University General Course Catalog 2018-2019 
    
    May 25, 2019  
University General Course Catalog 2018-2019

NSHE Policy Regarding Information Security


BOARD OF REGENTS HANDBOOK

Title 4, Chapter 1, Section 22.7

Information Security Policy: It is the policy of the Board of Regents that sensitive data maintained or transmitted by an NSHE institution must be secure. For the purposes of this section, “sensitive data” means any data associated with an individual, including but not limited to social security number and data that is protected by Board policy, or state or federal law.

  1. Each NSHE institution must develop an information security plan that includes policies, standards, and/or procedures that describe and require appropriate steps to protect sensitive data that is maintained on an institution’s computing devices or transmitted across a public network such as the Internet. The plan must provide for the encryption of personal information when transmitted electronically, or stored on any device that moves beyond the physical control of the institution or its data storage contractor, and for any additional protections required by Chapter 603A of Nevada Revised Statutes. Institutional policies must include the requirements for the eradication of data when computers are sent to surplus or repurposed. Institutions must be aware of all areas where data are stored, both physically and electronically, and must audit these areas annually to ensure that sensitive data are retained or destroyed as appropriate. The plan must include policies and procedures to be followed in the event that sensitive data is released inappropriately, including but not limited to the appropriate disclosure of the breach of sensitive data pursuant to Nevada Revised Statutes 603A.220. The Vice Chancellor for Information Technology shall establish guidelines for the development of institutional information security plans.
  2. Pursuant to the Privacy Act of 1974 (Public Law 93-579), each institution requesting that an individual disclose his or her social security number must inform that individual whether that disclosure is mandatory or voluntary by what authority the number is solicited, and what uses will be made of it.
  3. Each NSHE institution must adhere to the disclosure requirements established pursuant to Nevada Revised Statutes 239B.030.
  4. Each NSHE institution must designate an individual to perform the function of information security officer who is responsible and has authority to implement compliance with this policy. The responsibilities of the information security officer shall include, implementing the institutional information security plan, developing data risk assessment strategies to identify vulnerabilities and threats to information resources, providing for incident response planning and notification procedures, conducting information security awareness training and education, and ensuring compliance with NSHE and institution policy and federal and state law pertaining to the protection of sensitive information. The information security officer will participate in NSHE-wide information security meetings, programs, and collaborative efforts.