No. 10-1 Rev. 06-10-08 Date: 04-13-04
The Information Security Policy (“Policy”) applies to all organizations within the University even though not all organizations are the same and the data needed and used by those organizations are different. The principles of academic freedom and free exchange of ideas apply to this Policy, which is not intended to limit or restrict those principles. This Policy is in accordance with federal and state laws and regulations regarding information security.
Each organization within the University must appropriately apply this Policy to make certain they are meeting the requirements regarding information security. It is recognized that the technology at some organizations may limit immediate compliance with the Policy; such instances of non-compliance must be reviewed and approved by the Information Security Office (ISO) and the Information Security Task Force (ISTF).
University Information Technology Resources are a valuable University asset and must be managed accordingly to ensure their integrity, security and availability for lawful educational purposes. This document describes policy for use by all University staff, students and users of the University’s Information Technology Resources.
Note: Throughout the Policy the terms data and information are used interchangeably.
The purpose of the Information Security Policy is to:
- Provide policy to secure High-Risk, Restricted and/or Confidential information of faculty, staff, students, and others affiliated with the University, and to prevent the loss of information that is critical to the operation of the University.
- Provide reasonable and appropriate procedures to ensure the confidentiality, integrity and availability of the University’s Information Technology Resources.
- Prescribe mechanisms which help identify and prevent the compromise of information security and the misuse of University data, applications, networks and computer systems.
- Define mechanisms which protect the reputation of the University and allow the University to satisfy its legal and ethical responsibilities with regard to its networks’ and computer systems’ connectivity to networks outside the University.
- Provide written guidelines and procedures to manage and control information considered to be High-Risk, Restricted and/or Confidential whether in electronic, paper or other forms.
- Protect the integrity and validity of University data.
- Ensure the Security and protection of High-Risk, Restricted and Confidential information in the University’s custody, whether in electronic, paper, or other forms.
This Policy covers electronic and paper-based data, defined to include, but not limited to, all information maintained, processed, or distributed by the University on primary computer systems or any subsidiary systems that contain data defined by law or policy as High-Risk, Restricted or Confidential. This Policy also applies to, but is not limited to, all faculty, staff, administrators, students, consultants, and any person or agency employed or contracted by the University or any of its auxiliary organizations who have a legitimate need to have access to University High-Risk, Restricted or Confidential information.
The unauthorized addition, modification, deletion, or disclosure of High-Risk, Restricted or Confidential information included in University data files and data systems is expressly forbidden. In certain limited circumstances, as specified in federal and state legislation, the University may disclose High-Risk, Restricted or Confidential information.
It is the Data Security Steward’s responsibility to implement the necessary Security requirements should such data be considered High-Risk, Restricted or Confidential.
High-Risk – Data that could be used to steal an individual's identity or cause harm to the individual, and for which there are legal requirements or industry standards prohibiting or imposing financial penalties for unauthorized disclosure. Data covered by the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS) are in this class.
This Policy recognizes that other data may need to be treated as High-Risk because it would cause severe damage to the University if disclosed or modified.
Restricted – Information assets for which there are legal requirements prohibiting or imposing financial penalties for unauthorized disclosure. Data covered by federal and state legislation, such as FERPA, HIPAA, GRAMA, or the Data Protection Act, are in this class.
Confidential – Data that the University has determined should be protected because it may expose the University to loss if disclosed, but is not protected by federal or state legislation.
Public – Although there are no restrictions on disclosure to protect public data (because the data is provided for broad viewing access), sufficient protection must be applied to prevent unauthorized modification of such data.
If uncertain whether or not an IT Resource contains High-Risk, Restricted or Confidential information or is a Critical IT Resource, a User must seek direction from the appropriate Data Security Steward, Legal Counsel or Information Security Office.
Centralized Computer Systems - Computer hardware (including but not limited to Servers, Routers, Switches and Access Points) and software systems (including but not limited to Web hosts, Customized databases, University databases, and Faculty developed software for educational purposes) maintained by the IT Division and located in the University’s data centers.
Critical IT Resource - An IT Resource which is required for the continuing operation of the institution and/or its colleges and departments, including any IT Resource which, if it fails to function correctly and/or on schedule, could result in a major failure of mission-critical business functions, a significant loss of funds, or a significant liability or other legal exposure.
Decentralized Computer Systems - Computer hardware (including but not limited to Servers, Routers, Switches and Access Points) and software systems (including but not limited to Web hosts, Customized databases, University databases, and Faculty developed software for educational purposes) maintained by any non-IT Division department.
Electronic Media - Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, or CD (optical disk).
Frequently – At least every 120 days.
Information Technology Resource (IT Resource) - A resource used for electronic storage, processing or transmitting of any data or information, as well as the data or information itself. This definition includes but is not limited to electronic mail, voice mail, local databases, externally accessed databases, CD-ROM, recorded magnetic media, photographs, digitized information, or microfilm. This also includes any wire, radio, electromagnetic, photo optical, photo electronic or other facility used in transmitting electronic communications, and any computer facilities or related electronic equipment that electronically stores such communications.
Portable Equipment – Laptops, PDAs, and other removable storage devices such as Flash Drives (Thumb Drives).
Security - Measures taken to reduce the risk of (a) Unauthorized Access to IT Resources, via logical, physical, managerial, or social engineering means; and/or (b) damage to or loss of IT Resources through any type of disaster, including cases where a violation of Security or a disaster occurs despite preventative measures.
Strong Password – A password that is at least 8 characters long and is a combination of upper and lower case letters, numbers and special characters. Strong passwords do not include phrases, names, or other types of dictionary words.
Unauthorized Access to IT Resources - Access to High-Risk, Restricted or Confidential Information or Critical IT Resources by a User who does not need such access to perform his/her job duties.
User – All faculty, staff, administrators, students, consultants, and any person or agency employed or contracted by the University or any of its auxiliary organizations who have a legitimate need to have access to University High-Risk, Restricted and Confidential information.
IV. ROLES AND RESPONSIBILITIES
The persons responsible for implementing this Policy and their respective duties and/or responsibilities with respect to this Policy are described in Appendix A.
A. CENTRALIZED / DECENTRALIZED COMPUTING SYSTEMS
- All University computing systems will comply with this Policy and the University Security standards or guidelines identified by the ISTF regardless of whether they are centralized or decentralized. These standards and guidelines are available upon request from the University’s ISO.
- If Decentralized Computing Systems are unable to adhere to this Policy and the University Security standards or guidelines, those decentralized systems must be relocated to a Centralized Computing System. Division Heads and/or Deans may also choose to have a Decentralized Computing System relocated to the Centralized Computing System if desired.
B. COLLECTION OF DATA
- The collection of High-Risk, Restricted and Confidential information, not supported by applicable law or policy or otherwise justified by legitimate University purposes, is not permitted except with notification and permission of the individual to whom the data applies.
- High-Risk, Restricted and Confidential information must, to the extent practicable, be collected from the individual directly and not from other individuals or data sources outside the University.
- When information is obtained from data sources outside the University or other individuals, documentation or a log must be maintained of these sources.
- If providing High-Risk, Restricted or Confidential information is purely voluntary, this fact must be communicated to the individual providing the information.
C. ACCESS CONTROL
- Access to High-Risk, Restricted and Confidential information via the University's computer system is limited to those employees who have a legitimate business reason to access and/or use such information.
- Data access control must have sufficient documentation to allow the appropriate authorized access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. This balance should be recognized.
- High-Risk, Restricted and Confidential information, electronic or paper, should not be left in plain sight, so as to prevent unauthorized viewing, and must be secured when unattended.
- All Users of systems that contain High-Risk, Restricted or Confidential data must have their own user name and use a Strong Password. The sharing of user names and passwords is not allowed.
- The password of empowered accounts, such as administrator, root or supervisor, must be changed frequently.
- Passwords used for University access must not be the same as passwords used for personal accounts (banks, Gmail, and credit cards).
- Passwords must not be placed in emails unless they have been encrypted.
- First-time passwords for new Users must be set to a unique value for each User and changed after first use.
- Human Resources and the IT Division will work with other departments to ensure that terminated employees have their accounts disabled upon transfer or termination. Since there could be delays in reporting changes in User responsibilities, periodic User access reviews should be conducted by the organization’s Data Security Steward.
- Personnel who have administrative system access must use other non-administrative accounts when performing non-administrative tasks.
- Accessing or attempting to access other computer systems through the University network, including those external to the University, without authorization of the owner of that system, as documented in the Acceptable Use Policy (PPM 10-2), is strictly prohibited.
D. REMOTE ACCESS
- Only authorized Users will be permitted to remotely connect to University computer systems, networks and data repositories to conduct University related business. Such connections must be done through University approved, secure, authenticated and centrally managed methods of remote access.
- Individuals who work from remote locations are required to abide by the Standard for Secure Remote Access.
E. PHYSICAL SECURITY
- The party responsible for ensuring physical protection of all Centralized Computing Systems is the IT Division.
- The party responsible for ensuring physical Security of Decentralized Computing Systems is the appropriate IT Specialist.
- At a minimum, the appropriate responsible party shall comply with University guidelines and procedures to protect physical areas with shared electronic information resources that contain High-Risk, Restricted and Confidential information.
- Individual Organizations/Departments within the University are responsible for physical Security for personal computers and other local electronic information resources, including portable equipment, housed within their immediate work area or under their control.
- Permanent copies of High-Risk, Restricted or Confidential data must not be stored on portable equipment.
- High-Risk, Restricted or Confidential data must only be used temporarily on portable equipment, then only for the duration of the necessary use, and only if protective measures, such as encryption, are implemented that will safeguard the confidentiality and integrity of the data in the event of theft or loss of the portable equipment.
- All University owned computing equipment that has access to University information should be documented and managed (e.g. configuration management database).
F. DATA SECURITY
- Users must not knowingly retain on personal computers, servers, or other computing devices High-Risk, Restricted or Confidential information, such as social security numbers, financial information including credit card numbers and bank information, or protected health information, including health records and medical information, except under the following conditions:
  - The User requires such High-Risk, Restricted or Confidential information to perform duties that are necessary to conduct the business of the University, or
  - The appropriate Dean, Department Chair, Vice President or Director grants documented permission to the User.
  In the event that High-Risk, Restricted or Confidential information is retained on personal computers, servers or other computing devices, the User must take reasonable precautions to secure the High-Risk, Restricted or Confidential information, e.g., implement password protection for documents that contain High-Risk, Restricted or Confidential information.
  The User must also take reasonable precautions to reduce the risk of loss of High-Risk, Restricted or Confidential data that resides on a User’s personal computer or other computing device, e.g., encrypt the data, back up critical documents on CDs or other media, or back up documents to a storage device or system, at regular intervals.
- All desktop systems and servers that connect to the network must be protected with an approved licensed anti-virus software product that is kept updated according to the vendor’s recommendations.
- Headers of all incoming data, including electronic mail, must be scanned for viruses by the email server where such products exist and are financially feasible to implement. Outgoing electronic mail should also be scanned where such capabilities exist.
- Any employee, agent, or affiliate of the University who handles High-Risk, Restricted or Confidential data for the purpose of performing their job duties or other functions directly related to their contractual affiliation with the University, is responsible for the proper handling of this data while under their control.
- The University will take reasonable and appropriate steps consistent with current technological developments to make sure that all High-Risk, Restricted and Confidential information is secure, and to safeguard the integrity of records in storage and transmission.
- The IT Division requires that all servers must be registered before being allowed to transmit data through Weber State University's firewall.
- Encryption technology will be utilized for local or central storage and transmission when required by law, policy, business standards, and University standards or guidelines.
- High-Risk, Restricted or Confidential information stored on portable devices must be protected via encryption, where feasible, to reduce the risk of unauthorized access or disclosure.
- All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the transmitted data is classified High-Risk, Restricted or Confidential.
- All systems connected to the Internet should have a vendor supported version of the operating system installed including the most recent security patches.
G. BACKUP AND RECOVERY
- Data backup and copies of data and software associated with any essential electronic information stored on Centralized Computer Systems must be sufficient to satisfy disaster recovery requirements and must be stored at a secure, commercial site that provides standard protection. (see IT Division Continuity of Service Plan)
- Backup and recovery procedures are required for essential data and software stored on Decentralized Computer Systems, including desktop systems.
- Electronic Media used for backup purposes must be stored in a secured physical location (not an employee’s residence).
- Users must take reasonable precautions to reduce the risk of loss of Critical IT Resources that reside on their personal computers or other computing devices, e.g., by backing up critical documents at regular intervals.
H. SECURITY INCIDENT RESPONSE AND HANDLING
- All suspected or actual Security breaches of University, college or departmental systems must immediately be reported to the Data Security Steward for their respective organization.
- If any High-Risk, Restricted or Confidential information (e.g. credit card information, social security numbers, etc.) has been accessed or compromised by unauthorized persons or organizations, the Data Security Steward for the respective organization must consult with the Information Security Office to assess the level of threat and/or liability posed to the University and to those whose High-Risk, Restricted or Confidential information was accessed.
- The Incident Response guidelines outline procedures for responding to an actual or attempted unauthorized access to High-Risk, Restricted and Confidential information. This guideline is available upon request from the University's Information Security Office.
- The University will report and/or publicize unauthorized information disclosures, as required by law or specific industry requirements.
I. SERVICE PROVIDERS
Due to the specialized expertise needed to design, implement, and service new technologies, vendors may be required to provide resources that the University determines not to provide on its own. The service provider must provide contractual assurance that it will protect the University’s High-Risk, Restricted and Confidential information it receives according to commercially reasonable standards.
Such contracts should be sent to Legal Counsel for review and should include appropriate terminology regarding use and protection of High-Risk, Restricted and Confidential information in accordance with the following guidelines:
- Explicit acknowledgment that the contract allows the contract partner access to High-Risk, Restricted and/or Confidential information.
- A specific definition or description of the High-Risk, Restricted and/or Confidential information being provided.
- A stipulation that the High-Risk, Restricted and/or Confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract.
- Assurance from the contract partner that the partner will protect the High-Risk, Restricted and/or Confidential information it receives according to commercially reasonable standards.
- A provision providing for the return or destruction of all High-Risk, Restricted and/or Confidential information received by the contract provider upon completion or termination of the contract.
- An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles the University to terminate the contract without penalty.
- A provision ensuring that the contract's confidentiality requirements shall survive any termination agreement.
- An agreement that an audit can be performed by a University employee, for any or no reason, with the intent of ensuring the integrity and confidentiality of High-Risk, Restricted and/or Confidential information that has been provided to a service provider.
- A provision requiring compliance certificates as proof of a service provider’s compliance with federal, state, or other industry regulations, including but not limited to GLBA and PCI DSS.
J. TRAINING AND AWARENESS
Each new University employee will be trained on the Acceptable Use Policy and University Information Security Policy as they relate to individual job responsibilities. Such training will include information regarding controls and procedures to prevent employees from providing High-Risk, Restricted and Confidential information to an unauthorized individual.
K. EMPLOYEE MANAGEMENT
References must be checked and criminal background checks obtained for all new employees in compliance with the University’s Employment of Persons with Criminal Records policy (PPM 3-5a).
L. MONITORING AND TESTING OF NETWORKS
- Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems must also be enabled.
- Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious Security intrusion is detected.
- Intrusion detection tools must be installed where appropriate and checked on a regular basis.
- System integrity checks must be performed on all host and server systems housing High-Risk, Restricted or Confidential University data.
- Internal and external network vulnerability scans and penetration testing will be performed on the network infrastructure on a regular basis and after any significant change in the infrastructure, application upgrade or modification (e.g., new system component installations, changes in network topology, firewall rule modifications or product upgrades).
M. PENALTIES AND ENFORCEMENT
Penalties and enforcement of this policy will be in accordance with University policies and appropriate disciplinary and/or legal action will be taken when warranted in any area involving information security.
N. POLICY COORDINATION
- The University has identified the Information Security Office to act as the coordinator of this Policy.
- The Information Security Office will be responsible for assessing the risks associated with High-Risk, Restricted and Confidential information and developing procedures to minimize those risks to the University.
- Internal Audit personnel will conduct reviews of areas that have access to High-Risk, Restricted and Confidential information to verify that University departments comply with the requirements of this Policy.
O. REVIEW AND REVISION OF POLICY
- This Policy will be subject to periodic review and revision.
- Continued administration of the development, implementation and maintenance of the Information Security Policy will be the responsibility of the Information Security Task Force.
- The Information Security Office, in consultation with the Office of University Legal Counsel, will review the standards set forth in this Policy and recommend updates and revisions as necessary.
Division Heads/College Deans - These individuals, including managers of campus auxiliary organizations, shall be responsible for oversight of their employees’ authorized use and access to High-Risk, Restricted and Confidential information in their areas of supervision. They will:
- Ensure that the management and control of risks outlined in the Policy are adhered to by employees in their unit.
- Ensure employees’ access to High-Risk, Restricted and Confidential data is appropriate.
- Identify the necessary Data Security Steward and ensure they receive adequate training to perform this role.
- Provide employees with resources and methods to properly secure equipment where High-Risk, Restricted and Confidential information is processed, stored, or handled.
- Provide employees with approved resources and methods for external data storage where High-Risk, Restricted and Confidential information is processed, stored, or handled.
IT Specialist - One or more individuals who are responsible for being the computer or technical support within a business unit, college/school, or department.
Data Security Steward – These individuals, who are responsible for business processes within their areas of supervision, will:
- Implement and administer the Policy in order to protect the privacy rights of University faculty, staff, and students, and to comply with legal and policy requirements.
- Protect confidentiality and Security of electronic and paper data maintained in their area.
- Define the functions for staff authorized to access Confidential data and approve authorization.
- Regularly review and document employee access to High-Risk, Restricted and Confidential data.
- Ensure that all employees receive employee/student confidentiality training as directed by the Information Security Task Force.
- Develop and implement appropriate processes to ensure employees comply with the required training.
- Provide an additional level of training for employees with access to High-Risk, Restricted and Confidential data.
- Communicate the expectations and means for the safeguarding of High-Risk, Restricted and Confidential information to appropriate persons and organizations.
- Provide recommendations for revisions to this Policy as appropriate.
Employees, including department chairs, faculty, staff, and student workers – These individuals:
- Shall not disclose High-Risk, Restricted and Confidential information to unauthorized individuals.
- Shall not modify or delete High-Risk, Restricted and Confidential information unless authorized to do so.
- Shall maintain High-Risk, Restricted and Confidential data in a secure manner.
- Shall complete the employee/student confidentiality training.
- Shall be required to sign a University confidentiality/FERPA agreement before access is granted to High-Risk, Restricted and Confidential data.
- Shall complete specific confidentiality training if they have job related responsibilities that require access to High-Risk, Restricted and Confidential information.
Network Security Administrator - This individual, within the IT Division, will:
- Implement adequate Security measures for computing systems containing High-Risk, Restricted and Confidential data within his/her jurisdiction.
- Implement appropriate Security strategies for both the transmission and the storage of High-Risk, Restricted and Confidential data.
- Notify appropriate units of possible Security infringements.
- Report any Security breach as outlined in section H “SECURITY INCIDENT RESPONSE AND HANDLING” of this policy.
- Disseminate technical guidelines related to Security to the appropriate IT Specialists.
Information Security Task Force – A group of individuals appointed by the President to review and evaluate University Security issues. The Task Force will:
- Review current practices and the associated risks to the institution.
- Determine the actions needed to address those risks through appropriate policy and associated guidelines.
- Identify new processes that are needed (for example, security incident management).
- Implement new Security standards as needed.
- Disseminate general guidelines related to Security to the appropriate IT Specialists.
- Function as the Incident Response Team:
  - Responsible for immediate response to any breach of Security.
  - Responsible for determining and disseminating remedies and preventative measures that are developed as a result of responding to and resolving security breaches.
Information Security Office – This office, within Administrative Services, will:
- Assist the campus in identifying internal and external risks to the Security and confidentiality of information.
- Provide guidance for handling High-Risk, Restricted and Confidential information in the custody of the University.
- Provide guidance for the Security of the equipment or data storage devices where the information is processed and/or maintained.
- Promote and encourage good Security procedures and practices.
- Develop and maintain Security policy, plans, procedures, strategies, best practices.
- Provide standards and guidelines consistent with University policies.
Internal Audit – Internal Audit will:
- Evaluate the effectiveness of the current safeguards for controlling these risks.
- Provide recommendations for revisions to this Policy as appropriate.
- Develop and perform random audits of departments and individuals as deemed necessary.