Information Security Policy: Difference between revisions

From Appalachian State University Policy Manual
 
Policy 916
Policy 903
== Introduction ==
1.1 Appalachian State University will develop, implement, and maintain a comprehensive Information Security Plan to help safeguard the confidentiality, integrity, and availability of campus information resources and address security requirements defined by University of North Carolina policies, state and federal laws, and relevant contractual obligations.
The purpose of this policy is to outline the framework for the University’s comprehensive Information Security Program to help safeguard the confidentiality, integrity, and availability of campus Information Resources, and comply with federal and state law, and UNC System policies.


== Scope ==
2.1 This policy applies to all Appalachian State University employees, students, and affiliates.
This policy applies to all Appalachian State University employees, students, vendors and visitors.


== Definitions  ==
=== Information Security ===
:Information Security is the preservation of confidentiality, integrity and availability of information.
:The preservation of the confidentiality, integrity and availability of Information Resources and Institutional Data.
=== Confidentiality ===
:Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.


=== Availability ===
:Availability is the property that information is accessible and usable upon demand by an authorized person or entity.
=== Information Security Program ===
:Policies, assessments, protocols, and training designed to govern the security of Information Resources.
 
=== Information Resources ===
:Same meaning as defined in [[Information Technology Governance Policy|Appalachian Policy 901 - IT Governance Policy]].
 
=== Control ===
:The management of risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.


=== Integrity ===
:Integrity is the property that information is accurate and complete.
=== Information Security Event ===
:An identified occurrence of a system, service, or network state indicating a possible breach of Information Security policy or failure of safeguards, or a previously unknown situation that may be security relevant.


=== Risk ===
:In the context of Information Security, risk is the exposure to potential reduction of confidentiality, integrity, and availability of information assets such as information systems, data, user credentials, and other computing resources.
=== Information Security Incident ===
:An unwanted or unexpected Information Security Event that has a significant probability of compromising business operations and threatening Information Security.
=== Control ===
:A control is a means of managing risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.


=== Information Security Plan ===
:The Information Security plan is a coherent set of information security policies, processes, systems, and objectives necessary for cost-effectively managing risks related to University information assets. It is the “blueprint” for how Information Security activities shall be conducted and refined.
=== International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) ===
:Independent international organizations responsible for the creation of industry technical and administrative security standards.


== Policy and Procedure Statements  ==
=== Information Security Program ===
:The Information Security program represents all interrelated services, activities, and initiatives needed to meet the security objectives defined within the Information Security Plan.
The University shall develop, implement, and maintain a comprehensive Information Security Program (the “Program”). The Program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:
<ol>
<li style="list-style-type:lower-alpha">ISO/IEC 27002 - The Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the UNC system;</li>
<li style="list-style-type:lower-alpha">Legal, Contractual, and Policy Requirements - In relation to the management and protection of Information Resources, the University shall conduct all business in accord with relevant federal and state law, and UNC System policies; and</li>
<li style="list-style-type:lower-alpha">Proactive Risk Management - The Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University Information Resources.</li>
</ol>
 
=== Governance, Coordination, and Security Services ===
 
'''4.2.1 Board of Trustees Audit Committee'''
 
Appalachian’s Board of Trustees Audit Committee will review and provide oversight of Information Security on at least an annual basis including, but not limited to, emerging Information Security matters, institutional Program activities, information technology security Controls, and risk assessments.
 
'''4.2.2 Information Security Advisory Council'''
 
To ensure the Program is aligned with the University’s mission, values, and operational needs, the Chancellor will appoint a University Information Security Advisory Council to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.


=== Information Processing Facilities ===
:Any information processing system, service, or infrastructure, or the physical facilities housing them.
'''4.2.3 Information Security Liaisons'''


=== Information Asset ===
:Information Assets are valued physical and electronic resources that can be used to create, store, distribute, use, integrate and manipulate information.
To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.


=== Information Security Event ===
:Identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
'''4.2.4 ITS - Office of Information Security'''
 
The ITS Office of Information Security shall be responsible for providing Information Security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.
 
=== Roles and Responsibilities ===
 
'''4.3.1 Shared Responsibilities'''
 
Information Security is a shared responsibility. All employees, students, visitors and vendors of the University share
in the responsibility to help protect University Information Resources. The roles and responsibilities for University
Information Security include:
 
'''4.3.2 Chancellor and Chancellor’s Cabinet'''
 
The Chancellor and Chancellor’s Cabinet shall be responsible for:
<ol><li style="list-style-type:lower-alpha">Approval of the University’s Information Security policy;</li>
<li style="list-style-type:lower-alpha">Providing executive oversight and support of the Information Security Program;</li>
<li style="list-style-type:lower-alpha">Providing guidance concerning institutional risk tolerance levels;</li>
<li style="list-style-type:lower-alpha">Providing resources to meet approved security objectives; and</li>
<li style="list-style-type:lower-alpha">Periodically reviewing the University’s Information Security posture.</li>
</ol>
 
'''4.3.3 The Chief Information Officer'''
 
The Chief Information Officer shall be responsible for oversight of Information Security in accordance with UNC System
policies, and has authority and accountability for:


=== Information Security Incident ===
:Unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
<ol><li style="list-style-type:lower-alpha">The campus-wide adoption, implementation, and enforcement of the Information Security Program;</li>
<li style="list-style-type:lower-alpha">Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of Information
Resources;</li>
<li style="list-style-type:lower-alpha">Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees
Audit Committee; and</li>
<li style="list-style-type:lower-alpha">Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to
meet the objectives listed elsewhere in this policy.</li></ol>


=== Data Maintenance ===
:The action of managing or editing the data inside an administrative system for the purpose of doing business at the University.
'''4.3.4 Chief Information Security Officer'''


=== Data Inquiry ===
:The action of querying data from an environment designed for that purpose with the intent of informing and influencing decision making.
The Chief Information Security Officer shall be responsible for:
<ol><li style="list-style-type:lower-alpha">Leading the development and execution of the Program;</li>
<li style="list-style-type:lower-alpha">Facilitating Information Security governance and collaboration;</li>
<li style="list-style-type:lower-alpha">Advising the Chief Information Officer and senior leadership on security needs and resource investments; and</li>
<li style="list-style-type:lower-alpha">Development of Information Security policies, standards, and guidelines.</li></ol>


=== ISO ===
:“ISO” refers to the International Organization for Standardization.
'''4.3.5 Deans and Department Heads'''


=== GLBA ===
:“GLBA” refers to the Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338)
Deans and Department Heads shall be responsible for:
<ol><li style="list-style-type:lower-alpha">Ensuring that units adhere to Information Security policies and standards; and</li>
<li style="list-style-type:lower-alpha">Ensuring that reporting staff receives any required security training.</li></ol>


=== HIPAA ===
:“HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936)
'''4.3.6 University Employees and Students'''


=== CFR ===
:“CFR” refers to the Code of Federal Regulations.
All University employees and students shall be responsible for:
<ol><li style="list-style-type:lower-alpha">Awareness and adherence to Information Security policies, standards, and guidelines;</li>
<li style="list-style-type:lower-alpha">Attending any required Information Security training; and</li>
<li style="list-style-type:lower-alpha">Prompt reporting of Information Security Events and Incidents to Information Technology Services without delay.</li></ol>


=== PCI-DSS ===
:“PCI-DSS” refers to the Payment Card Industry Data Security Standard.
== Policy and Procedure Statements  ==

'''4.3.7 Vendors'''

Complying with all federal and state laws, UNC System policies, Appalachian policies, and contractual obligations with the University concerning the protection of information resources and information technology.


== Additional References ==
:[[Payment Card Services Policy|Appalachian Policy 503.8 - Payment Card Services Policy]]
:[[Information Technology Governance Policy|Appalachian Policy 901 - Information Technology Governance Policy]]
:[[Data_Governance|Appalachian Policy 902 - Data Governance Policy]]
== Authority ==
#[https://security.appstate.edu/sites/security.appstate.edu/files/enterprisepasswordstandard.pdf Enterprise Password Management Standard]
#[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/RiskManagementStandard.pdf Information Security Risk Management Standard]
#[https://its.appstate.edu/data-governance/secure-data-handling-standard Secure Data Handling Standards]
#[https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss- Payment Card Industry Data Security Standard]
#[https://www.nccu.edu/formsdocs/proxy.cfm?file_id=3561 UNC Policy Manual, Chapter 100.1, Section 502s]
#[https://www.northcarolina.edu/apps/policy/index.php?pg=dl&id=19846&format=pdf&inline=1 UNC Policy Manual - 1400.2 Information Security]
#[https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314]
#[http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164]
== Contact Information ==
:Office of the Chief Information Officer (828-262-6278)
:Chief Information Security Officer (828-262-6277)


== Original Effective Date ==
:March 16, 2015


== Revision Dates ==
:November 28, 2018
:December 7, 2020
[[Category:Contents]]
[[Category:Information Technology]]

Latest revision as of 14:34, 14 December 2020

Policy 903

Introduction

The purpose of this policy is to outline the framework for the University’s comprehensive Information Security Program to help safeguard the confidentiality, integrity, and availability of campus Information Resources, and comply with federal and state law, and UNC System policies.

Scope

This policy applies to all Appalachian State University employees, students, vendors and visitors.

Definitions

Information Security

The preservation of the confidentiality, integrity and availability of Information Resources and Institutional Data.

Information Security Program

Policies, assessments, protocols, and training designed to govern the security of Information Resources.

Information Resources

Same meaning as defined in Appalachian Policy 901 - IT Governance Policy.

Control

The management of risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.

Information Security Event

An identified occurrence of a system, service, or network state indicating a possible breach of Information Security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

Information Security Incident

An unwanted or unexpected Information Security Event that has a significant probability of compromising business operations and threatening Information Security.

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)

Independent international organizations responsible for the creation of industry technical and administrative security standards.

Policy and Procedure Statements

Information Security Program

The University shall develop, implement, and maintain a comprehensive Information Security Program (the “Program”). The Program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:

  1. ISO/IEC 27002 - The Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the UNC system;
  2. Legal, Contractual, and Policy Requirements - In relation to the management and protection of Information Resources, the University shall conduct all business in accord with relevant federal and state law, and UNC System policies; and
  3. Proactive Risk Management - The Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University Information Resources.

Governance, Coordination, and Security Services

4.2.1 Board of Trustees Audit Committee

Appalachian’s Board of Trustees Audit Committee will review and provide oversight of Information Security on at least an annual basis including, but not limited to, emerging Information Security matters, institutional Program activities, information technology security Controls, and risk assessments.

4.2.2 Information Security Advisory Council

To ensure the Program is aligned with the University’s mission, values, and operational needs, the Chancellor will appoint a University Information Security Advisory Council to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.

4.2.3 Information Security Liaisons

To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.

4.2.4 ITS - Office of Information Security

The ITS Office of Information Security shall be responsible for providing Information Security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.

Roles and Responsibilities

4.3.1 Shared Responsibilities

Information Security is a shared responsibility. All employees, students, visitors and vendors of the University share in the responsibility to help protect University Information Resources. The roles and responsibilities for University Information Security include:

4.3.2 Chancellor and Chancellor’s Cabinet

The Chancellor and Chancellor’s Cabinet shall be responsible for:

  1. Approval of the University’s Information Security policy;
  2. Providing executive oversight and support of the Information Security Program;
  3. Providing guidance concerning institutional risk tolerance levels;
  4. Providing resources to meet approved security objectives; and
  5. Periodically reviewing the University’s Information Security posture.

4.3.3 The Chief Information Officer

The Chief Information Officer shall be responsible for oversight of Information Security in accordance with UNC System policies, and has authority and accountability for:

  1. The campus-wide adoption, implementation, and enforcement of the Information Security Program;
  2. Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of Information Resources;
  3. Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees Audit Committee; and
  4. Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to meet the objectives listed elsewhere in this policy.

4.3.4 Chief Information Security Officer

The Chief Information Security Officer shall be responsible for:

  1. Leading the development and execution of the Program;
  2. Facilitating Information Security governance and collaboration;
  3. Advising the Chief Information Officer and senior leadership on security needs and resource investments; and
  4. Development of Information Security policies, standards, and guidelines.

4.3.5 Deans and Department Heads

Deans and Department Heads shall be responsible for:

  1. Ensuring that units adhere to Information Security policies and standards; and
  2. Ensuring that reporting staff receives any required security training.

4.3.6 University Employees and Students

All University employees and students shall be responsible for:

  1. Awareness and adherence to Information Security policies, standards, and guidelines;
  2. Attending any required Information Security training; and
  3. Prompt reporting of Information Security Events and Incidents to Information Technology Services without delay.

4.3.7 Vendors

Complying with all federal and state laws, UNC System policies, Appalachian policies, and contractual obligations with the University concerning the protection of information resources and information technology.

Additional References

Appalachian Policy 503.8 - Payment Card Services Policy
Appalachian Policy 901 - Information Technology Governance Policy
Appalachian Policy 902 - Data Governance Policy

Authority

  1. Enterprise Password Management Standard
  2. Information Security Risk Management Standard
  3. Secure Data Handling Standards
  4. Payment Card Industry Data Security Standard
  5. UNC Policy Manual, Chapter 100.1, Section 502s
  6. UNC Policy Manual - 1400.2 Information Security
  7. Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314
  8. Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164

Contact Information

Office of the Chief Information Officer (828-262-6278)
Chief Information Security Officer (828-262-6277)

Original Effective Date

March 16, 2015

Revision Dates

November 28, 2018
December 7, 2020