Information Security Policy

Policy 916

1 Introduction

1.1 Appalachian State University will develop, implement, and maintain a comprehensive Information Security Plan to help safeguard the confidentiality, integrity, and availability of campus information resources and address security requirements defined by University of North Carolina policies, state and federal laws, and relevant contractual obligations.

2 Scope

2.1 This policy applies to all Appalachian State University employees, students, and affiliates.

3 Definitions

3.1 Information Security

Information Security is the preservation of confidentiality, integrity and availability of information.

3.2 Confidentiality

Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

3.3 Availability

Availability is the property that information is accessible and usable upon demand by an authorized person or entity.

3.4 Integrity

Integrity is the property that information is accurate and complete.

3.5 Risk

In the context of Information Security, risk is the exposure to potential reduction of confidentiality, integrity, and availability of information assets such as information systems, data, user credentials, and other computing resources.

3.6 Control

A control is a means of managing risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.

3.7 Information Security Plan

The Information Security plan is a coherent set of information security policies, processes,

systems, and objectives necessary for cost-effectively managing risks related to University information assets. It is the “blueprint” for how Information Security activities shall be conducted and refined.

3.8 Information Security Program

The Information Security program represents all interrelated services, activities, and initiatives needed to meet the security objectives defined within the Information Security Plan.

3.9 Information Processing Facilities

Any information processing system, service, or infrastructure, or the physical facilities housing them.

3.10 Information Asset

Information Assets are valued physical and electronic resources that can be used to create, store, distribute, use, integrate and manipulate information.

3.11 Information Security Event

Identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

3.12 Information Security Incident

Unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

3.13 Data Maintenance

The action of managing or editing the data inside an administrative system for the purpose of doing business at the University.

3.14 Data Inquiry

The action of querying data from an environment designed for that purpose with the intent of informing and influencing decision making.

3.15 ISO

“ISO” refers to the International Organization for Standardization.

3.16 GLBA

“GLBA” refers to the Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338)

3.17 HIPAA

“HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936)

3.18 CFR

“CFR” refers to the Code of Federal Regulations.

3.19 PCI-DSS

“PCI-DSS” refers to the Payment Card Industry Data Security Standard.

4 Policy and Procedure Statements

5 Additional References

6 Authority

7 Contact Information

8 Original Effective Date

9 Revision Dates