...
Title: Information Security Policy
Subject: Information Security
Policy No: ISO:2013:02
Applies: University-Wide
Issuing Authority: SeniorVice President for Information Resources and Chief Information Officer
Responsible Officer: Director of Information Security
Date Adopted: 09/01/2013
AmendedLast Revision: 1108/2123/20132019
Last RevisionReview: 0708/0223/20192018
I. PURPOSE
The purpose of this policy
...
is to establish a framework for the protection of University information resources from accidental or intentional unauthorized access, modification, or damage in order to meet applicable federal, state, regulatory, and contractual requirements.
II. ACCOUNTABILITY
Under the direction of the President
...
, the Chief Information Officer
...
and Director of Information Security shall ensure compliance with this policy. The
...
Vice
...
Presidents, Deans
...
, and
...
other members of management will implement this policy in their respective areas.
III. APPLICABILITY
This policy applies to all
...
members of the Rowan Community who access and use
...
the University
...
's electronic information and information systems.
IV. DEFINITIONS
Refer to Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
V. POLICY
Information security is the protection of information from threats to ensure business continuity, minimize risks, and maximize university opportunities.
The Information Security Office (ISO) will manage the information security program at Rowan University and is responsible for developing strategies for managing the processes, tools, and policies necessary to prevent, detect, document and counter threats to information.
The information security program will be advised by the Information Technology Security Board (ITSB) which serves as the advisory board for information security governance at the university. The ITSB represents and advocates for the interest of the Rowan Community during decisions that impact information security at the University.
Information security requires a combination of policies and standards to manage information resources throughout its lifecycle.
Policy Development: Policies and standards are crucial to establishing, maintaining and monitoring proper information security practice and define responsibilities, shape processes and allow for oversight of critical information-related operations. At a minimum, the Information Security policies developed and enforced should include:
Acceptable Use
Access Control
Business Continuity Management
Change Management
Data Backup
Electronic Media Disposal
Encryption
Information Classification
...
IV. POLICY
A. All University faculty, students, staff, temporary employees, contractors, outside vendors and visitors to campus who have access to University-owned or managed information through computing systems or devices (“Users”) must maintain the security of that information and those systems and devices.
B. Basic “minimum” requirements apply to all University-owned or managed information and systems and devices. These can be found in the attached Information Security Standards.
C. More extensive requirements apply to Sensitive Information and Mission-Critical Resources. These are discussed below and in the Procedures and Standards documents, which are found in the attached Information Security Procedures and Information Security Standards.
D. Sensitive Information, as defined below, in all its forms – written, spoken, electronically recorded, or printed – must be protected from accidental or intentional unauthorized modification, destruction, or disclosure. The University requires all Users to protect the University’s Sensitive Information by adhering to all Information Security Policies, Procedures, and Standards including, but not limited to the following:
...
Incident Management Policy
Mobile Computing and Removable Media
...
Physical Security for IT Network Resources
Privileged Account Management
Remote Access
...
Security Awareness and Training
Security Incident Management
Security Monitoring
Transmission of Sensitive Information
...
User Password
Workstation Use and Security
Policy Approval - The Information Security Office will follow the documented process for creating, reviewing and updating policies with final approval from the ITSB
Policy Exceptions - While exceptions to an information security policy or standard may weaken the protection of University information resources, they are occasionally necessary and standard procedures and documents should be in place to manage the exception as well as review the need for the exception periodically.
Policy Sanctions - The ISO is responsible for coordinating and enforcing sanctions against Rowan Community members who fail to comply with the University’s information security policies.
The Information Security Office (ISO) will develop and maintain an information security risk management program to frame, assess, analyze, respond, and monitor risk. Guidance for this program will be based on the NIST 800-37 framework and security regulations such as HIPAA, PCI-DSS, FERPA, GLBA etc. Specific requirements under this program will include:
Risk Analysis - In accordance with the Security Risk Analysis requirement under the Security Management Process of the HIPAA Security Rule (§164.308(a)(1)(ii)(A), Rowan University must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI) held by the University via its role as a covered entity for Rowan Medicine. Based on guidance from Health and Human Service’s (HHS) Office of Civil Rights (OCR), the risk analysis must at a minimum include the following nine elements:
Scope of the Analysis
Data Collection
Identification and Documentation of Potential Threats and Vulnerabilities
Assessment of Current Security Measures
Determination of the Likelihood of Threat Occurrence
Determination of the Potential Impact of Threat Occurrence
Determination of the Level of Risk
Final Documentation
Periodic Review and Updates to the Risk Assessment
Risk Management Program - In accordance with the Risk Management requirement under the Security Management Process of the HIPAA Security Rule (§164.308(a)(1)(ii)(B), Rowan University must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Accordingly, Rowan University should:
Ensure a thorough review of the risk analysis results are performed, and associated risk management plans are documented.
Appropriate risk owners and key stakeholders are involved in this process in order to ensure adequate prioritization of risk and implementation of security measures to reduce those risks identified are addressed within an established timeline.
Roles and Responsibilities -
E. Users who are third-party contractors and vendors must be made aware of this policy and their responsibilities for safeguarding the University’s Sensitive Information. ?
F. Information Classification
All Users must be aware of the classification of the various types of University information to which they have access in order to determine the proper controls for safeguarding the information. Regardless of classification, the integrity and accuracy of all information must be protected. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, printed report) must have the same classification regardless of format. Only two levels are to be used when classifying information:
- Sensitive Information: “Sensitive Information” is defined above. It is important to note that the unauthorized disclosure of Sensitive Information to individuals without a business need for access may violate laws or University policies and may have significant ramifications for the University, its employees, its students, or its business associates.
Decisions about the provision of access to Sensitive Information must always be made by the Steward (as defined below) of that Sensitive Information. - Public Information: Public Information includes all information made or received by the University that does not constitute Sensitive Information. Sensitive Information that is disclosed without proper authorization does not, by virtue of its disclosure, become Public Information.
Many Users will find that some of the information to which they have access has been classified as Sensitive Information (e.g., employment records, student records) and some of it as Public Information (e.g., most purchase contracts, most accounting records).
F. Roles and Responsibilities
In addition to knowing the classification of each piece of University information to which they have access as either “Sensitive Information” or “Public Information,”
...
users must be aware of whether, with respect to that information, they serve as
...
an Owner/Steward, a Custodian, a Consumer/User
...
or a User Manager
...
as described within this Policy.
Data Steward
of Information or Data: The Steward is the University or Owner - is accountable for data assets from a business perspective and is the university employee responsible for the approval of the creation of a collection of information or data or the primary user of that information or data. For example, the Registrar is the Steward for much of the University’s student information. The Vice President for Human Resources is the Steward for much of the University’s employee information.
Custodian of Information or Data
: The Custodian is Custodian - is accountable for data assets from a technical perspective and is the university employee responsible for the processing and storage of information or data on behalf of the Steward or Owner of that information or data.
Consumer
/or User
: - A Consumer/User is any person authorized to read, enter, copy, query, download, or update information.
User Managers
: - A User Manager is any University administrator, faculty member, or staff member who supervises
Consumeror sponsors consumer/
Users users or who handles University business unit administrative responsibilities. User Managers are responsible for overseeing their Consumer/Users’ access to Sensitive Information, including:
Reviewing and approving all requests for access authorizations and ensuring it accurately reflect each Consumer/User’s role and required access.
Ensuring that the approved procedures are followed for employee
?suspensions, terminations, and transfers, and that appropriate measures are
?taken to revoke access privileges.
Revoking access privileges from students, vendors, consultants, and others
?when access is no longer necessary or appropriate.
Providing the opportunity for training needed to properly use computer
?systems.
Reporting promptly to the
Executive Director
and of Information Security
Officer ?and to the Office of University Counsel any potential or actual unauthorized access of University Sensitive Information
(security breach) in accordance with the University’s
Protocol Protocol for Responding to Security Breaches of Certain Identifying Information.
Initiating appropriate actions when Information Security Incidents are identified in accordance with the Incident Management Policy.
Ensuring that any Information Security requirements are followed for any acquisitions, transfers, and surplus of equipment that processes or stores electronic information,
such as including but not limited to computers, servers, smartphones
/PDAs, mobile devices, fax machines, and
certain copiers
.Information Security Liaison: Each University business unit that is responsible for maintaining its own information technology services must have a designated Information Security Liaison as well as a designated backup Information Security Liaison.
The duties and responsibilities of the Security Liaison are described in detail in the Security Liaison Policy.Information Security
Officer will work with Stewards, Custodians, User Managers, Consumer/Users, and Information Security Liaisons to develop and implement prudent security policies, procedures, and controls, in consultation with the Office of University Counsel.Director of Information Security: The responsibilities of the Office - The Director of Information Security
and overseeing the staff of the Information Security Office
includeis responsible for:
Developing an Information Security Strategy approved by the Chief Information Officer and
Data Governance Committeethe Information Technology Security Board (ITSB).
Developing and maintaining
a the University Information Security Program to provide University services for:
Security Governance and Oversight
Information Security Policies, Procedures, and Standards
Network Security Protection and Monitoring
Endpoint Security Protection and Monitoring
Vulnerability Management
Information Security Incident Management
Annual Security Risk Assessments
Information Security Consulting
Information Security Policies, Procedures, and StandardsInformation Security Awareness
Information Security Design and Architecture
Technology Risk Management
3rd Party Third Party Security Reviews
Serving as the University Security Officer for HIPAA, FERBA, GLBA, and PCI.
Service Serving as the University Security Liaison to all Local, State, and Federal Government Agencies and Law
Enforcement
G. Mission-Critical Resources
Mission-Critical Resources, as defined below, must be protected from accidental or intentional unauthorized modification, destruction, or disclosure.
The University expects members of its faculty, staff, and student body to understand and mitigate the risks to privacy inherent in digital technologies. The University also requires members of its faculty, staff, and student body to protect the University’s Mission-Critical Resources by adhering to the Information Security Procedures and Standards attached. Users who are third-party contractors and vendors must also be made aware of this policy and their responsibilities for safeguarding the University’s Mission-Critical Resources.
- Definition of A Mission Critical Resource: A Mission-Critical Resource includes any resource that is critical to the mission of the University and any device that is running a mission-critical service for the University or a device that is considered mission critical based on the dependency of users or other processes. Mission-critical services must be available. Typical mission-critical services have a maximum downtime of three consecutive hours or less. Mission-Critical resources for Information Security purposes include information assets, software, hardware, and facilities. The payroll system, for example, is a Mission-Critical Resource.
Mission-critical computer systems and the infrastructure required to support them must be installed in access-controlled areas. In addition, the area in and around a computer facility housing Mission-Critical Resources must afford protection against fire, water damage, and other environmental hazards, such as power outages and extreme temperature situations.
Each University business unit housing Mission Critical Resources is required to establish procedures to provide emergency access to those Resources in the event that the assigned Custodians or Stewards are unavailable, or when operating in an emergency.
Additional responsibilities for individuals working with Mission-Critical Resources are discussed in the Information Security Procedures and Standards, which are attached.
- Definition of A Mission Critical Resource: A Mission-Critical Resource includes any resource that is critical to the mission of the University and any device that is running a mission-critical service for the University or a device that is considered mission critical based on the dependency of users or other processes. Mission-critical services must be available. Typical mission-critical services have a maximum downtime of three consecutive hours or less. Mission-Critical resources for Information Security purposes include information assets, software, hardware, and facilities. The payroll system, for example, is a Mission-Critical Resource.
H. Information Security Related Policies, Procedures, and Standards
For additional information on the University’s information security policies, procedures, standards, and practices, please see:
- Information Security Procedures
- Information Security Standards
- Data Governance Policy
- Software Acquisition Policy
- Acceptable Use Policy
- Access Control Policy
- Data Classification Policy
- Incident Management Policy
- Vulnerability Management Policy
- Remote Access Policy
- Workstation Use Policy
- General User Password Policy
- Policy and Standards for Electronic Media Disposal
- Policy on the Transmission of PHI or PII
- Protocol for Responding to Security Breaches of PHI and PII
- Security Awareness and Training Policy
- Security Liaison Policy
I. Policy Review and Adoption
This policy has been reviewed and adopted under the direction of Rowan’s Data Governance Committee and Chief Information Officer (CIO):
V. COMPLIANCE
Enforcement.
VI. POLICY COMPLIANCE
Violations of this policy may subject the violator to disciplinary actions up to or including termination of employment or dismissal from school, subject to applicable collective bargaining agreements and may subject the violator to penalties stipulated in applicable state and federal statutes.
...
Students who fail to adhere to this Policy or the Procedures and Standards will be referred to the Office of Student Affairs and may be expelled.
...
Affiliates, contractors and vendors who fail to adhere to this Policy and the Procedures and Standards may face termination of their business relationships with the University.
...
B. This policy applies to all Users accessing the ROWAN network or ROWAN information through computing devices owned by or managed through ROWAN or through permission granted by ROWAN. All Users must read this Policy Statement and the related Procedures and Standards in their entirety. If you have any questions about whether this Policy Statement applies to you or how it applies to you, please contact the Information Security Office at 856- 256-4498.
VI. ATTACHMENTS
A. Attachment 1, Sensitive Information
Sanctions shall be applied consistently to all violators regardless of job titles or level in the organization per the Acceptable Use Policy.
By Direction of the CIO:
Mira Lalovic-Hand,
SVP and Chief Information Officer
ATTACHMENT 1
SENSITIVE INFORMATION
Sensitive Information includes all data, in its original and duplicate form, which contains:
- “Personal Identifying Information or PII,” as defined by the New Jersey Identity Theft Protection Act. This includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, state identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or information that can be used to access a person's financial resources.
- “Protected Health Information or PHI” as defined by the Health Insurance Portability?and Accountability Act (HIPAA).
- Student “education records,” as defined by the Family Educational Rights and ?Privacy Act (FERPA).
- “Customer record information,” as defined by the Gramm Leach Bliley Act ?(GLBA).
- “Card holder data,” as defined by the Payment Card Industry (PCI) Data ?Security Standard.
- Information that is deemed to be confidential in accordance with the New Jersey Public Records Act. ?Sensitive Information also includes any other information that is protected by University policy or federal or state law from unauthorized access.
...