Information Security Policy: Difference between revisions

From Appalachian State University Policy Manual
 
(18 intermediate revisions by 2 users not shown)
Line 30: Line 30:
== Policy and Procedure Statements  ==
== Policy and Procedure Statements  ==
=== Information Security Program ===
=== Information Security Program ===
As mandated by UNC Policy 1400.2, and consistent with the roles and responsibilities outlined in Section 4.3 of this Policy, the University shall develop, implement, and maintain a comprehensive Information Security Program. This program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:  
The University shall develop, implement, and maintain a comprehensive Information Security Program (the “Program”). The Program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:
 
<ol>
4.1.1 ISO/IEC 27002:2013 - The University's Information Security Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the University of North Carolina (UNC) system.
<li style="list-style-type:lower-alpha">ISO/IEC 27002 - The Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the UNC system;</li>
 
<li style="list-style-type:lower-alpha">Legal, Contractual, and Policy Requirements - In relation to the management and protection of Information Resources, the University shall conduct all business in accord with relevant federal and state law, and UNC System policies; and</li>
4.1.2 Legal, Contractual, and Policy Requirements - In relation to the management and protection of information resources, the University shall conduct all business in accord with relevant University of North Carolina policies, state laws, federal laws, and contractual requirements.
<li style="list-style-type:lower-alpha">Proactive Risk Management - The Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University Information Resources.</li>
 
</ol>
4.1.3 Proactive Risk Management - The development of the University’s Information Security Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University information resources.


=== Governance, Coordination, and Security Services ===
=== Governance, Coordination, and Security Services ===


4.2.1 Board of Trustees Audit Committee - As mandated by UNC Policy 1400.2, the University’s Board of Trustees Audit Committee will review and provide oversight of information security on at least an annual basis including, but not limited to, emerging information security matters, institutional information security program activities, information technology security controls, and risk assessments. ([https://www.northcarolina.edu/apps/policy/index.php?pg=dl&id=19846&format=pdf&inline=1 UNC Information Security Policy 1400.2, Sections V.A, B, and C])
'''4.2.1 Board of Trustees Audit Committee'''
 
4.2.2 Information Security Advisory Council - To ensure the Information Security Program is aligned with the University’s mission, values, and operational needs, a University Information Security Advisory Council will be formed to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.


4.2.3 Information Security Liaisons - To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.  
Appalachian’s Board of Trustees Audit Committee will review and provide oversight of Information Security on at least an annual basis including, but not limited to, emerging Information Security matters, institutional Program activities, information technology security Controls, and risk assessments.


4.2.4 ITS - Office of Information Security - The ITS Office of Information Security shall be responsible for providing information security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.
'''4.2.2 Information Security Advisory Council'''


=== Roles and Responsibilities ===
To ensure the Program is aligned with the University’s mission, values, and operational needs, the Chancellor will appoint a University Information Security Advisory Council to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.


Information Security is a shared responsibility. All employees of the University share in the responsibility to help protect University information resources.
'''4.2.3 Information Security Liaisons'''


The roles and responsibilities for University Information Security include:
To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.


4.3.1 Chancellor and Chancellor’s Cabinet - The Chancellor and Chancellor’s Cabinet shall be responsible for:
'''4.2.4 ITS - Office of Information Security'''
#Approval of the University’s Information Security policy.
#Providing executive oversight and support of the Information Security Program.
#Providing guidance concerning institutional risk tolerance levels.
#Providing resources to meet approved security objectives.
#Periodically reviewing the University’s information security posture.


4.3.2 The Chief Information Officer - As defined in the UNC Information Security Policy (1400.2), the Chief Information Officer shall have authority and accountability for:
The ITS Office of Information Security shall be responsible for providing Information Security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.
#The campus-wide adoption, implementation, and enforcement of the Information Security Program.
#Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of information resources.
#Periodically reporting information security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees Audit Committee.
#Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to meet the objectives listed elsewhere in this Policy.


4.3.3 Chief Information Security Officer - The Chief Information Security Officer shall be responsible for:
=== Roles and Responsibilities ===
#Leading the development and execution of the University’s security program.
#Facilitating information security governance and collaboration.
#Advising the Chief Information Officer and senior leadership on security needs and resource investments.
#Development of information security policies, standards, and guidelines.
 
4.3.4 Deans and Department Heads - Deans and Department Heads shall be responsible for:
#Ensuring that units adhere to information security policies and standards.
#Ensuring that reporting staff receives any required security training.


4.3.5 University Employees - All University employees shall be responsible for:
'''4.3.1 Shared Responsibilities'''
#Awareness and adherence to information security policies and standards.
#Attending any required information security training.
#Prompt reporting of potential information security incidents to Office of Information Security without delay.


=== Key Control Requirements ===
Information Security is a shared responsibility. All employees, students, visitors and vendors of the University share
in the responsibility to help protect University Information Resources. The roles and responsibilities for University
Information Security include:


To address relevant policy, legal, and contractual obligations, the following key security control requirements will be addressed through existing controls, compensating controls, or prioritized implementation planning consistent with available resources.
'''4.3.2 Chancellor and Chancellor’s Cabinet'''


4.4.1 Risk Management
The Chancellor and Chancellor’s Cabinet shall be responsible for:
#Regular identification and analysis of risks will be performed for information assets identified as having a high level of importance.
<ol><li style="list-style-type:lower-alpha">Approval of the University’s Information Security policy;</li>
#Risk treatment options, including any cost-effective controls, will be analyzed and identified.
<li style="list-style-type:lower-alpha">Providing executive oversight and support of the Information Security Program;</li>
#Appreciable risks and treatment options will be communicated on a regular basis for decision review. ''Reference: ISO 27002:2013-6.1.1; GLBA:16 CFR §314.4; HIPAA: 45 CFR §164.308(a)(1)(ii)(A); PCI-DSS 3.2-12.2, UNC Information Security Policy (1400.2, Section III)''
<li style="list-style-type:lower-alpha">Providing guidance concerning institutional risk tolerance levels;</li>
<li style="list-style-type:lower-alpha">Providing resources to meet approved security objectives; and</li>
<li style="list-style-type:lower-alpha">Periodically reviewing the University’s Information Security posture.</li>
</ol>


4.4.2 Human Resource Security
'''4.3.3 The Chief Information Officer'''
#Screening/Background Checks - Prospective employees who receive an offer of employment will be vetted via a background check including a criminal background investigation. ''Reference: ISO 27002:2013-7.1.1; HIPAA:45 CFR §164.308(a)(3)(ii)(B); PCI-DSS 3.2-12.7''
#Security Awareness Training - All University employees will receive regular security awareness training in addition to any specific training associated with job responsibilities and employee roles. ''Reference: ISO 27002:2013-7.2.2, PCI-DSS 3.2-12.6''
#Disciplinary Process - Employee disciplinary processes will include applicable provisions to cover any egregious violations of approved information security policies or requirements. ''Reference: ISO 27002:2013 - 7.2.3; HIPAA: 45 CFR §164.308(a)(1)(ii)(C)''
#Termination of Employment - Access to University information resources, work areas, and processing facilities will be revoked and assets returned upon full termination of employment with University. Retirees may retain an institutional email account and associated services to maintain connection to campus. ''Reference: ISO 27002:2013-7.3, 8.1.4; HIPAA: 45 CFR § 164.308(a)(3)(ii)(C); PCI-DSS 3.2: 8.1.3; 9.3''


4.4.3 Asset Management
The Chief Information Officer shall be responsible for oversight of Information Security in accordance with UNC System
#Data Governance - All institutional data will be considered the property of the University and will be treated as an asset. A data management structure will be established that defines responsibilities for secure and effective management of institutional data.
policies, and has authority and accountability for:
#Data Classification – The University will adopt a consistent data classification scheme that takes into account associated business needs and risks related to sharing or restricting information. ''Reference: ISO 27002:2013-8.2''
#Acceptable Use and Security Requirements - Appropriate utilization of University information assets will be clearly defined, including secure practices for handling data classified as sensitive. ''Reference: ISO 27002:2013-8.1.3,8.2.3''
#Inventory of Important Assets - An inventory of all information assets that have a high level of importance will be maintained and indicate their owner, location, and management information. ''Reference: ISO 27002:2013-8.1.1,8.1.2; HIPAA: 45 CFR §164.310(d)(2)(iii)''
#Information Asset Transfer and Destruction - Information assets will be reliably transferred and any data they contain rendered unreadable prior to transfer to another employee, sale or other disposition. ''Reference: ISO 27002:2013-8.1.4,8.3.2,11.2.7; HIPAA: 45 CFR §164.310(d)(2)(i),§164.310(d)(2)(ii); PCI-DSS 3.2-9.8''


4.4.4 Access Control
<ol><li style="list-style-type:lower-alpha">The campus-wide adoption, implementation, and enforcement of the Information Security Program;</li>
#Role Based Access Control - University information asset owners will define appropriate roles associated with the fulfillment of legitimate business needs. These roles should be defined based on two functions:  
<li style="list-style-type:lower-alpha">Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of Information
##Data Maintenance Roles - The access for data maintenance in administrative systems will be determined based on the employee position and location, and will be governed by the business requirements.
Resources;</li>
##Data Inquiry Roles - The access for data inquiry will be determined by the required data set and associated data classification level, and will be governed by the data steward assigned the requested data set. These roles will have associated access control rules, access rights, and restrictions that provide a sufficient degree of access needed to efficiently accomplish these business needs. Assignments to these roles should be periodically reviewed. ''Reference: ISO 27002:2013-9.1; HIPAA: 45 CFR §164.312(a)(1); PCI-DSS 3.2 -7.1'' 
<li style="list-style-type:lower-alpha">Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees
#Network Access Control - Local and remote access to University networks and information services will be limited to authorized individuals with legitimate business needs. ''Reference: ISO 27002:2013-9.1.2; HIPAA: 45 CFR §164.312(a)(1); PCI-DSS 3.0 9.1.2'' 
Audit Committee; and</li>
#User Access Management - Formal user provisioning and deprovisioning processes will be implemented to ensure that creation of new accounts is authorized, users are uniquely identified, redundant userIDs are periodically removed, and that userIDs are disabled when no longer required. ''Reference: ISO 27002:2013-9.2.1,9.2.2; HIPAA: 45 CFR §164.312(a)(2)(i),§164.312(a)(2)(d); PCI-DSS 3.2-8.1.2'' 
<li style="list-style-type:lower-alpha">Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to
#Management of Privileged Access - Privileged access rights will be appropriately evaluated, approved, periodically reviewed, and limited to only those users and applications with legitimate and sufficient business need. ''Reference: ISO 27002:2013-9.2.3; PCI-DSS 3.2-7.1'' 
meet the objectives listed elsewhere in this policy.</li></ol>
#Password Management - Passwords used to access University resources will be established and managed in a formally approved and consistently secure manner. ''Reference: ISO 27002:2013-9.2.4, HIPAA: 45 CFR §164.308(a)(5)(ii)(D)''
#Secure Logon - Common secure logon practices will be defined and implemented to ensure that means of access to University systems and applications effectively minimize the risks of unauthorized access threats. ''Reference: ISO 27002:2013-9.4.2; HIPAA: 45 CFR §164.312(a)(2)(iii)''
#Source Code Control - Access to program source code for University systems will be strictly controlled to authorized individuals only. ''Reference: ISO 27002:2013-9.4.5''


4.4.5 Cryptographic Security
'''4.3.4 Chief Information Security Officer'''
#Use of Cryptographic Controls - University information systems will utilize cryptographic controls to address appreciable risks related to the confidentiality and integrity of sensitive information and non-repudiation of electronic transactions with University systems. ''Reference: ISO 27002:2013-10.1.1; HIPAA: 45 CFR §164.312(a)(2)(e); PCI DSS 3.2-3.4'' 
#Key Management - University cryptographic keys will be generated, stored, and managed in a secure and approved manner. ''Reference: ISO 27002:2013-10.1.2; PCI-DSS 3.2-3.5,3.6''
 
4.4.6 Physical and Environmental Security
#Physical Security Perimeters - Information processing facilities and other secure areas will have well defined physical boundaries and implement sufficient physical barriers and restrictions to prevent unauthorized entry and physical access. ''Reference: ISO 27002:2013-11.1.1; HIPAA: 45 CFR §164.310(a)(1); PCI-DSS 3.2-9.1,9.3'' 
#Physical Entry Controls - Only authorized personnel will be allowed to enter information processing facilities and other secure areas. All access attempts will be monitored and logged. Unauthorized access attempts will be addressed. ''Reference: ISO 27002:2013-11.1.2; HIPAA: 45 CFR §164.310(a)(2); PCI-DSS 3.2-9.1,9.2'' 
#Environmental Threats - Information processing facilities will be protected against natural disasters and damage from environmental accidents. ''Reference: ISO 27002:2013-11.1.14''
#Information Processing Facilities - Work conducted in Information Processing Facilities will adhere to all documented safety and security requirements. ''Reference: ISO 27002:013-11.1.5''
#Removal of Assets - Equipment, information, or software will not be taken off-campus without prior authorization. ''Reference: ISO 27002:2013-11.2.5; HIPAA: 45 CFR §164.310(d)(1)''
#Unattended Equipment - Unattended user equipment will have appropriate protection controls and measures to prevent unauthorized use. ''Reference: ISO 27002:2013-11.2.8; PCI-DSS 3.2-8.1.8''
 
4.4.7 Operations Security
#Change Management - Changes to business processes, information processes, facilities, and systems that may impact University information security will be appropriately identified, evaluated, communicated, and controlled. ''Reference: ISO 27002:2013-12.1.3; PCI-DSS 3.2-6.4''   
#Capacity Management - The utilization of high value information resources will be monitored, assessed, and optimized to maximize availability in conjunction with appropriate controls. ''Reference: ISO 27002:2013-12.1.3''
#Separation of Development, Testing, and Operational Environments - Development, testing, and operational environments will be sufficiently separated and any sensitive information stored in these environments will have at least equivalent protection measures. ''Reference: ISO 27002:2013-12.1.4; PCI-DSS 3.2-6.4.1''   
#Malware Protection - Detection, Prevention, and Recovery measures will be established to protect University information systems against malicious software applications. ''Reference: ISO 27002:2013-12.2; HIPAA: 45 CFR §164.308(a)(5)(ii)(B); PCI-DSS 3.2-5.1''   
#Information Backups - Backup copies of valuable data will be regularly created, stored securely, validated, and periodically tested for recoverability. ''Reference: ISO 27002:2013-12.3; GLBA: 16 CFR §314.4(2); HIPAA: 45 CFR §164.310(d)(2)(4); PCI-DSS 3.2-9.5''   
#Logging and Monitoring - Important events related to University information assets will be reliably archived, regularly reviewed, and protected from tampering and unauthorized access. ''Reference: ISO 27002:2013-2.4; HIPAA: 45 CFR §164.312(b); PCI-DSS 3.2-10''   
#Clock Synchronization - University information systems’ clocks will be synchronized against a single authorization reference time source. ''Reference: ISO 27002:2013-12.4.4; PCI-DSS 3.2-10.4''   
#Vulnerability Management - Security weaknesses related to University information systems will be promptly identified, assessed, and remediated according to the associated risks they present to the University. ''Reference: ISO 27002:2013-12.6; PCI-DSS 3.2-11.2''
#Information System Audits - Audit activities involving verification of production information systems will be carefully planned, formally authorized, and executed by qualified personnel only. ''Reference: ISO 27002:2013-12.7''


4.4.8 Communications Security  
The Chief Information Security Officer shall be responsible for:
#Network Service Authority - The management and provisioning of University network connections, services, and devices will be limited to authorized staff only. ''Reference: ISO 27002:2013-13.1.1,13.1.2''
<ol><li style="list-style-type:lower-alpha">Leading the development and execution of the Program;</li>
#Network Filtering - Network traffic traversing University owned networks will be filtered to address any appreciable risks and to preserve equitable availability of University network resources. ''Reference: ISO 27002:2013 - 13.1.1.g,13.1.2; GLBA: 16 CFR §314.4(2); PCI-DSS 3.2-1.1''
<li style="list-style-type:lower-alpha">Facilitating Information Security governance and collaboration;</li>
#Network Attack Detection and Prevention - Network traffic traversing University owned networks will be inspected for active attacks against University information assets. Interdiction capabilities will be maintained to effectively block attacks that present appreciable risks to the University. ''Reference: ISO 27002:2013-13.1.1.d; GLBA: 16 CFR §314.4(3); PCI-DSS 3.2-11.4''
<li style="list-style-type:lower-alpha">Advising the Chief Information Officer and senior leadership on security needs and resource investments; and</li>
#Network Segregation - Network services, users, and information services will be segregated on networks based on trust levels and associated risks. ''Reference: ISO 27002:2013-13.13; GLBA: 16 CFR §314.4(2)''
<li style="list-style-type:lower-alpha">Development of Information Security policies, standards, and guidelines.</li></ol>
#Information Transfer - Transfer methods and controls will be defined and adhered to in order to protect University sensitive information traversing all forms of communication facilities to both internal and external senders and recipients. ''Reference: ISO 27002:2013-13.2.1; GLBA: 16 CFR §314.4(2)''
#Electronic Messaging - Protection measures will be established to safeguard University electronic messaging solutions from unauthorized access, modification or denial of service. Retention of electronic messaging communication will be maintained in an approved manner. ''Reference: ISO 27002:2013-13.2.3''
#Confidentiality Agreements - Confidentiality agreements will be used to establish legally enforceable terms of utilization and access for University confidential information for both external parties and employees. ''Reference: ISO 27002:2013-13.2.4''


4.4.9 System Acquisition, Development and Maintenance
'''4.3.5 Deans and Department Heads'''
#Security Requirements Analysis - The development and acquisition of information systems will include the regular evaluation of security requirements in the earliest possible stages of related information system projects. ''Reference: ISO 27002:2013-14.1.1''
#Secure Development - Secure program techniques and modeling methods will be employed to ensure that coding practices adhere to best practices to limit potential for abuse. ''Reference: ISO 27002:2013-14.2.1''
#System Change Control - Change control procedures will be documented and enforced to ensure the confidentiality, integrity, and availability of information systems throughout maintenance efforts. ''Reference: ISO 27002:2013-14.2.2''
#System Security Testing - System acceptance testing will include security testing and validation of effectiveness of controls related to any identified information security requirements. ''Reference: ISO 27002:2013-14.2.2''
#Test data - If viable options are available, data that contains sensitive information will not be used for system or application testing purposes. Test systems that do contain this data must adhere to common data security standards. ''Reference: ISO 27002:2013-14.2.8''


4.4.10 Supplier Relationship
Deans and Department Heads shall be responsible for:
#Supplier Security Agreements - Security requirements will be documented and agreed with each supplier that may access, process, store, or communicate University owned data. ''Reference: ISO 27002:2013 - 15.1.1, 15.1.2; GLBA: 16 CFR §314(d1), 16 CFR 314(d2)''
<ol><li style="list-style-type:lower-alpha">Ensuring that units adhere to Information Security policies and standards; and</li>
#Monitoring and Review of Supplier Services - Periodic review of supplier services will be conducted to ensure that related security agreements are being adhered to and enforced. ''Reference: ISO 27002:2013-15.2.1''
<li style="list-style-type:lower-alpha">Ensuring that reporting staff receives any required security training.</li></ol>


4.4.11 Information Security Incident Management
'''4.3.6 University Employees and Students'''
#Reporting of Information Security Events - Information security events will be reported through an approved channel and reviewed promptly by authorized employees. ''Reference: ISO 27002:2013-16.1.2; PCI-DSS 3.2 12.5.3, 12.10.1''
#Reporting of Information Security Weaknesses - Employees and contractors will be encouraged to note and report any appreciable information security weaknesses observed in systems or services. ''Reference: ISO 27002:2013-16.1.3''
#Response to Information Security Incidents - Response actions related to security incidents will adhere to a documented set of procedures, including appropriate communication and coordination of efforts. ''Reference: ISO 27002:2013-16.1.4, 16.1.5; GLBA: 16 CFR §314.4(b)(3); UNC Information Security Policy (1400.2, Section III)''
#Learning From Information Security Incidents - Knowledge gained during the analysis of security incidents will be captured, reviewed, and appropriately shared to identify security corrections or control measures that may help address similar events. ''Reference: ISO 27002:2013-16.1.6''
#Collection of Evidence - Methods to preserve electronic evidence will follow adequate standards of discovery and preservation to prevent spoliation. ''Reference: ISO 27002:2013-16.1.7''


4.4.12 Business Continuity Management
All University employees and students shall be responsible for:
#Information Security Continuity - Planning will be undertaken to ensure that appropriate levels of information security protection measures are maintained during emergencies or other adverse events. Periodic verification of these plans will be performed on an annual basis. ''Reference: ISO 27002:2013-17.1.1,17.1.2,171.3''
<ol><li style="list-style-type:lower-alpha">Awareness and adherence to Information Security policies, standards, and guidelines;</li>
#Redundant Information Processing Facilities - Information processing facilities will be implemented with redundancy sufficient to meet identified and documented availability needs. ''Reference: ISO 27002:2013-17.2''
<li style="list-style-type:lower-alpha">Attending any required Information Security training; and</li>
<li style="list-style-type:lower-alpha">Prompt reporting of Information Security Events and Incidents to Information Technology Services without delay.</li></ol>


4.4.13 Compliance Management
'''4.3.7 Vendors'''
#Identification of Compliance Requirements - Regular periodic review will be conducted to ensure that relevant policies, legal and contractual requirements are identified for the University and relevant information systems. ''Reference: ISO 27002:2013-18.1.1''
#Intellectual Property Rights - Procedures will be implemented to ensure compliance with applicable legal, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products. ''Reference: ISO 27002:2013-18.1.2''
#Protection of Records - University records will be protected from loss, destruction, falsification, and unauthorized release in accordance with legal, regulatory, and contractual business requirements. ''Reference: ISO 27002:2013-18.1.3''
#Privacy and Protection of Personally Identifiable Information - The privacy and protection of personally identifiable information will be ensured as required in relevant legal and regulatory frameworks. ''Reference: ISO 27002:2013-18.1.4''


4.4.14 Information Security Review
Complying with all federal and state laws, UNC System policies, Appalachian policies, and contractual obligations with
#Independent Review of Information Security - Assessment of the University’s approach to and management of information security objectives will be performed periodically by a qualified independent third party. ''Reference: ISO 27002:2013-18.2.1''
the University concerning the protection of information resources and information technology.
#Compliance with Security Policies and Standards - Periodic review will be conducted to review the adherence of University units and employees to applicable information security policies and standards. ''Reference: ISO 27002:2013-18.2.2''
#Technical Compliance Evaluations - Periodic technical evaluations, including both automated and manual security assessments, should be performed to ensure that technical controls and security measures adhere to applicable information security policies and standards. ''Reference: ISO 27002:2013-18.2.3''


== Additional References ==
== Additional References ==
:[https://policy.appstate.edu/Payment_Card_Services_Policy Payment Card Industry Data Security Standard]
:[[Payment Card Services Policy|Appalachian Policy 503.8 - Payment Card Services Policy]]
:[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/DataManagementStandard.pdf Data Management Standard]
:[[Information Technology Governance Policy|Appalachian Policy 901 - Information Technology Governance Policy]]
:[https://security.appstate.edu/sites/security.appstate.edu/files/enterprisepasswordstandard.pdf Enterprise Password Management Standard]
:[[Data_Governance|Appalachian Policy 902 - Data Governance Policy]]
:[http://policy.appstate.edu/Payment_Card_Services_Policy Payment Card Services Policy]
:[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/RiskManagementStandard.pdf Information Security Risk Management Standard]
:[https://its.appstate.edu/data-governance/secure-data-handling-standard Secure Data Handling Standards]


== Authority ==
:[https://www.nccu.edu/formsdocs/proxy.cfm?file_id=3561 UNC Policy Manual, Chapter 100.1, Section 502]
:[https://www.northcarolina.edu/apps/policy/index.php?pg=dl&id=19846&format=pdf&inline=1 UNC Policy Manual - 1400.2 Information Security]
:[https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314]
:[http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164]
#[https://security.appstate.edu/sites/security.appstate.edu/files/enterprisepasswordstandard.pdf Enterprise Password Management Standard]
#[http://security.appstate.edu/sites/security.appstate.edu/files/Standards/RiskManagementStandard.pdf Information Security Risk Management Standard]
#[https://its.appstate.edu/data-governance/secure-data-handling-standard Secure Data Handling Standards]
#[https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss- Payment Card Industry Data Security Standard]
#[https://www.nccu.edu/formsdocs/proxy.cfm?file_id=3561 UNC Policy Manual, Chapter 100.1, Section 502]
#[https://www.northcarolina.edu/apps/policy/index.php?pg=dl&id=19846&format=pdf&inline=1 UNC Policy Manual - 1400.2 Information Security]
#[https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314]
#[http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164]


== Contact Information ==
:[http://security.appstate.edu/ ITS Office of Information Security], 828-262-6277
:Office of the Chief Information Officer (828-262-6278)
:Chief Information Security Officer (828-262-6277)


== Original Effective Date ==
== Revision Dates ==
:November 28, 2018
:December 7, 2020
[[Category:Contents]]
[[Category:Information Technology]]

Latest revision as of 14:34, 14 December 2020

Policy 903

Introduction

The purpose of this policy is to outline the framework for the University’s comprehensive Information Security Program to help safeguard the confidentiality, integrity, and availability of campus Information Resources, and comply with federal and state law, and UNC System policies.

Scope

This policy applies to all Appalachian State University employees, students, vendors and visitors.

Definitions

Information Security

The preservation of the confidentiality, integrity and availability of Information Resources and Institutional Data.

Information Security Program

Policies, assessments, protocols, and training designed to govern the security of Information Resources.

Information Resources

Same meaning as defined in Appalachian Policy 901 - IT Governance Policy.

Control

The management of risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.

Information Security Event

An identified occurrence of a system, service, or network state indicating a possible breach of Information Security policy or failure of safeguards, or a previously unknown situation that may be security relevant.

Information Security Incident

An unwanted or unexpected Information Security Event that has a significant probability of compromising business operations and threatening Information Security.

International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)

Independent international organizations responsible for the creation of industry technical and administrative security standards.

Policy and Procedure Statements

Information Security Program

The University shall develop, implement, and maintain a comprehensive Information Security Program (the “Program”). The Program will be updated on a periodic basis or as necessitated by significant changes to the University's mission, major initiatives, or opportunities. The development of the plan will be guided by the following elements:

  1. ISO/IEC 27002 - The Program shall be guided and informed by the ISO/IEC 27002 standard, adopted as the common security framework baseline for campuses of the UNC system;
  2. Legal, Contractual, and Policy Requirements - In relation to the management and protection of Information Resources, the University shall conduct all business in accord with relevant federal and state law, and UNC System policies; and
  3. Proactive Risk Management - The Program shall be driven by the identification, assessment, communication, and cost-effective treatment of risks related to University Information Resources.

Governance, Coordination, and Security Services

4.2.1 Board of Trustees Audit Committee

Appalachian’s Board of Trustees Audit Committee will review and provide oversight of Information Security on at least an annual basis, including, but not limited to, emerging Information Security matters, institutional Program activities, information technology security Controls, and risk assessments.

4.2.2 Information Security Advisory Council

To ensure the Program is aligned with the University’s mission, values, and operational needs, the Chancellor will appoint a University Information Security Advisory Council to oversee the collaborative development of the plan and associated policies, major initiatives, and campus security solutions.

4.2.3 Information Security Liaisons

To ensure that campus units are informed about security initiatives, practices, and requirements, University units that maintain and manage their own Information Technology will appoint Information Security Liaisons to act as central points of contact for communication and coordination with the ITS - Office of Information Security.

4.2.4 ITS - Office of Information Security

The ITS Office of Information Security shall be responsible for providing Information Security services that help identify risks, establish protective measures, and validate conformance with relevant University Information Security policies and standards.

Roles and Responsibilities

4.3.1 Shared Responsibilities

Information Security is a shared responsibility. All employees, students, visitors and vendors of the University share in the responsibility to help protect University Information Resources. The roles and responsibilities for University Information Security include:

4.3.2 Chancellor and Chancellor’s Cabinet

The Chancellor and Chancellor’s Cabinet shall be responsible for:

  1. Approval of the University’s Information Security policy;
  2. Providing executive oversight and support of the Information Security Program;
  3. Providing guidance concerning institutional risk tolerance levels;
  4. Providing resources to meet approved security objectives; and
  5. Periodically reviewing the University’s Information Security posture.

4.3.3 The Chief Information Officer

The Chief Information Officer shall be responsible for oversight of Information Security in accordance with UNC System policies, and has authority and accountability for:

  1. The campus-wide adoption, implementation, and enforcement of the Information Security Program;
  2. Deploying all reasonable measures to maintain the confidentiality, integrity, and availability of Information Resources;
  3. Periodically reporting Information Security posture to the Chancellor and Chancellor’s Cabinet and Board of Trustees Audit Committee; and
  4. Delegating select authority to the Chief Information Security Officer and/or other institutional officers as needed to meet the objectives listed elsewhere in this policy.

4.3.4 Chief Information Security Officer

The Chief Information Security Officer shall be responsible for:

  1. Leading the development and execution of the Program;
  2. Facilitating Information Security governance and collaboration;
  3. Advising the Chief Information Officer and senior leadership on security needs and resource investments; and
  4. Development of Information Security policies, standards, and guidelines.

4.3.5 Deans and Department Heads

Deans and Department Heads shall be responsible for:

  1. Ensuring that units adhere to Information Security policies and standards; and
  2. Ensuring that reporting staff receive any required security training.

4.3.6 University Employees and Students

All University employees and students shall be responsible for:

  1. Awareness and adherence to Information Security policies, standards, and guidelines;
  2. Attending any required Information Security training; and
  3. Prompt reporting of Information Security Events and Incidents to Information Technology Services.

4.3.7 Vendors

Vendors shall be responsible for complying with all federal and state laws, UNC System policies, Appalachian policies, and contractual obligations with the University concerning the protection of Information Resources and information technology.

Additional References

Appalachian Policy 503.8 - Payment Card Services Policy
Appalachian Policy 901 - Information Technology Governance Policy
Appalachian Policy 902 - Data Governance Policy

Authority

  1. Enterprise Password Management Standard
  2. Information Security Risk Management Standard
  3. Secure Data Handling Standards
  4. Payment Card Industry Data Security Standard
  5. UNC Policy Manual, Chapter 100.1, Section 502
  6. UNC Policy Manual - 1400.2 Information Security
  7. Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338) 16 CFR Part 314
  8. Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936) 45 CFR Part 164

Contact Information

Office of the Chief Information Officer (828-262-6278)
Chief Information Security Officer (828-262-6277)

Original Effective Date

March 16, 2015

Revision Dates

November 28, 2018
December 7, 2020