无码专区

Definitions

Confidential Information is a classification for systems or data that, if made available to unauthorized parties, may adversely affect individuals or the university.  This classification includes information required to be protected from disclosure by law or industry regulation (i.e. PII, student data, financial data, medical data, etc.)  This classification may also be applied to information systems with access to confidential data, or systems designated as 鈥淗igh Risk鈥�.

Personal Identifiable Information (PII) is any information about an individual maintained by an agency, including: 

(1) any information that can be used to distinguish or trace an individual鈥榮 identity, such as name, social security number, date and place of birth, mother鈥榮 maiden name, or biometric records; and 

(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Protected information refers to systems or data classified as Confidential or Restricted used in university operations where the confidentiality, integrity, or availability must be protected from disclosure as required by law, regulation, university policy, or moral obligation.

Restricted Information is a classification for systems or data used to conduct university business not intended for public disclosure nor classified as confidential (i.e. intellectual property, software licenses, information relating to contractual obligations, etc.).

 

Purpose

The information security program contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the university to: 

• Ensure the confidentiality, integrity, and availability of protected information the university collects, creates, uses, and maintains.
• Protect against any anticipated threats to the confidentiality, integrity, and availability of protected information.
• Protect against unauthorized access to or use of the university鈥檚 protected information that could result in substantial harm to the university or any individual entrusting their personal information to the university.

Scope

The scope of this program includes all information systems and technology resources used and/or collected by the university, including third party systems used to store, process, or transmit university data.

Organization and Governance

无码专区 Board of Governors Policy 1.2.040 provides authority to the university president to delegate authority to the Chief Information Officer (CIO) to take prudent steps to secure the university鈥檚 information technology resources.

The CIO delegated responsibility for information security to the Information Security Officer (ISO) to develop a strategic plan for information security to set priorities for how to address the management, control, and protection of the university鈥檚 information assets.

The Vice President for Finance and Operations oversees Accounting Services, Budget and Finance, Human Resources, University Analytics and Institutional Research, Office of Technology, and Facilities Planning and Operations. The CIO reports to the Vice President for Finance and Operations and provides a review of security measures as they relate to those areas.

Roles and Responsibilities

The following key roles are assigned to individuals responsible for management of 无码专区鈥檚 information system security program, coordination among organizational entities, and compliance.

Vice President for Finance and Operations: Senior university official responsible for reporting the status and material matters of the Information Security Program to the Board of Governors.

Chief Information Officer (CIO): Responsible for designating an individual to manage the university鈥檚 information security program and providing resources necessary to ensure successful implementation of the program.

Information Security Officer (ISO): Responsible for management and oversight of the information security program to ensure the confidentiality, integrity, and availability of the university鈥檚 information systems and data.

 

Out of Scope Systems

Information Systems owned and operated by third party organizations and students may operate on the university network and are responsible for adhering to 无码专区鈥檚 Acceptable Use Policy.  Information security of these systems and the data they collect and store is the sole responsibility of the respective organizations and users.

Risk Assessment

This program is based on a risk assessment that identifies reasonably foreseeable internal and external risks to the confidentiality, integrity, and availability of protected information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.

Security Policies and Standards

The ISO shall develop information security policies, standards, and procedures based on guidance from the National Institute for Standards and Technology (NIST) Special Publication (SP) 800-171 鈥淧rotecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations鈥�.  These policies and standards formally establish the university鈥檚 information security program and set forth employee responsibility to protect the university鈥檚 information systems. Policies and standards are located in the University Policy Library and the Office of Technology Information Security webpage.

Safeguards

The ISO shall design and implement safeguards to control risks identified through risk assessment, including:

• Implement and periodically review access controls, including technical and, as appropriate, physical controls to:
  • Authenticate and permit access to protected information to only authorized users.
  • Limit authorized users鈥� access to protected information only as necessary to perform their duties or functions.
• Identify and manage the data, personnel, devices, systems, and facilities that enable the university to achieve its mission in accordance with their relative importance to the university鈥檚 objectives and risk management strategy.
• Encrypt protected information in-transit and at-rest; or implement compensating controls as approved by the ISO.
• Adopt secure development practices for in-house developed applications for transmitting, accessing, or storing protected information and procedures for evaluating, assessing, or testing the security of externally developed applications utilized to transmit, store, or access protected information.
• Implement multi-factor authentication for any individual accessing any information system transmitting, accessing, or storing protected information, unless the ISO has approved in writing the use of reasonably equivalent or more secure access controls.
• Securely dispose of confidential information no later than two years after the last date the information is used, unless retention of such information is necessary for university operations or other legitimate purpose, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
• Adopt procedures for change management.
• Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, protected information by such users.

Security Assessment

The ISO shall periodically test and monitor the effectiveness of Safeguards鈥� key controls, systems, and procedures, including those to detect actual or attempted attacks on, or intrusions into, information systems.

Vulnerability assessments shall be conducted periodically, at least every six months; and whenever there are material changes to operations or business arrangements; and whenever there are circumstances that may have a material impact on the information security program.  Identified vulnerabilities shall be remediated in a timely manner based on the severity of the vulnerability.

Information systems containing confidential information shall be subject to penetration testing at least annually based on relevant identified risks in accordance with the risk assessment.

Awareness and Training

The ISO shall implement an Information Security Awareness and Training program to make employees and students aware of risks to personal and institutional information and information technology, and to provide them with the skills and knowledge necessary to avoid those risks.

The training program shall include role-based training to users who manage confidential information and to security practitioners sufficient to address security risks and maintain current knowledge of changing information security threats and countermeasures.

Service Providers

The university shall take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for confidential information.

Any person or entity external to the university that receives, maintains, processes, or otherwise is permitted access to confidential information used in support of the university mission shall be required by contract to implement appropriate safeguards to protect the information from unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.

Periodic assessments of service providers shall be performed based on the risk they present and the continued adequacy of their safeguards.

Incident Response

The ISO shall establish a written Incident Response Plan to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of confidential information in the university鈥檚 control.

Reporting

The ISO shall report in writing, semi-annually, to the CIO.  The Vice President of Finance and Operations shall report, at least annually, to the board of Governors.  The report shall include the following information: 

(1) The overall status of the information security program and compliance with legal or regulatory requirements; and 

(2) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.

Program Review

The ISO shall review the information security program periodically to make necessary changes based upon results of testing and monitoring, changes to operations, results of risk assessments, or any other circumstances that impact the information security program.