Information Security Policy 1. Policy Statement
The purpose of this policy is to provide a security framework that will ensure the protection of University Information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our academic culture. University Information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked, used for administration, research, teaching, or other purposes. Standards and procedures related to this Information Security Policy will be developed and published separately.

Failure to comply with this policy may subject you to disciplinary action and to potential penalties described in Section 1.1.7 of Rights, Rules, Responsibilities.

2. Who Is Affected By This Policy
The Information Security Policy applies to all University faculty and staff, as well as to students acting on behalf of Princeton University through service on University bodies such as task forces, councils and committees (for example, the Faculty-Student Committee on Discipline). This policy also applies to all other individuals and entities granted use of University Information, including, but not limited to, contractors, temporary employees, and volunteers.

3. Definitions
Authorization – the function of establishing an individual’s privilege levels to access and/or handle information.

Availability – ensuring that information is ready and suitable for use.

Confidentiality – ensuring that information is kept in strict privacy.

Integrity – ensuring the accuracy, completeness, and consistency of information.

Unauthorized access – looking up, reviewing, copying, modifying, deleting, analyzing, or handling information without proper authorization and legitimate business need.

University Information – information that Princeton University collects, possesses, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.

4. Policy
Princeton University appropriately secures its information from unauthorized access, loss or damage while supporting the open, information-sharing needs of our academic culture.

A. Classification Levels
All University Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information.

When combining information, the classification level of the resulting information must be re-evaluated independently of the source information’s classification to manage risks.

Additional requirements for the protection of information in each classification level are identified in the Princeton Information Protection Standards and Procedures.

What are expected actions of firewalls in this policy?