Information Security Policy
Latest revision as of 14:34, 14 December 2020
Policy 903
Introduction
The purpose of this policy is to outline the framework for the University’s comprehensive Information Security Program to help safeguard the confidentiality, integrity, and availability of campus Information Resources, and comply with federal and state law, and UNC System policies.
Scope
This policy applies to all Appalachian State University employees, students, vendors and visitors.
Definitions
Information Security
- The preservation of the confidentiality, integrity and availability of Information Resources and Institutional Data.
Information Security Program
Policies, assessments, protocols, and training designed to govern the security of Information Resources.
Information Resources
Same meaning as defined in Appalachian Policy 901 - Information Technology Governance Policy.
Control
- The management of risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.
Information Security Event
- An identified occurrence of a system, service, or network state indicating a possible breach of Information Security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
Information Security Incident
- An unwanted or unexpected Information Security Event that has a significant probability of compromising business operations and threatening Information Security.
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
Independent international organizations responsible for the creation of industry technical and administrative security standards.
Policy and Procedure Statements
Information Security Program
The University shall develop, implement, and maintain a comprehensive Information Security Program (the “Program”). The Program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the Program will be guided by the following elements:
- ISO/IEC 27002 - The Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the UNC System;
- Legal, Contractual, and Policy Requirements - In relation to the management and protection of Information Resources, the University shall conduct all business in accord with relevant federal and state law, and UNC System policies; and
- Proactive Risk Management - The Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University Information Resources.
Governance, Coordination, and Security Services
4.2.1 Board of Trustees Audit Committee
Appalachian’s Board of Trustees Audit Committee will review and provide oversight of Information Security on at least an annual basis including, but not limited to, emerging Information Security matters, institutional Program activities, information technology security Controls, and risk assessments.
4.2.2 Information Security Advisory Council
To ensure the Program is aligned with the University’s mission, values, and operational needs, the Chancellor will appoint a University Information Security Advisory Council to oversee the collaborative development of the Program and associated policies, major initiatives, and campus security solutions.
4.2.3 Information Security Liaisons
To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.
4.2.4 ITS - Office of Information Security
The ITS Office of Information Security shall be responsible for providing Information Security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.
Roles and Responsibilities
4.3.1 Shared Responsibilities
Information Security is a shared responsibility. All employees, students, visitors and vendors of the University share in the responsibility to help protect University Information Resources. The roles and responsibilities for University Information Security include:
4.3.2 Chancellor and Chancellor’s Cabinet
The Chancellor and Chancellor’s Cabinet shall be responsible for:
- Approval of the University’s Information Security policy;
- Providing executive oversight and support of the Information Security Program;
- Providing guidance concerning institutional risk tolerance levels;
- Providing resources to meet approved security objectives; and
- Periodically reviewing the University’s Information Security posture.
4.3.3 The Chief Information Officer
The Chief Information Officer shall be responsible for oversight of Information Security in accordance with UNC System policies, and has authority and accountability for:
- The campus-wide adoption, implementation, and enforcement of the Information Security Program;
- Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of Information Resources;
- Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees Audit Committee; and
- Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to meet the objectives listed elsewhere in this policy.
4.3.4 Chief Information Security Officer
The Chief Information Security Officer shall be responsible for:
- Leading the development and execution of the Program;
- Facilitating Information Security governance and collaboration;
- Advising the Chief Information Officer and senior leadership on security needs and resource investments; and
- Development of Information Security policies, standards, and guidelines.
4.3.5 Deans and Department Heads
Deans and Department Heads shall be responsible for:
- Ensuring that units adhere to Information Security policies and standards; and
- Ensuring that reporting staff receive any required security training.
4.3.6 University Employees and Students
All University employees and students shall be responsible for:
- Awareness and adherence to Information Security policies, standards, and guidelines;
- Attending any required Information Security training; and
- Prompt reporting of Information Security Events and Incidents to Information Technology Services.
4.3.7 Vendors
Vendors shall be responsible for complying with all federal and state laws, UNC System policies, Appalachian policies, and contractual obligations with the University concerning the protection of Information Resources and information technology.
Additional References
- Appalachian Policy 503.8 - Payment Card Services Policy
- Appalachian Policy 901 - Information Technology Governance Policy
- Appalachian Policy 902 - Data Governance Policy
Authority
- Enterprise Password Management Standard (https://security.appstate.edu/sites/security.appstate.edu/files/enterprisepasswordstandard.pdf)
- Information Security Risk Management Standard (http://security.appstate.edu/sites/security.appstate.edu/files/Standards/RiskManagementStandard.pdf)
- Secure Data Handling Standards (https://its.appstate.edu/data-governance/secure-data-handling-standard)
- Payment Card Industry Data Security Standard (https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss-)
- UNC Policy Manual, Chapter 100.1, Section 502s (https://www.nccu.edu/formsdocs/proxy.cfm?file_id=3561)
- UNC Policy Manual - 1400.2 Information Security (https://www.northcarolina.edu/apps/policy/index.php?pg=dl&id=19846&format=pdf&inline=1)
- Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338), 16 CFR Part 314 (https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act)
- Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936), 45 CFR Part 164 (http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf)
Contact Information
- Office of the Chief Information Officer (828-262-6278)
- Chief Information Security Officer (828-262-6277)
Original Effective Date
- March 16, 2015
Revision Dates
- November 28, 2018
- December 7, 2020