Information Security Policy: Difference between revisions

From Appalachian State University Policy Manual
(65 intermediate revisions by 3 users not shown)
Line 1: Policy 916 → Policy 903
== Introduction ==
The purpose of this policy is to outline the framework for the University’s comprehensive Information Security Program to help safeguard the confidentiality, integrity, and availability of campus Information Resources, and comply with federal and state law, and UNC System policies.
== Scope ==
This policy applies to all Appalachian State University employees, students, vendors and visitors.
== Definitions ==
=== Information Security ===
:The preservation of the confidentiality, integrity and availability of Information Resources and Institutional Data.
=== Information Security Program ===
:Policies, assessments, protocols, and training designed to govern the security of Information Resources.
=== Information Resources ===
:Same meaning as defined in [[Information Technology Governance Policy|Appalachian Policy 901 - IT Governance Policy]].
=== Control ===
:The management of risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.
=== Information Security Event ===
:An identified occurrence of a system, service, or network state indicating a possible breach of Information Security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
=== Information Security Incident ===
:An unwanted or unexpected Information Security Event that has a significant probability of compromising business operations and threatening Information Security.
=== International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) ===
:Independent international organizations responsible for the creation of industry technical and administrative security standards.
== Policy and Procedure Statements ==
=== Information Security Program ===
The University shall develop, implement, and maintain a comprehensive Information Security Program (the “Program”). The Program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:
<ol>
<li style="list-style-type:lower-alpha">ISO/IEC 27002 - The Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the UNC System;</li>
<li style="list-style-type:lower-alpha">Legal, Contractual, and Policy Requirements - In relation to the management and protection of Information Resources, the University shall conduct all business in accord with relevant federal and state law, and UNC System policies; and</li>
<li style="list-style-type:lower-alpha">Proactive Risk Management - The Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University Information Resources.</li>
</ol>
=== Governance, Coordination, and Security Services ===
'''4.2.1 Board of Trustees Audit Committee'''
Appalachian’s Board of Trustees Audit Committee will review and provide oversight of Information Security on at least an annual basis including, but not limited to, emerging Information Security matters, institutional Program activities, information technology security Controls, and risk assessments.
'''4.2.2 Information Security Advisory Council'''
To ensure the Program is aligned with the University’s mission, values, and operational needs, the Chancellor will appoint a University Information Security Advisory Council to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.
'''4.2.3 Information Security Liaisons'''
To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.
'''4.2.4 ITS - Office of Information Security'''
The ITS Office of Information Security shall be responsible for providing Information Security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.
=== Roles and Responsibilities ===
'''4.3.1 Shared Responsibilities'''
Information Security is a shared responsibility. All employees, students, visitors and vendors of the University share in the responsibility to help protect University Information Resources. The roles and responsibilities for University Information Security include:
'''4.3.2 Chancellor and Chancellor’s Cabinet'''
The Chancellor and Chancellor’s Cabinet shall be responsible for:
<ol><li style="list-style-type:lower-alpha">Approval of the University’s Information Security policy;</li>
<li style="list-style-type:lower-alpha">Providing executive oversight and support of the Information Security Program;</li>
<li style="list-style-type:lower-alpha">Providing guidance concerning institutional risk tolerance levels;</li>
<li style="list-style-type:lower-alpha">Providing resources to meet approved security objectives; and</li>
<li style="list-style-type:lower-alpha">Periodically reviewing the University’s Information Security posture.</li>
</ol>
'''4.3.3 The Chief Information Officer'''
The Chief Information Officer shall be responsible for oversight of Information Security in accordance with UNC System policies, and has authority and accountability for:
<ol><li style="list-style-type:lower-alpha">The campus-wide adoption, implementation, and enforcement of the Information Security Program;</li>
<li style="list-style-type:lower-alpha">Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of Information Resources;</li>
<li style="list-style-type:lower-alpha">Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees Audit Committee; and</li>
<li style="list-style-type:lower-alpha">Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to meet the objectives listed elsewhere in this policy.</li></ol>
'''4.3.4 Chief Information Security Officer'''
The Chief Information Security Officer shall be responsible for:
<ol><li style="list-style-type:lower-alpha">Leading the development and execution of the Program;</li>
<li style="list-style-type:lower-alpha">Facilitating Information Security governance and collaboration;</li>
<li style="list-style-type:lower-alpha">Advising the Chief Information Officer and senior leadership on security needs and resource investments; and</li>
<li style="list-style-type:lower-alpha">Development of Information Security policies, standards, and guidelines.</li></ol>
'''4.3.5 Deans and Department Heads'''
Deans and Department Heads shall be responsible for:
<ol><li style="list-style-type:lower-alpha">Ensuring that units adhere to Information Security policies and standards; and</li>
<li style="list-style-type:lower-alpha">Ensuring that reporting staff receives any required security training.</li></ol>
'''4.3.6 University Employees and Students'''
All University employees and students shall be responsible for:
<ol><li style="list-style-type:lower-alpha">Awareness and adherence to Information Security policies, standards, and guidelines;</li>
<li style="list-style-type:lower-alpha">Attending any required Information Security training; and</li>
<li style="list-style-type:lower-alpha">Promptly reporting Information Security Events and Incidents to Information Technology Services.</li></ol>
'''4.3.7 Vendors'''
Complying with all federal and state laws, UNC System policies, Appalachian policies, and contractual obligations with the University concerning the protection of information resources and information technology.


== Additional References ==
:[[Payment Card Services Policy|Appalachian Policy 503.8 - Payment Card Services Policy]]
:[[Information Technology Governance Policy|Appalachian Policy 901 - Information Technology Governance Policy]]
:[[Data_Governance|Appalachian Policy 902 - Data Governance Policy]]
== Authority ==
#[https://security.appstate.edu/sites/security.appstate.edu/files/enterprisepasswordstandard.pdf Enterprise Password Management Standard]
#[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/RiskManagementStandard.pdf Information Security Risk Management Standard]
#[https://its.appstate.edu/data-governance/secure-data-handling-standard Secure Data Handling Standards]
#[https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss- Payment Card Industry Data Security Standard]
#[https://www.nccu.edu/formsdocs/proxy.cfm?file_id=3561 UNC Policy Manual, Chapter 100.1, Section 502s]
#[https://www.northcarolina.edu/apps/policy/index.php?pg=dl&id=19846&format=pdf&inline=1 UNC Policy Manual - 1400.2 Information Security]
#[https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314]
#[http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164]
== Contact Information ==
:Office of the Chief Information Officer (828-262-6278)
:Chief Information Security Officer (828-262-6277)


== Original Effective Date ==
:March 16, 2015


== Revision Dates ==
:November 28, 2018
:December 7, 2020
[[Category:Contents]]
[[Category:Information Technology]]

Latest revision as of 14:34, 14 December 2020
