1.0 Overview

It is essential that all aspects of the Information Security Program be followed at all times.  The purpose of this policy is to outline the auditing procedures that will be used to ensure compliance.

2.0 Purpose

This policy is designed to lay out the framework that governs the regular auditing of the Information Security Program.

3.0 Scope

This policy applies to any University official.

4.0  Policy

To ensure compliance with the requirements set forth as part of this program, regular audits must be performed.  Audit checklists have been developed (Appendices D through I) that must be completed on the following schedule:

Servers                                      Quarterly, or after a significant upgrade or migration
Network Equipment            Quarterly, or after a significant upgrade or migration
Desktops                                   Quarterly
Physical Access                      Quarterly
Passwords                                Annually
Account Deactivation          Semi-Annually (to coincide with the fall  and spring semesters)


It is essential that the Information Security Program be regularly reviewed and updated as necessary.  This review shall occur annually and shall be performed by the Security Engineer, the Manager of Network Operations and the Director of Network Services.  Any changes, additions or deletions from the program that arise from this annual review, shall be performed with unnecessary delay.

5.0 Enforcement

Failure to follow this policy will result in the offender(s) being subject to disciplinary action up to and including a formal written letter of corrective action.

6.0 Revision History

Draft Policy – 19 April 2005 – jfiske

Draft Policy – 5 May 2005 – jfiske

Draft Policy – 10 February 2006 – jfiske

Draft Policy – 10 April 2006 – jfiske

Approved Policy v1.0 – 4 November 2013 – jfiske