Information Technology Security Policies and Guidelines

Official University Policies

All students, faculty, and staff are expected to comply with the policies below that are designed to protect University IT resources.  


IT6003 - Acceptable Use of Information Technology Resources

IT6005 - Data Security Policy

IT6000 - Data Access

IT6008 - Email Use

IT6004 - Security and Protection of Electronic Information Resources

IT6007 - Information Security Program



All students, faculty, and staff are encouraged to review and comply with the guidelines below to prevent security incidents that could lead to a violation of University policies.

Working with Restricted University Data

In compliance with University policy IT6005 - Data Security Policy, restricted University data must be protected against physical theft or loss, electronic invasion, or unintentional exposure.  The following guidelines outline practices for working with Restricted University data.

Data Storage

ITS has developed guidelines to recommend appropriate storage services and locations to be utilized for restricted and all other classifications of University data. Please refer to the Guidelines for Storage of University Electronic Data page for a listing of storage services and locations by data classification.

Data Encryption

ITS has developed standards for encryption to ensure restricted University data is protected from disclosure. In compliance with University policy IT6005 - Data Security Policy, employees are responsible for protecting restricted University data to which they have access.  University owned laptops and portable media devices storing restricted University data must be encrypted. Local Support Providers (LSPs) in each department are responsible for assisting faculty and staff with this process.

ITS has defined the following standards for encryption software:

Data Destruction

In compliance with University policy IT6005 - Data Security Policy, restricted University data must be securely erased from all equipment or portable media prior to disposal. Deleting files from your computer or laptop does not permanently remove the data. The hard drive must be overwritten (sometimes called "wiping" the drive) before disposal to ensure that deleted files cannot be recovered. Local Support Providers (LSPs) in each department are responsible for assisting faculty and staff with disposal of University equipment.

Family Educational and Privacy Rights Act

The University adheres to the requirements of the Family Educational and Privacy Rights Act (FERPA). Additional information regarding FERPA is located on the Registrar's FERPA Compliance page.

Protecting Your Account


Maintain a complex password and do not share it with others. Sharing your University passwords is a violation of University policy IT6003 - Acceptable Use of Information Technology Resources. Additional guidelines and information can be found on the Password Security page.

Duo Account Security

The University Single Sign-On (SSO) system supports Multi-factor Authentication (MFA) capabilities using a product from Duo Security. Duo protects user's accounts by requiring a second means of authentication in addition to the password. Password-based authentication has become increasingly hackable and MFA greatly reduces the threat of someone else gaining access to accounts.  

New employees are walked through the steps of using DUO during orientation. Users can use the Duo Mobile app to enroll their smartphone or tablet to receive online push notifications, or generate a one-time passcode. Users can also enroll an SMS number (a phone number that can receive texts) to receive notifications via text, or enroll a phone number to receive a phone call, depending on their preference.

Report a Security Incident or Abuse

Individuals should report potential security issues which include but not limited to lost/stolen devices, potential data breaches or exposure, compromised University account credentials, and malicious network activity via the IT Security Incident Report Form.

ITS will never ask individuals to send personal information such as usernames, passwords or social security numbers via email. Additionally, individuals may occasionally receive unsolicited emails (spam) or phishing emails specifically designed to trick one into clicking inappropriate links. These types of emails may be forwarded to the University of Memphis Information Security Abuse group via email at abuse@memphis.edu.

Protecting Your Computer

Anti-Virus Software

Viruses can corrupt data and slow down entire computer networks. To protect your computer from infection, install anti-virus software, and update when prompted.

University owned computers/laptops can get anti-virus software installed at no cost. Contact the umTech Service Desk at 901.678.8888 to request this service by your Local Support Provider (LSP).

Anti-Malware Software

Malware (malicious software) is software installed on your computer without your knowledge. It may be installed while you are downloading an application, browsing websites, reading emails, opening email attachments, or using a file sharing program online. It is recommended to use an approved Anti-Virus or Anti-Malware product as mentioned above.

Software Updates

New security vulnerabilities are found every day. The best way to protect a computer or device against threats is to install security updates to the operating system. Supported versions of MacOS and Microsoft updates are FREE to download.

Windows: Windows Update: FAQ
Mac: Apple Support Downloads

Additionally, it is important to install security updates for any applications installed on a computer or device, such as third party web browsers, PDF readers, Java, Flash or other plugins.

ITS reserves the right to block devices from the network running vulnerable versions of software applications or unsupported operating systems that no longer receive software updates.


Other Guidelines

Peer-to-Peer File Sharing

Peer-to-Peer (P2P) file sharing allows individuals to share files with other users. Additional information about P2P file sharing can be found in a Wikipedia article located here.  There are many potential legal issues surrounding inappropriate use of P2P applications and users of these programs are encouraged to review and abide by applicable copyright laws that can be reviewed here.  Violation of copyright laws or other inappropriate use of P2P file sharing may result in a violation of policy IT6003 - Acceptable Use of Information Technology Resources.  Sharing of copyrighted music, videos, movies, and documents are examples that may constitute a violation of University policy.

Vulnerability Response Timeline

Information Technology Services is responsible for creating a culture this is committed to information security. As an expression of this commitment, the Vulnerability Response Timeline provides guidelines for resolution and documentation of system vulnerabilities. These guidelines apply to systems and software supplied by Information Technology Services, University departments, and vendors.