INFORMATION SECURITY POLICY | No. 10-1 | Rev. 12-12-06 | Date: 04-13-04
The Information
Security Policy (“Policy”) applies to all organizations within the
University even though not all organizations are the same and the data needed
and used by those organizations are used differently. The principles of academic
freedom and free exchange of ideas apply to this policy, which is not intended
to limit or restrict those principles. This Policy is also in accordance with
federal and state laws and regulations for information security.
University information technology resources are a valuable
University asset and must be managed accordingly to ensure their integrity,
security and availability for lawful educational purposes. This document is a
high-level confidentiality and information security policy for use by all
University staff, students and users of the University’s information
technology resources.
Note: Throughout the Policy the terms data and information are used interchangeably.
I. PURPOSE
The purpose of the Information Security Policy is to:
· Prescribe mechanisms which help identify and prevent the compromise of information security and the misuse of University data, applications, networks and computer systems.
· Define mechanisms which protect the reputation of the University and allow the University to satisfy its legal and ethical responsibilities with regard to its networks’ and computer systems’ connectivity to networks outside the University.
· Provide written guidelines and procedures to manage and control information considered to be high-risk, restricted and/or confidential whether in electronic, paper or other forms.
· Protect the integrity and validity of University data.
· Ensure the security and protection of high-risk, restricted and confidential information in the University’s custody, whether in electronic, paper, or other forms.
II. SCOPE
The unauthorized addition, modification, deletion, or
disclosure of high-risk, restricted or confidential information included in
University data files and data systems is expressly forbidden. In certain
limited circumstances, as specified in federal and state legislation, the
University may disclose high-risk, restricted or confidential information.
III. DEFINITIONS
Data Classifications
High-Risk – Data that could be used to steal an individual's identity or cause harm to
the individual, and for which there are legal requirements or industry standards
prohibiting or imposing financial penalties for unauthorized disclosure. Data
covered by GLB and PCI are in this class.
The Policy recognizes that other data may need to be treated as high-risk because it
would cause severe damage to the University if disclosed or modified. The data
owner (data security custodian) will make this determination. It is the data
security custodian’s responsibility to implement the necessary security
requirements should such data be considered high-risk, restricted or
confidential.
Restricted – Information assets for which there are legal requirements prohibiting or
imposing financial penalties for unauthorized disclosure.
Data covered by federal and state legislation, such as FERPA, HIPAA,
GRAMA, or the Data Protection Act, are in this class.
Confidential – Data that the University has determined should be protected because it may
expose the University to loss if disclosed, but is not protected by federal or
state legislation. For example a user ID in combination with a password is
considered to be confidential.
Public – Although there are no restrictions on disclosure to protect public data
(because the data are provided for broad viewing access), sufficient protection
must be applied to prevent unauthorized modification of such data.
General Definitions
Centralized Computer Systems - Computer hardware (including but not limited to Servers, Routers,
Switches and Access Points) and software systems (including but not limited to
Web hosts, Customized databases, University databases, and Faculty developed
software for educational purposes) maintained by the IT Division and located in
the University’s data centers.
Decentralized Computer Systems - Computer hardware (including but not limited to Servers,
Routers, Switches and Access Points) and software systems (including but not
limited to Web hosts, Customized databases, University databases, and Faculty
developed software for educational purposes) maintained by any non-IT Division
department.
Electronic Media - Electronic storage media including memory devices in computers (hard drives) and
any removable/transportable digital memory medium, such as magnetic tape or
disk, or CD (optical disk).
Frequently – At least every 90 days.
Portable equipment – Laptops, PDAs, and other removable storage devices such as flash
drives (thumb drives).
Strong Password – A password that is at least 8 characters long and is a combination of upper- and lower-case letters, numbers and special characters. Strong passwords do not include phrases, names, or other types of dictionary words.
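The two definitions above ("Strong Password" and "Frequently") are concrete enough to be checked mechanically. The following is an added example written for this page, not part of the Policy or of any University tooling, that turns them into a reusable check a data security custodian could run when provisioning accounts. The word list is a constructed stand-in (a real deployment would load a full dictionary and name list), and the choice to ignore dictionary words shorter than four characters is an assumption made to limit false positives.

```python
"""Checks for the Policy's "Strong Password" and "Frequently" definitions.

Added example, not the Policy's own text or tooling. SAMPLE_DICTIONARY and
MIN_WORD_LEN are assumptions; the length, character-class and 90-day
thresholds come from the Policy's definitions.
"""
from __future__ import annotations

import string
from datetime import date, timedelta

MIN_LENGTH = 8        # "at least 8 characters long"
ROTATION_DAYS = 90    # "Frequently - At least every 90 days"
MIN_WORD_LEN = 4      # assumption: skip very short words to avoid false positives

# Constructed stand-in for a real dictionary / common-name list (assumption).
# Matching is a case-insensitive substring test, so "Summer2024!" is rejected
# because it contains the dictionary word "summer".
SAMPLE_DICTIONARY = frozenset({
    "password", "welcome", "university", "summer", "winter", "letmein",
    "admin", "john", "smith", "qwerty", "monkey", "dragon",
})


def strength_failures(password: str, dictionary=SAMPLE_DICTIONARY) -> list[str]:
    """Return the Strong Password requirements the password fails (empty list = strong)."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    lowered = password.lower()
    hits = sorted(w for w in dictionary if len(w) >= MIN_WORD_LEN and w in lowered)
    if hits:
        failures.append("contains dictionary word(s)/name(s): " + ", ".join(hits))
    return failures


def is_strong_password(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True when the password meets every requirement of the Strong Password definition."""
    return not strength_failures(password, dictionary)


def rotation_overdue(last_changed: date | str, today: date | str,
                     max_age_days: int = ROTATION_DAYS) -> bool:
    """True when an empowered account's password is older than the "Frequently" interval.

    Dates may be passed as datetime.date objects or ISO-8601 strings (YYYY-MM-DD).
    """
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for pw in ["Summer2024!", "xK9#pq2Lm", "Sh0rt!x", "correcthorsebattery"]:
        print(f"{pw!r}: {strength_failures(pw) or 'strong'}")
    # An administrator password last changed on 2006-09-01, checked on the
    # Policy's revision date 2006-12-12, is 102 days old and therefore overdue.
    print("root password overdue:", rotation_overdue("2006-09-01", "2006-12-12"))
```

`strength_failures` reports every unmet requirement rather than a single boolean so the user can be told exactly why a password was rejected; `is_strong_password` is the yes/no form for enforcement at account creation. `rotation_overdue` applies the same 90-day definition to the Policy's requirement that administrator, root and supervisor passwords be changed frequently.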
IV. ROLES AND RESPONSIBILITIES
The persons responsible for implementing this Policy and
their respective duties and/or responsibilities with respect to this Policy are
described in Appendix A.
V. POLICY
A. CENTRALIZED / DECENTRALIZED COMPUTING SYSTEMS
· All University computing systems will comply with this Policy and the University security guidelines identified by the ISTF regardless of whether they are centralized or decentralized. These guidelines are available upon request from the University’s ISO.
· If decentralized computing systems are unable to adhere to this Policy and the University security guidelines, decentralized systems must be relocated to a centralized computing system. Division heads and/or deans may also choose to have a decentralized system relocated to the centralized computing system if desired.
B. COLLECTION OF DATA
· The collection of high-risk, restricted and confidential information, not supported by applicable law or policy or otherwise justified by legitimate University purposes, is not permitted except with notification and permission of the individual to whom the data applies.
· High-risk, restricted and confidential information must, to the extent practicable, be collected from the individual directly and not from other individuals or data sources outside the University.
· When information is obtained from data sources outside the University or other individuals, documentation or a log must be maintained of these sources.
· If providing high-risk, restricted or confidential information is purely voluntary, this fact must be communicated to the individual providing the information.
· Access to high-risk, restricted and confidential information via the University's computer system is limited to those employees who have a legitimate business reason to access and/or use such information.
· Data access control must have sufficient documentation to allow the appropriate authorized access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. This balance should be recognized.
· High-risk, restricted and confidential information, electronic or paper, should not be left in plain sight, to prevent unauthorized viewing, and must be secured when unattended.
· All users of systems that contain high-risk, restricted or confidential data must have their own user name and use a strong password. The sharing of user names and passwords is not allowed.
· The password of empowered accounts, such as administrator, root or supervisor, must be changed frequently.
· Passwords used for University access must not be the same as passwords used for personal accounts (banks, Gmail, and credit cards).
· Passwords must not be placed in emails unless they have been encrypted.
· Human Resources and IT Division will work with other departments to ensure that terminated employees have their accounts disabled upon transfer or termination. Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted by the organization’s data security custodian.
· Personnel who have administrative system access must use other non-administrative accounts for performing non-administrative tasks.
· Accessing or attempting to access other computer systems through the University network, including those external to the University, without authorization of the owner of that system, as documented in the Acceptable Use Policy (PPM 2-19), is strictly prohibited.
· Only authorized users will be permitted to remotely connect to University computer systems, networks and data repositories to conduct University related business. Such connections must be done through University approved, secure, authenticated and centrally managed methods of remote access.
· Individuals who work from remote locations are required to abide by the Standard for Secure Remote Access.
E. PHYSICAL SECURITY
· The party responsible for ensuring physical protection of all centralized computer systems is the IT Division.
· The party responsible for ensuring physical security of decentralized computer systems is the appropriate Campus Security Contact (CSC).
· At a minimum, the appropriate responsible party shall comply with University guidelines and procedures to protect physical areas with shared electronic information resources that contain high-risk, restricted and confidential information.
· Individual organizations/departments within the University are responsible for physical security for personal computers and other local electronic information resources, including portable equipment, housed within their immediate work area or under their control.
· Permanent copies of high-risk, restricted or confidential data must not be stored on portable equipment.
· High-risk, restricted or confidential data must be used only temporarily on portable equipment and then only for the duration of the necessary use and only if protective measures, such as encryption, are implemented that will safeguard the confidentiality and integrity of the data in the event of theft or loss of the portable equipment.
F. DATA SECURITY
· All desktop systems and servers that connect to the network must be protected with an approved licensed anti-virus software product that is kept updated according to the vendor’s recommendations.
· Headers of all incoming data, including electronic mail, must be scanned for viruses by the email server where such products exist and are financially feasible to implement. Outgoing electronic mail should also be scanned where such capabilities exist.
· All employees, agents, or affiliates of the University who handle high-risk, restricted or confidential data for the purpose of performing their job duties or other functions directly related to their contractual affiliation with the University are responsible for the proper handling of this data while under their control.
· The University will take reasonable and appropriate steps consistent with current technological developments to make sure that all high-risk, restricted and confidential information is secure, and to safeguard the integrity of records in storage and transmission.
· The IT Division requires that all servers must be registered before being allowed to transmit data through
· Encryption technology will be utilized for local or central storage and transmission when required by law, policy, business standards, and University guidelines.
· All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the transmitted data is classified high-risk, restricted or confidential.
· All systems connected to the Internet should have a vendor-supported version of the operating system installed, including the most recent security patches.
G. BACKUP AND RECOVERY
· Data backup and copies of data and software associated with any essential electronic information stored on centralized computer systems must be sufficient to satisfy disaster recovery requirements and must be stored at a secure, commercial site that provides standard protection. (See IT Division Continuity of Service Plan.)
· Backup and recovery procedures are required for essential data and software stored on decentralized computer systems, including desktop systems.
· Electronic media used for backup purposes must be stored in a secured physical location (not an employee’s residence).
H. SECURITY INCIDENT RESPONSE AND HANDLING
· The Incident Response guidelines outline procedures for responding to an actual or attempted unauthorized access to high-risk, restricted and confidential information. This guideline is available upon request from the University's Information Security Office function.
· Any person who becomes aware of any information security incident involving high-risk, restricted or confidential information must abide by the Information Security Incident Response Guidelines and Procedures. This guideline is available upon request from the University's Information Security Office function.
· The University will report and/or publicize unauthorized information disclosures, as required by law or specific industry requirements.
I. SERVICE PROVIDERS
Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be required to provide resources that the University determines not to provide on its own. The service provider must provide assurance that it will protect the University’s high-risk, restricted and confidential information it receives according to commercially reasonable standards and should include the following provisions within a contract:
· An explicit acknowledgment that the contract allows the contract partner access to high-risk, restricted and/or confidential information.
· A specific definition or description of the high-risk, restricted and/or confidential information being provided.
· A stipulation that the high-risk, restricted and/or confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract.
· An assurance from the contract partner that the partner will protect the high-risk, restricted and/or confidential information it receives according to commercially reasonable standards.
· A provision providing for the return or destruction of all high-risk, restricted and/or confidential information received by the contract provider upon completion or termination of the contract.
· An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles the University to terminate the contract without penalty.
· A provision ensuring that the contract's confidentiality requirements shall survive any termination agreement.
· An agreement that an audit can be performed by a University employee, for any or no reason, with the intent of ensuring the integrity and confidentiality of high-risk, restricted and/or confidential information that has been provided to a service provider.
· A provision requiring compliance certificates as proof of a service provider’s compliance with federal, state, or other industry regulations that include but are not limited to GLB and PCI.
J. TRAINING AND AWARENESS
Each new University employee will
be trained on the Acceptable Use Policy and University Information Security
Policy as they relate to individual job responsibilities. Such training
will include information regarding controls and procedures to prevent employees
from providing high-risk, restricted and confidential information to an
unauthorized individual.
K. EMPLOYEE MANAGEMENT
References must be checked and criminal background checks obtained for all new employees in compliance with the University’s background check policy.
L. MONITORING AND TESTING OF NETWORKS
· Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems, must also be enabled.
· Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected.
· Intruder detection tools must be installed where appropriate and checked on a regular basis.
· System integrity checks must be performed on all host and server systems housing high-risk, restricted or confidential University data.
· Internal and external network vulnerability scans and penetration testing will be performed on the network infrastructure on a regular basis and after any significant change in the infrastructure, application upgrade or modification (e.g., new system component installations, changes in network topology, firewall rule modifications or product upgrades).
M. PENALTIES AND ENFORCEMENT
Penalties and enforcement of this
policy will be in accordance with University policies and appropriate
disciplinary and/or legal action will be taken when warranted in any area
involving information security.
N. POLICY COORDINATION
· The University has identified the Information Security Office function to act as the coordinator of this Policy.
· The Information Security Office function will be responsible for assessing the risks associated with high-risk, restricted and confidential information and developing procedures to minimize those risks to the University.
· Internal Audit personnel will conduct reviews of areas that have access to high-risk, restricted and confidential information to verify that University departments comply with the requirements of this Policy.
O. REVIEW AND REVISION OF POLICY
· This Policy will be subject to periodic review and revision.
· Continued administration of the development, implementation and maintenance of the Information Security Policy will be the responsibility of the Information Security Task Force.
· The Information Security Office function, in consultation with the Office of University Legal Counsel, will review the standards set forth in this Policy and recommend updates and revisions as necessary.
APPENDIX A
Division Heads/College Deans - These individuals, including managers of campus auxiliary organizations, shall be responsible for oversight of their employees’ authorized use and access to high-risk, restricted and confidential information in their areas of supervision. They will:
· Ensure that the management and control of risks outlined in the Policy are adhered to by employees in their unit.
· Ensure employees’ access to high-risk, restricted and confidential data is appropriate.
· Identify the necessary Data Security Custodians and ensure they receive adequate training to perform this role.
· Provide employees with resources and methods to properly secure equipment where high-risk, restricted and confidential information is processed, stored, or handled.
· Provide employees with approved resources and methods for external data storage where high-risk, restricted and confidential information is processed, stored, or handled.
Campus Security Contact (CSC) - One or more individuals who are responsible for being the computer or technical support within a business unit, college/school, or department.
Data Security Custodian – These individuals who are responsible for business processes within their areas of supervision will:
· Implement and administer the Policy in order to protect the privacy rights of University faculty, staff, and students, and to comply with legal and policy requirements.
· Protect confidentiality and security of electronic and paper data maintained in their area.
· Define the functions for staff authorized to access confidential data and approve authorization.
· Regularly review and document employee access to high-risk, restricted and confidential data.
· Ensure that all employees receive employee/student confidentiality training as directed by the Information Security Task Force.
· Develop and implement appropriate processes to ensure employees comply with the required training.
· Provide an additional level of training for employees with access to high-risk, restricted and confidential data.
· Communicate the expectations and means for the safeguarding of high-risk, restricted and confidential information to appropriate persons and organizations.
· Ensure that risk assessments are conducted when necessary or recommended by Internal Audit.
· Provide recommendations for revisions to this Policy as appropriate.
Employees, including department chairs, faculty, staff, and student workers – These individuals:
· Shall not disclose high-risk, restricted and confidential information to unauthorized individuals.
· Shall not modify or delete high-risk, restricted and confidential information unless authorized to do so.
· Shall maintain high-risk, restricted and confidential data in a secure manner.
· Shall complete the employee/student confidentiality training.
· Shall be required to sign a University confidentiality/FERPA agreement before access is granted to high-risk, restricted and confidential data.
· Shall complete specific confidentiality training if he/she has job-related responsibilities that require access to high-risk, restricted and confidential information.
· Implement adequate security measures for computing systems containing high-risk, restricted and confidential data within his/her jurisdiction.
· Implement appropriate security strategies for both the transmission and the storage of high-risk, restricted and confidential data.
· Notify appropriate units of possible security infringements.
· Report any security breach as outlined in section “SECURITY INCIDENT RESPONSE AND HANDLING” of PPM 5-17.
· Disseminate technical guidelines related to security to the appropriate CSC.
Information Security Task Force – This group of individuals appointed by the President will:
· Review and evaluate University security issues such as current practices and the associated risks to the institution.
· Identify actions needed to address those risks through appropriate policy and associated guidelines.
· Identify new processes that are needed (for example, security incident management).
· Implement new security standards as needed.
· Disseminate general guidelines related to security to the appropriate CSC.
Information Security Office Function – This individual, appointed by the Director of Internal Audit, will:
· Assist the campus in identifying internal and external risks to the security and confidentiality of information.
· Provide guidance for handling high-risk, restricted and confidential information in the custody of the University.
· Provide guidance for the security of the equipment or data storage devices where the information is processed and/or maintained.
· Promote and encourage good security procedures and practices.
· Evaluate the effectiveness of the current safeguards for controlling these risks.
· Provide recommendations for revisions to this Plan as appropriate.
· Develop and perform random audits of departments and individuals as deemed necessary.