
Rule R4-004Q: Information Security Policy Sanctions

Revision 0. Effective date: September 12, 2023


  1. Purpose and Scope
  2. Definitions
  3. Rule
    1. Cybersecurity Sanctions Matrix
  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources
  5. References
  6. Contacts
  7. History

  1. Purpose and Scope

    1. Purpose

      The purpose of this Information Security Policy Sanctions Rule is to describe the consequences for violating Policy 4-004 or any associated regulations.

    2. Scope

      The scope of this rule is all University administrative units, including colleges, divisions, departments, and centers, and all members of the University community, including students, staff, faculty, other permanent or temporary employees, contractors, research collaborators, vendors, and third-party agents.

      This rule supports section Q, titled Violations, of the University of Utah Information Security Policy 4-004.

  2. Definitions

    The definitions provided in Policy 4-004 apply for this rule.

  3. Rule

    1. Cybersecurity Sanctions Matrix

      Columns: Level of Violation | Accidental | Deliberate | Examples of Violations | Actions to be Taken

      Level I

      Errors in handling Restricted or Sensitive Data or in maintaining IT security measures.

      Accidental / Deliberate:
      • Lack of training
      • Inexperience
      • Poor judgement: mistakes made while operating in good faith
      • Poor process
      • Clerical error
      • Process error
      • Technical error
      • Judgement error

      Examples of Violations:
      • Leaving an active computer unattended which has access to Restricted or Sensitive Data
      • Accessing Restricted or Sensitive Data which is no longer part of assigned job duties
      • Failure to complete required cybersecurity training
      • Failure to report a cybersecurity violation

      Actions to be Taken:
      • Verbal warning and memo of expectations/ memo of success
      • Assigned cybersecurity training
      • Required review of policy and procedures

      Level II

      Errors in handling Restricted or Sensitive Data or in maintaining IT security measures with a disregard for University policy.

      Accidental / Deliberate:
      • Curiosity
      • Concern
      • Unauthorized
      • Non-job related

      Examples of Violations:
      • Email forwarding and/or the use of an email system that is not approved to conduct University business
      • Failure to implement appropriate Controls for Restricted or Sensitive Data, either at rest or in transit
      • Abuse of computer resources administrative privileges
      • Removal of University IT security tools from University-owned devices
      • Repeat commission of Level I violations

      Actions to be Taken:
      • Inclusion of expectations/ mitigation steps on performance evaluation
      • Assigned cybersecurity training
      • Required review of policy and procedures

      Level III

      Breach in the terms of the Confidentiality Agreement and/or University policies concerning use and disclosure of Restricted or Sensitive Data or in maintaining IT security measures.

      Accidental / Deliberate:
      • Negligence
      • Personal/ financial gain
      • Unauthorized
      • Disrespect for co-workers, supervisor, and patients
      • Non-job related

      Examples of Violations:
      • Password/Account sharing
      • Disregard of University policy and procedure resulting in a breach of Restricted or Sensitive Data
      • Violation of policy to the extent that organizational harm may result
      • Storing Restricted or Sensitive Data on an unencrypted storage device
      • Transmission of Restricted or Sensitive Data resulting in a breach
      • Disclosure of Restricted or Sensitive Data to co-workers with no job-related need to know
      • Using someone else's account through the theft/observation of another employee's credentials
      • Adding, deleting, or altering Restricted or Sensitive Data without authorization
      • Posting any Restricted or Sensitive Data on social media that poses harm to the University or individuals it may pertain to
      • Repeat commission of Level I or II violations

      Actions to be Taken:
      • Final written warning, requiring written corrective action plan or suspension without pay
      • Suspension of Information System User privileges
      • Referral to VP as violation of faculty code
      • Revocation of Medical Staff privileges
      • Suspension of research projects and inability to participate in research for 12 months
      • Obligation to make restitution
      • Possible referral to law enforcement

      Level IV

      Breach in the terms of the Confidentiality Agreement and/or University policies concerning use and disclosure of Restricted or Sensitive Data for personal gain or to affect harm on another person.

      Accidental / Deliberate:
      • Revenge
      • Protest
      • Gross negligence
      • Dereliction of duty
      • Theft, including identity theft
      • Stealth
      • Malicious actions: e.g., alteration or deletion of data, making Information Systems inaccessible
      • Willful neglect

      Examples of Violations:
      • Alteration, deletion, or removal of Restricted or Sensitive Data from University facilities without approval which results in a breach and/or harm to the University and individuals
      • Unauthorized publication or broadcasting of Restricted or Sensitive Data
      • Use or disclosure of Restricted or Sensitive Data for illegal purposes
      • A pattern of routine security violations due to inattention, carelessness, or a cynical attitude toward security discipline
      • Repeated Level II or III violations

      Actions to be Taken:
      • Termination of employment and ineligible for rehire
      • Law enforcement engaged
      • Contract of restitution

      Sections IV-VII are for user information and are not subject to the approval of the Academic Senate or the Board of Trustees. The Institutional Policy Committee, the Policy Owner, or the Policy Officer may update these sections at any time.


  4. Policies/ Rules, Procedures, Guidelines, Forms, and other Related Resources

    1. Policies/ Rules.

      1. Policy 4-004: University of Utah Information Security Policy

    2. Procedures, Guidelines, and Forms. [ reserved ]

    3. Other Related Resources. [ reserved ]

  5. References

    1. 45 C.F.R. 164: Health Insurance Portability and Accountability Act (HIPAA): Security and Privacy

    2. Family Educational Rights and Privacy Act of 1974 ("FERPA", 20 U.S.C. § 1232g)

    3. Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541)

    4. ISO 27002:2013, Information Technology - Security Techniques - Code of Practice for Information Security Controls

    5. NIST 800 Series, Federal Information Security Standards

    6. Policy 3-070: Payment Card Acceptance

    7. Policy 4-001: University Institutional Data Management

    8. Policy 4-003: World Wide Web Resources Policy

    9. Policy 5-111: Disciplinary Actions and Dismissal of Staff Employees

    10. Policy 6-400: Student Rights and Responsibilities

    11. Policy 6-316: Code of Faculty Rights and Responsibilities

    12. Pub. 111-5, Division A, Title XIII, Subtitle D: Health Information Technology for Economic and Clinical Health Act (HITECH Act)

    13. Omnibus HIPAA Rule: 45 CFR Parts 160 and 164 - Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the HITECH Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule

    14. Utah Board of Higher Education Policy R345: Information Technology Resource Security

  6. Contacts

    The designated contact officials for this Regulation are:

    1. Policy Owner(s) (primary contact person for questions and advice): Chief Information Security Officer

    2. Policy Officer(s): Chief Information Officer

      See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

  7. History

    Revision History

    1. Current version. Revision 0.

      1. Approved by President Randall as an Interim Rule on September 12, 2023 with effective date of September 12, 2023. Rule finalized with no changes after Board of Trustees approval of Policy 4-004 revisions on November 14, 2023.

      2. Legislative History

      3. Editorial Revisions

    2. Previous versions.

    3. Renumbering

      1. Not applicable.

Last Updated: 11/15/23