Information Security Policy: Difference between revisions
Revision as of 12:50, 18 March 2015
Policy 916
Introduction
1.1 Appalachian State University will develop, implement, and maintain a comprehensive Information Security Plan to help safeguard the confidentiality, integrity, and availability of campus information resources and address security requirements defined by University of North Carolina policies, state and federal laws, and relevant contractual obligations.
Scope
2.1 This policy applies to all Appalachian State University employees, students, and affiliates.
Definitions
Information Security
- Information Security is the preservation of confidentiality, integrity and availability of information.
Confidentiality
- Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Availability
- Availability is the property that information is accessible and usable upon demand by an authorized person or entity.
Integrity
- Integrity is the property that information is accurate and complete.
Risk
- In the context of Information Security, risk is the exposure to potential reduction of confidentiality, integrity, and availability of information assets such as information systems, data, user credentials, and other computing resources.
Control
- A control is a means of managing risk which can be of an administrative, technical, management, or legal nature. Examples include policies, procedures, guidelines, practices or organizational structures.
Information Security Plan
- The Information Security plan is a coherent set of information security policies, processes, systems, and objectives necessary for cost-effectively managing risks related to University information assets. It is the “blueprint” for how Information Security activities shall be conducted and refined.
Information Security Program
- The Information Security program represents all interrelated services, activities, and initiatives needed to meet the security objectives defined within the Information Security Plan.
Information Processing Facilities
- Any information processing system, service, or infrastructure, or the physical facilities housing them.
Information Asset
- Information Assets are valued physical and electronic resources that can be used to create, store, distribute, use, integrate and manipulate information.
Information Security Event
- Identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
Information Security Incident
- Unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Data Maintenance
- The action of managing or editing the data inside an administrative system for the purpose of doing business at the University.
Data Inquiry
- The action of querying data from an environment designed for that purpose with the intent of informing and influencing decision making.
ISO
- “ISO” refers to the International Organization for Standardization.
GLBA
- “GLBA” refers to the Gramm-Leach-Bliley Act (Public Law 106-102; 113 Stat. 1338).
HIPAA
- “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936).
CFR
- “CFR” refers to the Code of Federal Regulations.
PCI-DSS
- “PCI-DSS” refers to the Payment Card Industry Data Security Standard.