Information Security Policy

Policy Name: Information Security Policy
Policy ID Number: 03-05-012
Version Effective Date: October 10, 2016
Last Reviewed on: January 1, 2019
Policy Applies To: University wide
Responsible Office: Information Technology


INTRODUCTION AND STATEMENT OF PURPOSE
The University is committed to applying the necessary security measures to ensure the protection of the critical information it manages and the continuation of the University’s business operations.

It is the University’s goal to apply a comprehensive and integrated approach to meet the security requirements necessary to keep a safer business environment for its constituents and to maintain compliance with Federal and State laws.

The information security policy shall be used to establish the necessary security controls to enable the University to better protect its information resources and data assets against theft, abuse, and any other form of harm or loss. The policy shall also work to maintain compliance with Federal and State laws, which include:

  • Gramm-Leach-Bliley Act (GLBA) for protection of financial records collected.
  • Family Educational Rights and Privacy Act (FERPA) for protection of student records/PII collected.
  • Payment Card Industry Data Security Standards (PCI DSS) for protection of credit card information collected.
  • Health Insurance Portability and Accountability Act (HIPAA) for protection of medical records collected.
  • General Data Protection Regulation (GDPR) for protection of EU citizen personal records.

The goal is to improve the University’s security posture through better risk management and providing assurance that risks to IT assets are being adequately addressed.

POLICY

Scope
The information security policy applies to all – but shall not be limited to – employees, faculty, contractors, consultants, third-party service providers, temporary workers, all campuses, and any others who have direct access to the University’s facilities and information resources.

Roles and Responsibilities
Executive Board
Continued commitment and support of the information security policies, standards, and processes required to maintain a successful information security program.

Deans, Directors, and Department Heads
All Deans, Directors, and Department Heads are responsible for the security of information resources in all areas under their jurisdiction and for implementing information security requirements on an office-wide basis. They shall provide guidance and coordinate the implementation of information security controls within their respective areas.

Employees, Faculty, Students
Employees, faculty, and students have a responsibility to manage and protect the confidentiality, availability, and integrity of University-owned data assets and information resources that have been made accessible to them for use within the University.

Department of Information Technology
All IT group members are responsible for the security, confidentiality, availability, and integrity of information resources in all areas under their jurisdiction and for implementing information security requirements on a campus-wide basis.

Third-Party Consultants/Contractors
Contractors and/or third-party managed service providers have a responsibility to manage and protect the confidentiality, availability, and integrity of University-owned data assets and information resources to which they have been granted access by a University sponsor in order to fulfil a required service.

Policy Framework
The policy framework establishes the directives for the security standards, processes, procedures, and controls that shall be implemented within the University to safeguard its environment.

The following details the information security policy framework that will enable the University to better protect its business operations and information resources:

  • Risk and Vulnerability Management – The University shall continuously perform risk assessments to identify threats, risk factors, and areas of vulnerability, and to initiate appropriate mitigation strategies to safeguard business operations.
  • Asset Management – The University shall implement standards for deploying, operating, managing, maintaining, upgrading, safeguarding, and disposing of information resources and data assets to reduce the chances of an incident occurring.
  • Access Control – The University shall implement a set of access control standards to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) to safeguard the University’s information resources, its operations, and data assets.
  • Systems Configuration Management – The University shall set secure configuration standards for devices, operating systems, and software applications that are or will be connected to the network in order to secure them.
  • Incident Response Management – The University shall have a documented plan in place that it will use to manage and contain a security incident, mitigate its impact, and restore business operations should one occur.
  • Security Awareness – The University shall establish a security awareness program to ensure security awareness among its staff members, faculty, and students.
  • Compliance – The University shall set standards to ensure that information security strategies are implemented to remain in compliance with state and federal laws and regulations.
  • Business Continuity and Disaster Recovery – The University shall implement a plan and have a strategy in place to continue providing services should some event impact business operations, or to recover from a disaster caused by either natural or unnatural causes in order to restore business operations.
  • Continuous Monitoring – The University shall continuously monitor its business operating environment so that it is able to detect and mitigate security events and other anomalies that can impact or take down business operations.
  • Network Management – The University shall implement standards that will allow it to preserve the confidentiality, availability, and integrity of network operations to mitigate the risks of security threats.
  • User Acceptance – The University shall implement standards to ensure that its information resources and data assets are used only for purposes relating to the university, and not for other purposes that may be illegal or harmful to the university or any other entities.
  • Data Security – The University shall implement protection mechanisms to secure its sensitive data and ensure its confidentiality, availability, and integrity.
  • Physical Security – The University shall implement security controls to physically secure all critical areas of the business environment.

The security controls that shall be used by the University can be referenced back to the ISO 27002 standard and the SANS Top 20 Critical Security Controls.

The University shall review its information security policy as necessary to adjust for newly discovered risks, changes in the environment and/or threat landscape, changes in laws and regulations, or changes to its business operations.

Exceptions
Any exception to the information security policy must be requested and reviewed by senior management for approval.

Enforcement
Non-compliance with the information security policy without an approved exception can result in disciplinary action up to and including termination of employment. Students’ sanctions shall be commensurate with the severity and/or frequency of the offense and may include suspension or expulsion.

DATE TO INITIATE REVIEW AND UPDATE
As deemed necessary or appropriate by the Policy Coordinator, but at least every 5 years from the date of the last review.