University-Wide Framework for Information Security Policies and Procedures Adopted

At the recommendation of the Data Security Task Force, the IT Policy Committee has adopted a higher standard for information security policies and procedures in response to external threats and in alignment with best practices.

You must log in with your NetID and password to access these policies and procedures. You can also view the policies and procedures on the Medical Center intranet by logging in with your URMC-SH AD account.

This framework is current policy and practice at the University of Rochester Medical Center. It was adopted at the Medical Center in January 2014. The framework was created in collaboration with academic, healthcare, technology, and information security and privacy leaders. Evolving threats, such as zero day vulnerabilities — the time between when a software vulnerability becomes known and when it is patched — highlight the need for tighter security controls. Having a consistent security framework will better ensure the availability of all University resources by protecting against vulnerabilities, potential data loss, and inappropriate data access while making it easier for Medical Center and non-Medical Center departments to collaborate.

Under the new policy framework, data classification will be used to determine the security measures needed. For example, legally restricted data requires higher levels of security than internal data. The previous data classifications have been updated in the new Data Security Classification Policy.

Two quick reference guides, which indicate the security measures that must be implemented based on data classification, were created to help the University community adopt the new policies and procedures. The User’s Guide is designed to assist all faculty, staff, and students, whereas the IT Professional’s Guide will assist IT administrators. Both guides are available at the top of the information security policies and procedures webpage.

If you have any questions about these policies or the classification of data, contact your IT security liaison or your local IT Help Desk:

  • University IT Help Desk — (585) 275-2000
  • Medical Center (ISD) Help Desk — (585) 275-3200