University Policies
Information Security Program Policy
Approved by: President
Approval Date: June 26, 2023
Revision Date: June 25, 2024
POLICY STATEMENT
This document establishes the policy for the Information Security Program at °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ (°ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼). The formation of this policy is driven by many factors, including the need to protect the availability, integrity and confidentiality of °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ data and systems. The policy sets the ground rules under which °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ shall operate and safeguard its information and information systems to reduce risk and minimize the effect of security incidents and threats in accordance with °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼’s risk appetite.
SCOPE (WHO SHOULD READ THIS POLICY)
This policy applies to all °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ information, information systems, information technology activities, and information technology assets owned, leased, controlled, or used by °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼, °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ agents, contractors, or other business partners on behalf of °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼.
This policy applies to all °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ employees, contractors, sub-contractors, and their respective facilities supporting °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ business missions, wherever °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ data is stored or processed.
POLICY
Background
In order to provide an effective framework for implementing and enforcing the Information Security Program, °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ has numerous policies and procedures to ensure the confidentiality, integrity and availability of University information and systems and to comply with the security controls included herein.
Information Technology Controls
°ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ collects, generates, and stores student, financial, employee, alumni, donor and other sensitive information. °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ is responsible and accountable to protect and ensure the confidentiality, integrity and availability of all of its data regardless of how it is created, distributed, or stored. As part of the information security program, °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ implements IT security controls designed to protect its assets in accordance with the organization’s risk appetite and in compliance with all federal and state regulations and requirements. IT security controls implemented by °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ follow the framework of Special Publication 800-171; Protecting Controlled Unclassified Information in Non-federal Systems and Organizations and recommended by the Federal Trade Commission (FTC) and the Department of Education. NIST 800-171 consists of over 100 IT controls broken into fourteen (14) control families.
NIST 800-171 Security Control Families
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, provides a framework for assessing the system security level by evaluating the potential exposure (high, moderate, low) for each of the three security objectives (confidentiality, integrity, and availability). Utilizing NIST 800-171, °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ has determined a moderate security control baseline for its assets, as recommended by the FTC and Department of Education, per NIST 800-171:
The requirements recommended for use in this publication are derived from FIPS 200 and the moderate security control baseline in SP 800-53 and are based on the CUI regulation [32 CFR 2002]. The requirements and controls have been determined over time to provide the necessary protection for federal information and systems that are covered under the Federal Information Security Management Act (FISMA).
°ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ may elect to tailor the security control baseline applied to an asset to be greater than the moderate baseline, based on the assessed level of risk, but may not apply a baseline of less than moderate unless the asset is determined to contain only data classified as public, per the definitions outlined in the Sensitive Data Handling Procedures outlined in the Administrative Procedures Handbook.
Methodology
Review
Annually, °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ will perform a risk assessment of the current IT security controls established in the °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ System Security Plans in accordance with NIST 800-171 control framework. Per the GEN-16-12 guidance issued by the Department of Education, the annual risk assessment will, at a minimum, evaluate whether °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ performs the following:
- Limit information system access to authorized users;
- Ensure that system users are properly trained;
- Create information system audit records
- Establish baseline configurations and inventories of systems;
- Identify and authenticate users appropriately;
- Establish incident-handling capabilities;
- Perform appropriate maintenance on information systems;
- Protect media, both paper and digital, containing sensitive information;
- Screen individuals prior to authorizing access;
- Limit physical access to systems;
- Conduct risk assessments;
- Assess security controls periodically and implement action plans;
- Monitor, control, and protect organizational communications; and
- Identify, report, and correct information flaws in a timely manner.
Implement
The implementation of security controls to protect °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼’s mission and business processes requires proper implementation of the System Development Life Cycle (SDLC). University Technology staff shall determine how the SDLC applies to each asset within the defined information system boundary to ensure proper security functionality is implemented to the appropriate systems and supporting infrastructure. Security controls must be implemented based on the most stringent requirement to meet all applicable regulatory requirements.
Assess
The security controls must be tested and evaluated prior to implementation to ensure the controls are working as designed. University Technology maintains a change management process to ensure changes to information assets are adequately tested and controlled prior to deployment to production. The results of the security control testing provides feedback to the effectiveness of implemented security controls to the Change Advisory Board and should be considered as a critical factor that may affect the decision to deploy a change. Approval from the University Technology CAB is an essential milestone for the security authorization of system implementation and changes to systems to assure compliance with the information security program policy.
Authorize
All new implementations and changes to existing information systems must be authorized by University Technology. The authority to operate is granted through the approval of the Change Approval Board (CAB) change management approval process. Approval to implement the information system change is based on the verified effectiveness of the security controls to °ÄÃÅÁùºÏ²ÊÀúÊ·¼Ç¼ policies and standards together with an identified risk to the organization’s operation or assets.
Monitor
Periodic or continuous testing and evaluation of security controls in an information system are required on an ongoing basis to ensure that the controls are working as designed and effective in their implementation.
Third-Party Service Providers
The university will routinely monitor and assess the information security controls implemented by its third-party service providers. The university will not enter into contract with a third party service provider without performing an assessment of its information security controls. This assessment must find that the third-party service provider has adequate information security controls that are equivalent or more stringent than those employed by the university.
Technical Risk Assessments
The university must conduct penetration testing on an annual basis and vulnerability scanning on a monthly basis. University Technology must address the findings of the penetration tests and vulnerable scans in a timely manner, commensurate with the risks/threats posed by the vulnerabilities identified.
Incident Response Plan
University technology must maintain a written incident response plan that contains processes for responding to an information security event; clear definition of roles, responsibilities and decision-making authority; a communication plan; a remediation process; documentation and reporting expectations; and requirements for testing, updating and revising the plan, as needed.
Change Management Plan
The University Technology Change Management Plan establishes, maintains, and enforces security controls throughout an information system’s life cycle. The process outlined in the plan is considered holistically to encompass the security authorization of information system changes and implementations. University Technology must maintain the plan, including updating and revising the plan, as needed.
Exceptions
The university must document and formally accept the risk associated with any identified gaps in control implementation or failures to meet university policies/processes if the university is unable to address the failure within one year of identification. If the university is able to address the gap within a year, the control failure/gap must be tracked utilizing a corrective action plan.
RESPONSIBILITIES (Implementation and Enforcement)
The university shall appoint a designated qualified individual responsible for overseeing and implementing and enforcing the information security program. The qualified individual is responsible to report regularly to the CIO and Director of Internal Audit the effectiveness of the information security program. Additionally, the qualified individual is responsible to provide an annual written report to the Board of Trustees of the information security program effectiveness.
Connect with us: