complying with security standards set forth by the vice president/chief information officer (VP/CIO).
Guidelines are documents that specify recommended actions and advice. Institutional employees may not be required to follow guidelines as part of their jobs, but the guidelines are shared in order to promote good information security hygiene practices.