Information security program

Purpose

The purpose of Lynn University’s information security program is to:

  1. Establish a university-wide approach to ensure the security and protection of institutional data in the university’s custody, regardless of format.
  2. Prevent and protect against any anticipated threats and hazards to the security or integrity of institutional data.
  3. Prevent and protect against the unauthorized access to or use of institutional data.
  4. Protect systems from unauthorized access or use, and protect the availability of critical systems.
  5. Ensure university-wide compliance with applicable data and student record protection laws, regulations, policies and practices.
  6. Develop greater security awareness by educating data users of institutional data about their individual data security responsibilities.
  7. Establish processes for monitoring and reviewing the university’s information security program.
  8. Establish procedures for responding to potential security incidents.

Policy

It is the policy of Lynn University to maintain a comprehensive information security program (“ISP”) in compliance with federal, state and local regulations and contractual agreements. The objective of the university’s ISP is to:

  1. Ensure the security and confidentiality of institutional data;
  2. Protect against anticipated threats or hazards to the security or integrity of institutional data; and
  3. Protect against unauthorized use of institutional data that could result in substantial harm or inconvenience to any Lynn University customer or system or affect system availability.

The university’s ISP incorporates, by reference, information security-related policies and associated standards, guidelines and controls that address the confidentiality, integrity and availability of institutional data. See the list below.

  • Acceptable use of technology
  • Cloud computing
  • Information system accounts and access control
  • Information system and institutional data integrity
  • Information system incident response
  • Information system maintenance
  • Information system personnel security
  • Password

Definitions

Data users - individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel authorized by the university to access information systems that collect, process, maintain, use, share, disseminate or dispose of institutional data.

High risk data - includes (1) institutional data that is required by law/regulation to be protected; (2) institutional data the university is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed; and (3) institutional data that could have a significant adverse impact on the university’s mission, safety, finances, or reputation if there is a loss of confidentiality, integrity, or availability of the data or information system housing the data.

Medium risk data - includes institutional data and information systems not considered to be high risk, and data that is not generally available to the public, or the loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on the institution’s mission, safety, finances, or reputation.

Low risk data - institutional data and information systems are classified as "low risk" if they are not considered to be medium or high risk, and the data is intended for public disclosure, or the loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on the institution’s mission, safety, finances, or reputation.

Information system(s) - a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term system is used to represent all types of computing equipment and platforms that can process, store, or transmit institutional data.

Institutional data - any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any unit, program or office of the university in support of Lynn University’s mission. There are three types of institutional data: high risk; medium risk; and low risk. See the data classification and data governance policy for additional information.

Media - includes, but is not limited to, paper, hard drives, random access memory (RAM), read-only memory (ROM), disks, flash drives, memory devices, phones, mobile devices, networking devices, and all-in-one printers.

Procedures/Guidelines

To learn more about this policy or the supporting procedures, please contact Information Technology.

Evaluation and revision of the ISP

This ISP is subject to periodic review and adjustment. The most frequent of these reviews occurs within information technology, where constantly changing technology and evolving risks mandate increased vigilance. Continued administration of the development, implementation, and maintenance of the ISP is the responsibility of the university’s Information Security Officer (ISO), who assigns specific responsibility for information technology implementation and administration as appropriate.

The ISO reviews the standards set forth in this ISP and the university’s information security related policies and associated controls and recommends updates and revisions as necessary. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of institutional data, and internal or external threats to institutional data.

Policy updated on: Jun. 1, 2021