ROWAN UNIVERSITY POLICY
Title: Information Security Policy
...
A. All University faculty, students, staff, temporary employees, contractors, outside vendors and visitors to campus who have access to University-owned or managed information through computing systems or devices (“Users”) must maintain the security of that information and those systems and devices.
B. Basic “minimum” requirements apply to all University-owned or managed information and systems and devices. These can be found in the attached Information Security Standards.
C. More extensive requirements apply to Sensitive Information and Mission-Critical Resources. These are discussed below and in the Procedures and Standards documents, which are found in the attached Information Security Procedures and Information Security Standards.
D. Sensitive Information, as defined below, in all its forms – written, spoken, electronically recorded, or printed – must be protected from accidental or intentional unauthorized modification, destruction, or disclosure. The University requires all Users to protect the University’s Sensitive Information by adhering to all Information Security Policies, Procedures, and Standards including, but not limited to the following:
- Acceptable Use Policy
- Access Control Policy
- Incident Management Policy
- Mobile Computing and Removable Media Policy
- Remote Access Policy
- Workstation Use Policy
- General User Password Policy
- Policy and Standards for Electronic Media Disposal
- Policy on the Transmission of Sensitive Information (including PHI or PII)
- Protocol for Responding to Security Breaches of Sensitive Information (including PHI and PII)
E. Users who are third-party contractors and vendors must be made aware of this policy and their responsibilities for safeguarding the University’s Sensitive Information. ?
F. Information Classification
All Users must be aware of the classification of the various types of University information to which they have access in order to determine the proper controls for safeguarding the information. Regardless of classification, the integrity and accuracy of all information must be protected. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, printed report) must have the same classification regardless of format. Only two levels are to be used when classifying information:
- Sensitive Information: “Sensitive Information” is defined above. It is important to note that the unauthorized disclosure of Sensitive Information to individuals without a business need for access may violate laws or University policies and may have significant ramifications for the University, its employees, its students, or its business associates.
Decisions about the provision of access to Sensitive Information must always be made by the Steward (as defined below) of that Sensitive Information. - Public Information: Public Information includes all information made or received by the University that does not constitute Sensitive Information. Sensitive Information that is disclosed without proper authorization does not, by virtue of its disclosure, become Public Information.
Many Users will find that some of the information to which they have access has been classified as Sensitive Information (e.g., employment records, student records) and some of it as Public Information (e.g., most purchase contracts, most accounting records).
...
- Steward of Information or Data: The Steward is the University employee responsible for the approval of the creation of a collection of information or data or the primary user of that information or data. For example, the Registrar is the Steward for much of the University’s student information. The Vice President for Human Resources is the Steward for much of the University’s employee information.
- Custodian of Information or Data: The Custodian is responsible for the processing and storage of information or data on behalf of the Steward of that information or data.
- Consumer/User: A Consumer/User is any person authorized to read, enter, copy, query, download, or update information.
- User Managers: A User Manager is any University administrator, faculty member, or staff member who supervises Consumer/Users or who handles University business unit administrative responsibilities. User Managers are responsible for overseeing their Consumer/Users’ access to Sensitive Information, including:
- Reviewing and approving all requests for access authorizations and ensuring it accurately reflect each Consumer/User’s role and required access.
- Ensuring that the approved procedures are followed for employee ?suspensions, terminations, and transfers, and that appropriate measures are ?taken to revoke access privileges.
- Revoking access privileges from students, vendors, consultants, and others ?when access is no longer necessary or appropriate.
- Providing the opportunity for training needed to properly use computer ?systems.
- Reporting promptly to the Executive Director and Information Security Officer ?and to the Office of University Counsel any potential or actual unauthorized access of University Sensitive Information (security breach) in accordance with the University’s Protocol for Responding to Security Breaches of Certain Identifying Information.
- Initiating appropriate actions when Information Security Incidents are identified in accordance with the Incident Management Policy.
- Ensuring that any Information Security requirements are followed for any acquisitions, transfers, and surplus of equipment that processes or stores electronic information, such as computers, servers, smartphones/PDAs, and certain copiers.
- Information Security Liaison: Each University business unit that is responsible for maintaining its own information technology services must have a designated Information Security Liaison as well as a designated backup Information Security Liaison. The duties and responsibilities of the Security Liaison are described in detail in the Security Liaison Policy.
Key responsibilities for the individuals serving in each of the above roles are discussed in the Information Security Procedures and Standards, which are attached. In addition, the University’s Executive Director and Information Security Officer will work with Stewards, Custodians, User Managers, Consumer/Users, and Information Security Liaisons to develop and implement prudent security policies, procedures, and controls, in consultation with the Office of University Counsel. - Chief Information Security Officer: The responsibilities of the Chief Information Security Officer and the staff of the Information Security Office include:
- Developing an Information Security Strategy approved by the Chief Information Officer and Data Governance Committee.
- Developing and maintaining a University Information Security Program to provide University services for:
- Security Governance and Oversight
- Network Security Protection
- Endpoint Security Protection
- Vulnerability Management
- Incident Management
- Annual Security Risk Assessments
- Information Security Consulting
- Information Security Policies, Procedures, and Standards
- Information Security Awareness
- Information Security Design and Architecture
- Technology Risk Management
- 3rd Party Security Reviews
- Serving as the University Security Officer for HIPAA, FERBA, GLBA, and PCI
- Service as the University Security Liaison to all Local, State, and Federal Government Agencies and Law Enforcement
G. Mission-Critical Resources
Mission-Critical Resources, as defined below, must be protected from accidental or intentional unauthorized modification, destruction, or disclosure.
The University expects members of its faculty, staff, and student body to understand and mitigate the risks to privacy inherent in digital technologies. The University also requires members of its faculty, staff, and student body to protect the University’s Mission-Critical Resources by adhering to the Information Security Procedures and Standards attached. Users who are third-party contractors and vendors must also be made aware of this policy and their responsibilities for safeguarding the University’s Mission-Critical Resources.
- Definition of A Mission Critical Resource: A Mission-Critical Resource includes any resource that is critical to the mission of the University and any device that is running a mission-critical service for the University or a device that is considered mission critical based on the dependency of users or other processes. Mission-critical services must be available. Typical mission-critical services have a maximum downtime of three consecutive hours or less. Mission-Critical resources for Information Security purposes include information assets, software, hardware, and facilities. The payroll system, for example, is a Mission-Critical Resource.
Mission-critical computer systems and the infrastructure required to support them must be installed in access-controlled areas. In addition, the area in and around a computer facility housing Mission-Critical Resources must afford protection against fire, water damage, and other environmental hazards, such as power outages and extreme temperature situations.
Each University business unit housing Mission Critical Resources is required to establish procedures to provide emergency access to those Resources in the event that the assigned Custodians or Stewards are unavailable, or when operating in an emergency.
Additional responsibilities for individuals working with Mission-Critical Resources are discussed in the Information Security Procedures and Standards, which are attached.
- Definition of A Mission Critical Resource: A Mission-Critical Resource includes any resource that is critical to the mission of the University and any device that is running a mission-critical service for the University or a device that is considered mission critical based on the dependency of users or other processes. Mission-critical services must be available. Typical mission-critical services have a maximum downtime of three consecutive hours or less. Mission-Critical resources for Information Security purposes include information assets, software, hardware, and facilities. The payroll system, for example, is a Mission-Critical Resource.
H. Information Security Related Policies, Procedures, and Standards
For additional information on the University’s information security policies, procedures, standards, and practices, please see:
- Information Security Procedures
- Information Security Standards
- Data Governance Policy
- Software Acquisition Policy
- Acceptable Use Policy
- Access Control Policy
- Data Classification Policy
- Incident Management Policy
- Vulnerability Management Policy
- Remote Access Policy
- Workstation Use Policy
- General User Password Policy
- Policy and Standards for Electronic Media Disposal
- Policy on the Transmission of PHI or PII
- Protocol for Responding to Security Breaches of PHI and PII
- Security Awareness and Training Policy
- Security Liaison Policy
I. Policy Review and Adoption
This policy has been reviewed and adopted under the direction of Rowan’s Data Governance Committee and Chief Information Officer (CIO):
V. COMPLIANCE
A. Failure to adhere to this Policy and the Procedures and Standards may put University information assets at risk and may have disciplinary consequences for employees up to and including termination of employment. Students who fail to adhere to this Policy or the Procedures and Standards will be referred to the Office of Student Affairs and may be expelled. Contractors and vendors who fail to adhere to this Policy and the Procedures and Standards may face termination of their business relationships with the University.
...