To: Julie Buehler, Vice Chancellor for Information Services & Strategy & Chief Information Officer

From: Tracy Mitrano, Special Advisor to the Vice Chancellor for Information Services & Strategy

Date: March 30, 2017

Re: University of Massachusetts Board of Trustees Data and Computing Policies

Introduction

Please accept this memo in response to your request to review the University of Massachusetts Board of Trustees Data and Computing Policies from the perspective of contemporary information technology policy development in American higher education. Recommendations for revision, removal and archiving of specific policies currently listed as “Board of Trustee Policies” are noted below. The source for this information may be found on the University of Massachusetts, Office of the President, Board of Trustees Policies and Guidelines web page (https://www.umassp.edu/bot/policies).

(For more information regarding policy development, please see the slide that is an appendix to this memo.)

Executive Summary

For reasons of regulatory compliance, effective and efficient operations, and to minimize risk and legal liability, it is strongly recommended that the University of Massachusetts update its information technology policy framework.

It is therefore recommended that the following policies be removed from the current list:

·  Computer Network and System Records, Logs and Structures Policy

·  Policy Statement on Electronic Data Security, Electronic Mail and Computer Policy Development

·  Cybercrime and Data Security Incident Handling Plan and Process

·  Data Compromise Notice Procedure Summary and Guidance

·  Data Security Breach, Unauthorized Data Disclosure or Compromise Incident Handling and Notice Procedures

·  Procedures for Responding to Notification of Copyright Violation or Requests for the Content of Electronic Communication, Any Information About Users of the University of Massachusetts Systems/Networks, or Traffic on the UMass Network

·  Procedures for the Preservation of and Response to Demands for Electronically Stored Information

N.B. Many of these documents represent procedures that new or revised policies will incorporate.

The following policies should be moved:

·  Record Management, Retention and Disposition Policy and Guidelines

(It is not an information technology policy; it is governance.)

·  World Wide Web Policy

(It should be rewritten and then placed under an overarching new information technology compliance policy; see the new policies below and the graphic.)

The following policies should be revised:

·  Information Security Policy
(As a revised policy, it will incorporate many of the procedures outlined in the documents currently on the site.)

The following policies should be created:

·  Legal and Regulatory Compliance for Information Technology Resources
(This policy will act as an umbrella for other compliance areas such as web accessibility, information technology procurement, Digital Millennium Copyright Act procedures, the Health Insurance Portability and Accountability Act, etc.)

·  Ransomware

(For more information and a graphic representation of President/System Information Technology Policies, and their relationship to campus policies, please see the slide that is an appendix to this memo.)

Thank you for your consideration of this matter, and please know that I am available to answer any questions or for a follow-up discussion.
