Goal

AAUP recognizes the critical importance of information security, privacy, and cybersecurity in protecting sensitive data and ensuring the confidentiality, integrity, and availability of its information technology (IT) systems and resources. Committed to establishing a secure IT environment, AAUP prioritizes safeguarding personal information and mitigating risks associated with cyber threats. By upholding legal and regulatory requirements and fostering a culture of responsible digital citizenship, AAUP aims to maintain stakeholder trust and ensure the resilience of its digital infrastructure.

Policy Statement

AAUP is dedicated to the following principles and standards of information security, privacy, and cybersecurity:

  1. Information Security:

    • AAUP implements appropriate security controls and measures to protect the confidentiality, integrity, and availability of university information assets, including but not limited to data, systems, networks, and applications.

    • AAUP conducts regular risk assessments, vulnerability assessments, and penetration tests to identify and address potential security threats and vulnerabilities.

 

  2. Data Privacy and Protection:

    • AAUP ensures the protection of personal information and complies with applicable privacy laws and regulations.

    • AAUP establishes procedures and practices to securely collect, process, store, transmit, and dispose of personal data, ensuring informed consent and providing individuals with the rights to access, rectify, and erase their personal information.

 

  3. Access Control and Authentication:

    • AAUP implements access controls and authentication mechanisms to ensure that only authorized individuals can access university systems, applications, and data.

    • AAUP enforces the principle of least privilege, granting users appropriate access rights based on their roles and responsibilities.

 

  4. Incident Response and Management:

    • AAUP establishes incident response procedures to detect, respond to, and mitigate security incidents promptly.

    • AAUP maintains a dedicated incident response team and establishes communication channels to report security incidents and provide timely notification to affected individuals, as required by law.

 

  5. Cybersecurity Awareness and Training:

    • AAUP provides regular training and awareness programs to educate the university community about cybersecurity best practices, social engineering threats, phishing attacks, and other cyber threats.

    • AAUP promotes responsible digital citizenship, emphasizing the importance of password hygiene, safe browsing, and secure use of university IT resources.

 

  6. Compliance and Governance:

    • AAUP adheres to applicable laws, regulations, and industry standards related to information security, privacy, and cybersecurity.

    • AAUP establishes governance structures, policies, and procedures to ensure ongoing compliance and provide oversight of IT security and privacy practices.

Implementation and Compliance

To ensure the successful implementation of this policy, AAUP will:

  1. Designate the university president’s office for IT affairs and the cybersecurity officers to oversee the implementation, communication, and monitoring of this policy.
     

  2. Develop and disseminate guidelines, standards, and procedures that support information security, privacy, and cybersecurity best practices.
     

  3. Regularly assess and update IT infrastructure and security measures to address emerging threats and vulnerabilities.
     

  4. Provide ongoing training and awareness programs to educate users about information security, privacy, and cybersecurity risks and mitigation strategies.
     

  5. Conduct periodic audits and assessments to evaluate compliance with this policy and address any identified gaps or areas for improvement.

Measures

The following measures (indicators) can be used to assess the utilization of this policy:

  1. Data Breach Incidents: Number of reported data breaches or security incidents and the average time taken for resolution.
     

  2. Employee Training and Compliance: Percentage of staff completing information security and privacy training programs.
     

  3. Privacy Compliance: Number of privacy regulations or standards complied with (e.g., GDPR) and related assessments conducted.
     

  4. Data Access Control: Percentage of authorized access controls implemented for sensitive data.
     

  5. User Awareness: Survey results measuring user awareness and understanding of information security and privacy practices.
     

  6. Information Security Compliance: Implementation of and compliance with international cybersecurity standards and systems such as ISO 27001.

Policy Ownership and Stakeholder(s)

Policy Owner: President’s Assistant for IT Affairs
Other Stakeholder(s): University Community
