Information Security Policy: Difference between revisions

From Appalachian State University Policy Manual
 
(36 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Policy 903
Policy 903
== Introduction ==
== Introduction ==
1.1 Appalachian State University will develop, implement, and maintain a comprehensive Information Security Program to help safeguard the confidentiality, integrity, and availability of campus information resources and address security requirements defined by University of North Carolina policies, state and federal laws, and relevant contractual obligations.
The purpose of this policy is to outline the framework for the University’s comprehensive Information Security Program to help safeguard the confidentiality, integrity, and availability of campus Information Resources, and comply with federal and state law, and UNC System policies.


== Scope ==
== Scope ==
2.1 This policy applies to all Appalachian State University employees, students, and affiliates.
This policy applies to all Appalachian State University employees, students, vendors and visitors.


== Definitions  ==
== Definitions  ==
=== Information Security ===
=== Information Security ===
:Information Security is the preservation of confidentiality, integrity and availability of information.
:The preservation of the confidentiality, integrity and availability of Information Resources and Institutional Data.


=== Confidentiality ===
=== Information Security Program ===
:Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Policies, assessments, protocols, and training designed to govern the security of Information Resources.


=== Availability ===
=== Information Resources ===
:Availability is the property that information is accessible and usable upon demand by an authorized person or entity.
Same meaning as defined in [[Information Technology Governance Policy|Appalachian Pollicy 901 - IT Governance Policy]].
 
=== Integrity ===
:Integrity is the property that information is accurate and complete.
 
=== Risk ===
:In the context of Information Security, risk is the exposure to potential reduction of confidentiality, integrity, and availability of information assets such as information systems, data, user credentials, and other computing resources.


=== Control ===
=== Control ===
:A control is a means of managing risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.
:The management of risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.
 
=== Information Security Program ===
"“Information Security Program” means policies, assessments, protocols, and trainings designed to govern the storage, accessibility, and security of information resources. (UNC Information Security Policy 1400.2, Section IIA)
 
===  Information Processing Facilities ===
:Any information processing system, service, or infrastructure, or the physical facilities housing them.
 
=== Information Resources ===
:“Information resources” means information owned or possessed by the University, or related to business of the University, regardless of form or location, and the hardware and software resources used to electronically store, process, or transmit that information.  


=== Information Security Event ===
=== Information Security Event ===
:Identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
:An identified occurrence of a system, service, or network state indicating a possible breach of Information Security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
 
=== Information Security Incident ===
:Unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
 
=== Data Maintenance ===
:The action of managing or editing the data inside an administrative system for the purpose of doing business at the University.


=== Data Inquiry ===
=== Information Security Incident ===
:The action of querying data from an environment designed for that purpose with the intent of informing and influencing decision making.
:An unwanted or unexpected Information Security Event that has a significant probability of compromising business operations and threatening Information Security.


=== ISO ===
=== International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) ===
:“ISO” refers to the International Organization for Standardization.
Independent international organizations responsible for the creation of industry technical and administrative security standards.
 
=== GLBA ===
"“GLBA” refers to the Gramm-Leach-Bliley Act. ([https://www.gpo.gov/fdsys/pkg/PLAW-106publ102/content-detail.html Public Law 106-102; 113 Stat. 1338])
 
=== HIPAA ===
:“HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996. ([https://www.gpo.gov/fdsys/pkg/PLAW-104publ191/content-detail.html Public Law 104-191; 110 Stat. 1936])
 
=== CFR ===
:“CFR” refers to the Code of Federal Regulations.
 
=== PCI-DSS ===
:“PCI-DSS” refers to the Payment Card Industry Data Security Standard.
 
=== University ===
:“University” means Appalachian State University.


== Policy and Procedure Statements  ==
== Policy and Procedure Statements  ==
=== Information Security Plan ===
=== Information Security Program ===
Consistent with the roles and responsibilities outlined in this policy (4.3), Appalachian State University shall develop, implement, and maintain a comprehensive Information Security Plan. This plan will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:
The University shall develop, implement, and maintain a comprehensive Information Security Program (the “Program”). The Program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:
 
<ol>
4.1.1 ISO/IEC 27002 - Appalachian State University's Information Security Plan shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the University of North Carolina (UNC) system.
<li style="list-style-type:lower-alpha">ISO/IEC 27002 - The Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the UNC system;</li>
 
<li style="list-style-type:lower-alpha">Legal, Contractual, and Policy Requirements - In relation to the management and protection of Information Resources, the University shall conduct all business in accord with relevant federal and state law, and UNC System policies; and</li>
4.1.2 Legal, Contractual, and Policy Requirements - In relation to the management and protection of information resources, Appalachian State University shall conduct all business in accord with relevant University of North Carolina policies, state laws, federal laws, and contractual requirements.
<li style="list-style-type:lower-alpha">Proactive Risk Management - The Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University Information Resources.</li>
 
</ol>
4.1.3 Proactive Risk Management - The development of the University Information Security Plan shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University information resources.


=== Governance, Coordination, and Security Services ===
=== Governance, Coordination, and Security Services ===


4.2.1 Information Security Advisory Council - To ensure the Information Security Plan is aligned to the University mission, values, and operational needs, a University Information Security Advisory Council will be formed to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.
'''4.2.1 Board of Trustees Audit Committee'''


4.2.2 Information Security Liaisons - To ensure that campus units are informed about security initiatives, practices, and requirements, university units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.
Appalachian’s Board of Trustees Audit Committee will review and provide oversight of Information Security on at least an annual basis including, but not limited to, emerging Information Security matters, institutional Program activities, information technology security Controls, and risk assessments.


4.2.3 ITS - Office of Information Security  - The ITS Office of Information Security shall be responsible for providing information security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.
'''4.2.2 Information Security Advisory Council'''


=== Roles and Responsibilities ===
To ensure the Program is aligned with the University’s mission, values, and operational needs, the Chancellor will appoint a University Information Security Advisory Council to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.
Information Security is a shared responsibility.  All employees of Appalachian State University share in the responsibility to help protect University information resources.


The roles and responsibilities for University Information Security include:
'''4.2.3 Information Security Liaisons'''


4.3.1 Chancellor and Chancellor’s Cabinet - The Chancellor and Chancellor’s Cabinet shall be responsible for:
To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.
#Approval of University Information Security policy.
#Providing executive oversight and support of information security plan.
#Providing guidance concerning institutional risk tolerance levels.
#Providing resources to meet approved security objectives.
#Periodically reviewing the University’s information security posture.


4.3.2 The Chief Information Officer - The Chief Information Officer shall be responsible for:
'''4.2.4 ITS - Office of Information Security'''
#Monitoring the effectiveness of the information security program.
#Maintaining alignment of IT services with institutional risk tolerance levels.
#Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet.


4.3.3 Chief Information Security Officer - The Chief Information Security Officer shall be responsible for:
The ITS Office of Information Security shall be responsible for providing Information Security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.
#Leading the development and execution of the University security program.
#Facilitating information security governance and collaboration.
#Advising senior leadership on security needs and resource investments.
#Development of information security policies, standards, and guidelines.


4.3.4 Deans and Department Heads - Deans and Department Heads shall be responsible for:
=== Roles and Responsibilities ===
#Ensuring that units adhere to information security policies and standards.
#Ensuring that reporting staff receives any required security training.
#Ensuring security liaisons are appointed for all reporting units (see below).
 
4.3.5 Information Security Liaisons - University Security Liaisons shall be responsible for:
#Acting as central point of contact for security efforts and issues.
#Periodically meeting with the ITS-OIS staff for awareness and updates.
#Providing feedback to ITS-OIS staff on information security improvements.
#Periodically reporting regarding unit’s security status and compliance with relevant policies and standards.


4.3.6  University Employees - All University employees shall be responsible for:
'''4.3.1 Shared Responsibilities'''
#Awareness and adherence to information security policies and standards.
#Attending any required information security training.
#Prompt reporting of potential information security incidents to Office of Information Security without delay.


=== Key Control Requirements ===
Information Security is a shared responsibility. All employees, students, visitors and vendors of the University share
To address relevant policy, legal, and contractual obligations, the following key security control requirements will be addressed through existing controls, compensating controls, or prioritized implementation planning consistent with available resources.
in the responsibility to help protect University Information Resources. The roles and responsibilities for University
Information Security include:


4.4.1 Risk Management
'''4.3.2 Chancellor and Chancellor’s Cabinet'''
#Regular identification and analysis of risks will be performed for information assets identified as having a high level of importance (see 4.4.3c).
#Risk treatment options, including any cost-effective controls, will be analyzed and identified.
#Appreciable risks and treatment options will be communicated on a regular basis for decision review. ''Reference:  ISO 27002:2013-6.1.1; GLBA-16 CFR §314.4; HIPAA-45 CFR §164.308(a)(1)(ii)(A); PCI-DSS 3.0-12.2''


4.4.2 Human Resource Security
The Chancellor and Chancellor’s Cabinet shall be responsible for:
#Screening/Background Checks - Prospective employees who receive an offer of employment will be vetted via a background check including a criminal background investigation. ''Reference: ISO 27002:2013-7.1.1; HIPAA-45 CFR §164.308(a)(3)(ii)(B); PCI-DSS 3.0-12.7''   
<ol><li style="list-style-type:lower-alpha">Approval of the University’s Information Security policy;</li>
#Security Awareness Training - All University employees will receive regular security awareness training in addition to any specific training associated with job responsibilities and employee roles. ''Reference: ISO 27002:2013-7.2.2, PCI-DSS 3.0-12.6''
<li style="list-style-type:lower-alpha">Providing executive oversight and support of the Information Security Program;</li>
#Disciplinary Process - Employee disciplinary processes will include applicable provisions to cover any egregious violations of approved information security policies or requirements. ''Reference: ISO 27002:2013 - 7.2.3; HIPAA: 45 CFR §164.308(a)(1)(ii)(C)''
<li style="list-style-type:lower-alpha">Providing guidance concerning institutional risk tolerance levels;</li>
#Termination of Employment - Access to University information resources, work areas, and processing facilities will be revoked and assets returned upon full termination of employment with University. ''Reference: ISO 27002:2013-7.3, 8.1.4; HIPAA: 45 CFR § 164.308(a)(3)(ii)(C); PCI-DSS 3.0: 8.1.3; 9.3''
<li style="list-style-type:lower-alpha">Providing resources to meet approved security objectives; and</li>
<li style="list-style-type:lower-alpha">Periodically reviewing the University’s Information Security posture.</li>
</ol>


4.4.3 Asset Management
'''4.3.3 The Chief Information Officer'''
#Data Governance - All institutional data will be considered the property of Appalachian State University and will be treated as an asset. A data management structure will be established that defines responsibilities for secure and effective management of institutional data.
#Data Classification - University will adopt a consistent data classification scheme that takes into account associated business needs and risks related to sharing or restricting information. ''Reference: ISO 27002:2013-8.2''
#Acceptable Use and Security Requirements- Appropriate utilization of University information assets will be clearly defined, including secure practices for handling data classified as sensitive.  ''Reference: ISO 27002:2013-8.1.3,8.2.3''
#Inventory of Important Assets - An inventory of all information assets that have a high level of importance will be maintained and indicate their owner, location, and management information. ''Reference: ISO 27002:2013-8.1.1,8.1.2; HIPAA-45 CFR-§164.310(d)(2)(iii)''
#Information Asset Transfer and Destruction - Information assets will be reliably transferred and any data they contain rendered unreadable prior to transfer to another employee, sale or other disposition. ''Reference: ISO 27002:2013-8.1.4,8.3.2,11.2.7; HIPAA-45 CFR -§164.310(d)(2)(i),§164.310(d)(2)(ii), PCI-DSS 3.0-9.8''


4.4.4 Access Control
The Chief Information Officer shall be responsible for oversight of Information Security in accordance with UNC System
#Role Based Access Control - University information asset owners will define appropriate roles associated with the fulfillment of legitimate business needs. These roles should be defined based on two functions.
policies, and has authority and accountability for:
##Data Maintenance Roles -  The access for data maintenance in administrative systems will be determined based on the employee position and location, and will be governed by the business requirements.
##Data Inquiry Roles:  The access for data inquiry will be determined by the required data set and associated data classification level, and will be governed by the data steward assigned the requested data set. These roles will have associated access control rules, access rights, and restrictions that provide a sufficient degree of access needed to efficiently accomplish these business needs. Assignments to these roles should be periodically reviewed. ''Reference: ISO 27002:2013-9.1; HIPAA-45 CFR-§164.312(a)(1); PCI-DSS 3.0 -7.1''
#Network Access Control - Local and remote access to University networks and information  services will be limited to authorized individuals with legitimate business needs. ''Reference: ISO 27002:2013-9.1.2; HIPAA-45 CFR-§164.312(a)(1); PCI-DSS 3.0 9.1.2''
#User Access Management - Formal user provisioning and deprovisioning processes will be implemented to ensure that creation of new accounts is authorized, users are uniquely identified, redundant userIDs are periodically removed, and that userIDs are disabled when no longer required.  ''Reference: ISO 27002:2013-9.2.1,9.2.2; HIPAA-45 CFR-§164.312(a)(2)(i),§164.312(a)(2)(d); PCI-DSS 3.0-8.1.2''
#Management of Privileged Access - Privileged access rights will be appropriately evaluated, approved, periodically reviewed, and limited to only those users and applications with legitimate and sufficient business need. ''Reference: ISO 27002:2013-9.2.3; PCI-DSS 3.0-7.1''
#Password Management - Passwords used to access University resources will be established and managed in a formally approved and consistently secure manner. ''Reference: ISO 27002:2013-9.2.4, HIPAA-45 CFR §164.308(a)(5)(ii)(D)''
#Secure Logon - Common secure logon practices will be defined and implemented to ensure that means of access to University systems and applications effectively minimize the risks of unauthorized access threats.  ''Reference: ISO 27002:2013-9.4.2;HIPAA-45 CFR -§164.312(a)(2)(iii)''
#Source Code Control - Access to program source code for University systems will be strictly controlled to authorized individuals only. ''Reference: ISO 27002:2013-9.4.5''


4.4.5 Cryptographic Security
<ol><li style="list-style-type:lower-alpha">The campus-wide adoption, implementation, and enforcement of the Information Security Program;</li>
#Use of Cryptographic Controls - University information systems will utilize cryptographic controls to address appreciable risks related to the confidentiality and integrity of sensitive information and non-repudiation of electronic transactions with University systems. ''Reference: ISO 27002:2013-10.1.1;HIPAA-45 CFR -§164.312(a)(2)(e);PCI DSS 3.0-3.4''
<li style="list-style-type:lower-alpha">Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of Information
#Key Management - University cryptographic keys will be generated, stored, and managed in a secure and approved manner. ''Reference: ISO 27002:2013-10.1.2;PCI-DSS 3.0-3.5,3.6''
Resources;</li>
<li style="list-style-type:lower-alpha">Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees
Audit Committee; and</li>
<li style="list-style-type:lower-alpha">Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to
meet the objectives listed elsewhere in this policy.</li></ol>


4.4.6 Physical and Environmental Security
'''4.3.4 Chief Information Security Officer'''
#Physical Security Perimeters - Information processing facilities and other secure areas will have well defined physical boundaries and implement sufficient physical barriers and restrictions to prevent unauthorized entry and physical access. ''Reference: ISO 27002:2013-11.1.1; HIPAA-45 CFR §164.310(a)(1); PCI-DSS 3.0-9.1;,9.4''
#Physical Entry Controls - Only authorized personnel will be allowed to enter information processing facilities and other secure areas. All access attempts will be monitored and logged. Unauthorized access attempts will be addressed. ''Reference: ISO 27002:2013-11.1.2; HIPAA-45 CFR §164.310(a)(2); PCI-DSS 3.0-9.1,9.2''
#Environmental Threats - Information processing facilities will be protected against natural disasters and damage from environmental accidents. ''Reference: ISO 27002:2013-11.1.14''
#Information Processing Facilities - Work conducted in Information Processing Facilities will adhere to all documented safety and security requirements. ''Reference: ISO 27002:013-11.1.5''
#Removal of Assets - Equipment, information, or software will not be taken off-campus without prior authorization. ''Reference: ISO 27002:2013-11.2.5; HIPAA-45 CFR §164.310(d)(1)''
#Unattended Equipment - Unattended user equipment will have appropriate protection controls and measures to prevent unauthorized use. ''Reference: ISO 27002:2013-11.2.8; PCI-DSS 3.0-8.1.8''


4.4.7 Operations Security
The Chief Information Security Officer shall be responsible for:
#Change Management - Changes to business processes, information processes, facilities, and systems that may impact University information security will be appropriately identified, evaluated, communicated, and controlled. ''Reference: ISO 27002:2013-12.1.3; PCI-DSS 3.0-6.4'' 
<ol><li style="list-style-type:lower-alpha">Leading the development and execution of the Program;</li>
#Capacity Management - The utilization of high value information resources will be monitored, assessed, and optimized to maximize availability in conjunction with appropriate controls. ''Reference: ISO 27002:2013-12.1.3''
<li style="list-style-type:lower-alpha">Facilitating Information Security governance and collaboration;</li>
#Separation of Development, Testing, and Operational Environments - Development, testing, and operational environments will be sufficiently separated and any sensitive information stored in these environments will have at least equivalent protection measures.  ''Reference: ISO 27002:2013-12.1.4; PCI-DSS 3.0-6.4.1''
<li style="list-style-type:lower-alpha">Advising the Chief Information Officer and senior leadership on security needs and resource investments; and</li>
#Malware Protection - Detection, Prevention, and Recovery measures will be established to protect University information systems against malicious software applications. ''Reference: ISO 27002:2013-12.2; HIPAA-164.308(a)(5)(ii)(B) ; PCI-DSS 3.0-5.1''
<li style="list-style-type:lower-alpha">Development of Information Security policies, standards, and guidelines.</li></ol>
#Information Backups - Backup copies of valuable data will be regularly created, stored securely, validated, and periodically tested for recoverability. ''Reference: ISO 27002:2013-12.3; GLBA-16 CFR 314.4(2); HIPAA-45 CFR §164.310(d)(2)(4) ;PCI-DSS-9.5.1''
#Logging and Monitoring - Important events related to University information assets will be reliably archived, regularly reviewed, and protected from tampering and unauthorized access. ''Reference: ISO 27002:2013-2.4; HIPAA-45 CFR -§164.312(b)(; PCI-DSS 3.0-10''
#Clock Synchronization - University information systems’ clocks will be synchronized against a single authorization reference time source. ''Reference: ISO 27002:2013-12.4.4; PCI-DSS 3.0''
#Vulnerability Management - Security weaknesses related to University information systems will be promptly identified, assessed, and remediated according to the associated risks they present to the University. ''Reference: ISO 27002:2013-12.6''
#Information System Audits - Audit activities involving verification of production information systems will be carefully planned, formally authorized, and executed by qualified personnel only. ''Reference: ISO 27002:2013-12.7''


4.4.8 Communications Security
'''4.3.5 Deans and Department Heads'''
#Network Service Authority - The management and provisioning of University network connections, services, and devices will be limited to authorized staff only.  ''Reference: ISO 27002:2013-13.1.1,13.1.2''
#Network Filtering - Network traffic traversing University owned networks will  be filtered to address any appreciable risks and to preserve equitable availability  of University network resources. ''Reference: ISO 27002:2013 - 13.1.1.g,13.1.2; GLBA-16 CFR 314.4(2)''
#Network Attack Detection and Prevention - Network traffic traversing University owned networks will be inspected for active attacks against University information assets. Interdiction capabilities will be maintained to effectively block attacks that present appreciable risks to the University. ''Reference: ISO 27002:2013-13.1.1.d; GLBA-16 CFR 314.4(3)''
#Network Segregation - Network services, users, and information services will be segregated on networks based on trust levels and associated risks. ''Reference: ISO 27002:2013-13.13;  GLBA -16 CFR 314.4(2)''
#Information Transfer - Transfer methods and controls will be defined and adhered to in order to protect University sensitive information traversing all forms of communication facilities to both internal and external senders and recipients.  ''Reference: ISO 27002:2013-13.2.1;GLBA -16 CFR 314.4(2)''
#Electronic Messaging -  Protection measures will be established to safeguard University electronic messaging solutions from unauthorized access, modification or denial of service. Retention of electronic messaging communication will be maintained in an approved manner. ''Reference: ISO 27002:2013-13.2.3''
#Confidentiality Agreements - Confidentiality agreements will be used to establish legally enforceable terms of utilization and access for University confidential information for both external parties and employees. ''Reference: ISO 27002:2013-13.2.4''


4.4.9 System Acquisition, Development and Maintenance
Deans and Department Heads shall be responsible for:
#Security Requirements Analysis - The development and acquisition of information systems will include the regular evaluation of security requirements in the earliest possible stages of related information system projects. ''Reference: ISO 27002:2013-14.1.1''
<ol><li style="list-style-type:lower-alpha">Ensuring that units adhere to Information Security policies and standards; and</li>
#Secure Development - Secure program techniques and modeling methods will be employed to ensure that coding practices adhere to best practices to limit potential for abuse. ''Reference: ISO 27002:2013-14.2.1''
<li style="list-style-type:lower-alpha">Ensuring that reporting staff receives any required security training.</li></ol>
#System Change Control - Change control procedures will be documented and enforced to ensure the confidentiality, integrity, and availability of information systems throughout maintenance efforts. ''Reference: ISO 27002:2013-14.2.2''
#System Security Testing - System acceptance testing will include security testing and validation of effectiveness of controls related to any identified information security requirements. ''Reference: ISO 27002:2013-14.2.2''
#Test data - If viable options are available, data that contains sensitive information will not be used for system or application testing purposes. Test systems that do contain this data must adhere to common data security standards. ''Reference: ISO 27002:2013-14.2.8''


4.4.10 Supplier Relationship
'''4.3.6 University Employees and Students'''
#Supplier Security Agreements - Security requirements will be documented and agreed with each supplier that may access, process, store, or communicate University owned data. ''Reference: ISO 27002:2013 - 15.1.1, 15.1.2; GLBA -16 CFR 314(d1); 16 CFR 314(d2)''
#Monitoring and Review of Supplier Services - Periodic review of supplier services will be conducted to ensure that related security agreements are being adhered to and enforced. ''Reference: ISO 27002:2013-15.2.1''


4.4.11 Information Security Incident Management
All University employees and students shall be responsible for:
#Reporting of Information Security Events - Information security events will be reported through an approved channel and reviewed promptly by authorized employees. ''Reference: ISO 27002:2013-16.1.2''
<ol><li style="list-style-type:lower-alpha">Awareness and adherence to Information Security policies, standards, and guidelines;</li>
#Reporting of Information Security Weaknesses - Employees and contractors will be encouraged to note and report any appreciable information security weaknesses observed in systems or services. ''Reference: ISO 27002:2013-16.1.3'';
<li style="list-style-type:lower-alpha">Attending any required Information Security training; and</li>
#Response to Information Security Incidents - Response actions related to security incidents will adhere to a documented set of procedures, including appropriate communication and coordination of efforts.  ''Reference: ISO 27002:2013-16.1.4, 16.1.5; GLBA -16 CFR 314.4(3)''
<li style="list-style-type:lower-alpha">Prompt reporting of Information Security Events and Incidents to Information Technology Services without delay.</li></ol>
#Learning From Information Security Incidents - Knowledge gained during the analysis of security incidents will be captured, reviewed, and appropriately shared to identify security corrections or control measures that may help address similar events. ''Reference: ISO 27002:2013-16.1.6''
#Collection of Evidence - Methods to preserve electronic evidence will follow adequate standards of discovery and preservation to prevent spoliation. ''Reference: ISO 27002:2013-16.1.7''


4.4.12 Business Continuity Management
'''4.3.7 Vendors'''
#Information Security Continuity - Planning will be undertaken to ensure that appropriate levels of information security protection measures are maintained during emergencies or other adverse events.  Periodic verification of these plans will be performed on an annual basis. ''Reference: ISO 27002:2013-17.1.1,17.1.2,171.3''
#Redundant Information Processing Facilities - Information processing facilities will be implemented with redundancy sufficient to meet identified and documented availability needs. ''Reference: ISO 27002:2013-17.2''


4.4.13 Compliance Management
Complying with all federal and state laws, UNC System policies, Appalachian policies, and contractual obligations with
#Identification of Compliance Requirements - Regular periodic review will be conducted to ensure that relevant policies, legal and contractual requirements are identified for the University and relevant information systems. ''Reference: ISO 27002:2013-18.1.1''
the University concerning the protection of information resources and information technology.
#Intellectual Property Rights - Procedures will be implemented to ensure compliance with applicable legal, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products. ''Reference: ISO 27002:2013-18.1.2''
#Protection of Records - University records will be protected from loss, destruction, falsification, and unauthorized release in accordance with legal, regulatory, and contractual business requirements. ''Reference: ISO 27002:2013-18.1.3''
#Privacy and Protection of Personally Identifiable Information - The privacy and protection of personally identifiable information will be ensured as required in relevant legal and regulatory frameworks. ''Reference: ISO 27002:2013-18.1.4''
 
4.4.14 Information Security Review
#Independent Review of Information Security - Assessment of the University’s approach to and management of information security objectives will be performed periodically by a qualified independent third party. ''Reference: ISO 27002:2013-18.2.1''
#Compliance with Security Policies and Standards - Periodic review will be conducted to review the adherence of University units and employees to applicable information security policies and standards. ''Reference: ISO 27002:2013-18.2.2''
#Technical Compliance Evaluations - Periodic technical evaluations, including both automated and manual security assessments, should be performed to ensure that technical controls and security measures adhere to applicable information security policies and standards. ''Reference: ISO 27002:2013-18.2.3''


== Additional References ==
== Additional References ==
:Payment Card Industry Data Security Standard
:[[Payment Card Services Policy|Appalachian Policy 503.8 - Payment Card Services Policy]]
:[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/DataManagementStandard.pdf Data Management Standard]
:[[Information Technology Governance Policy|Appalachian Policy 901 - Information Technology Governance Policy]]
:[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/EnterprisePasswordStandard.pdf Enterprise Password Management Standard]
:[[Data_Governance|Appalachian Policy 902 - Data Governance Policy]]
:[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/MinimumSecurityStandard.pdf Minimum Security Standard]
:[http://policy.appstate.edu/Payment_Card_Services_Policy Payment Card Services Policy]
:[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/RiskManagementStandard.pdf Information Security Risk Management Standard]
:[https://security.appstate.edu/sites/security.appstate.edu/files/Secure%20Data%20Handling%20Standard%20-%20v1.1%20FINAL.pdf Secure Data Handling Standards]


== Authority ==
== Authority ==
:[https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314]
#[https://security.appstate.edu/sites/security.appstate.edu/files/enterprisepasswordstandard.pdf Enterprise Password Management Standard]
:[http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164]
#[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/RiskManagementStandard.pdf Information Security Risk Management Standard]
#[https://its.appstate.edu/data-governance/secure-data-handling-standard Secure Data Handling Standards]
#[https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss- Payment Card Industry Data Security Standard]
#[https://www.nccu.edu/formsdocs/proxy.cfm?file_id=3561 UNC Policy Manual, Chapter 100.1, Section 502s]
#[https://www.northcarolina.edu/apps/policy/index.php?pg=dl&id=19846&format=pdf&inline=1 UNC Policy Manual - 1400.2 Information Security]
#[https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314]
#[http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164]


== Contact Information ==
== Contact Information ==
:[http://security.appstate.edu/ ITS Office of Information Security], 828-262-6277
:Office of the Chief Information Officer (828-262-6278)
:Chief Information Security Officer (828-262-6277)


== Original Effective Date ==
== Original Effective Date ==
Line 238: Line 135:


== Revision Dates ==
== Revision Dates ==
:November 28, 2018
:December 7, 2020
[[Category:Contents]]
[[Category:Information Technology]]

Latest revision as of 14:34, 14 December 2020

Policy 903

Introduction

The purpose of this policy is to outline the framework for the University’s comprehensive Information Security Program to help safeguard the confidentiality, integrity, and availability of campus Information Resources, and comply with federal and state law, and UNC System policies.

Scope

This policy applies to all Appalachian State University employees, students, vendors and visitors.

Definitions

Information Security

The preservation of the confidentiality, integrity and availability of Information Resources and Institutional Data.

Information Security Program

Policies, assessments, protocols, and training designed to govern the security of Information Resources.

Information Resources

Same meaning as defined in Appalachian Pollicy 901 - IT Governance Policy.

Control

The management of risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.

Information Security Event

An identified occurrence of a system, service, or network state indicating a possible breach of Information Security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

Information Security Incident

An unwanted or unexpected Information Security Event that has a significant probability of compromising business operations and threatening Information Security.

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)

Independent international organizations responsible for the creation of industry technical and administrative security standards.

Policy and Procedure Statements

Information Security Program

The University shall develop, implement, and maintain a comprehensive Information Security Program (the “Program”). The Program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:

  1. ISO/IEC 27002 - The Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the UNC system;
  2. Legal, Contractual, and Policy Requirements - In relation to the management and protection of Information Resources, the University shall conduct all business in accord with relevant federal and state law, and UNC System policies; and
  3. Proactive Risk Management - The Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University Information Resources.

Governance, Coordination, and Security Services

4.2.1 Board of Trustees Audit Committee

Appalachian’s Board of Trustees Audit Committee will review and provide oversight of Information Security on at least an annual basis including, but not limited to, emerging Information Security matters, institutional Program activities, information technology security Controls, and risk assessments.

4.2.2 Information Security Advisory Council

To ensure the Program is aligned with the University’s mission, values, and operational needs, the Chancellor will appoint a University Information Security Advisory Council to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.

4.2.3 Information Security Liaisons

To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.

4.2.4 ITS - Office of Information Security

The ITS Office of Information Security shall be responsible for providing Information Security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.

Roles and Responsibilities

4.3.1 Shared Responsibilities

Information Security is a shared responsibility. All employees, students, visitors and vendors of the University share in the responsibility to help protect University Information Resources. The roles and responsibilities for University Information Security include:

4.3.2 Chancellor and Chancellor’s Cabinet

The Chancellor and Chancellor’s Cabinet shall be responsible for:

  1. Approval of the University’s Information Security policy;
  2. Providing executive oversight and support of the Information Security Program;
  3. Providing guidance concerning institutional risk tolerance levels;
  4. Providing resources to meet approved security objectives; and
  5. Periodically reviewing the University’s Information Security posture.

4.3.3 The Chief Information Officer

The Chief Information Officer shall be responsible for oversight of Information Security in accordance with UNC System policies, and has authority and accountability for:

  1. The campus-wide adoption, implementation, and enforcement of the Information Security Program;
  2. Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of Information Resources;
  3. Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees Audit Committee; and
  4. Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to meet the objectives listed elsewhere in this policy.

4.3.4 Chief Information Security Officer

The Chief Information Security Officer shall be responsible for:

  1. Leading the development and execution of the Program;
  2. Facilitating Information Security governance and collaboration;
  3. Advising the Chief Information Officer and senior leadership on security needs and resource investments; and
  4. Development of Information Security policies, standards, and guidelines.

4.3.5 Deans and Department Heads

Deans and Department Heads shall be responsible for:

  1. Ensuring that units adhere to Information Security policies and standards; and
  2. Ensuring that reporting staff receives any required security training.

4.3.6 University Employees and Students

All University employees and students shall be responsible for:

  1. Awareness and adherence to Information Security policies, standards, and guidelines;
  2. Attending any required Information Security training; and
  3. Prompt reporting of Information Security Events and Incidents to Information Technology Services without delay.

4.3.7 Vendors

Complying with all federal and state laws, UNC System policies, Appalachian policies, and contractual obligations with the University concerning the protection of information resources and information technology.

Additional References

Appalachian Policy 503.8 - Payment Card Services Policy
Appalachian Policy 901 - Information Technology Governance Policy
Appalachian Policy 902 - Data Governance Policy

Authority

  1. Enterprise Password Management Standard
  2. Information Security Risk Management Standard
  3. Secure Data Handling Standards
  4. Payment Card Industry Data Security Standard
  5. UNC Policy Manual, Chapter 100.1, Section 502s
  6. UNC Policy Manual - 1400.2 Information Security
  7. Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314
  8. Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164

Contact Information

Office of the Chief Information Officer (828-262-6278)
Chief Information Security Officer (828-262-6277)

Original Effective Date

March 16, 2015

Revision Dates

November 28, 2018
December 7, 2020