...

This policy applies to all University departments, administrative units, and affiliated organizations that use University information technology resources to create, access, store or manage University Data to perform their business functions. The requirement applies to enterprise information systems or systems that require special attention to security due to the risk of harm resulting from loss, misuse, or unauthorized access to or modification of the information therein.

IV.  DEFINITIONS

...

  1. "Confidential data" - Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.

...

  1. "Enterprise information system" - An information system and/or server providing services commonly needed by the University community and typically provided by the IERP and/or the IRT units. Departmental information systems provide services specific to the mission and focus of individual departments, administrative units, or affiliated organizations.

...

  1. "Information Resources and Technology" (IRT) – the Rowan University department responsible for the governance of all information and technology.

...

  1. "Institutional Effectiveness, Research & Planning" (IERP) - The Office of Institutional Effectiveness, Research & Planning (IERP) is Rowan University's official source for all data and statistics used for assessment, state and federal reporting.

...

  1. "Information Technology Infrastructure Library" (ITIL) - Provides a cohesive set of best practices for Information Technology Service Management.

...

  1. "Live data" - Data accessible to users through systems that are in a production environment (i.e., live).

...

  1. "National Institute of Standards and Technology" (NIST) - NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards.

...

  1. "Sanitized" - The process of removing sensitive information from a document or other medium so that it may be distributed to a broader audience.

...

  1. "System Administration and Network Security" (SANS) - SANS is a private U.S. company that specializes in information security and cybersecurity training, and security design and implementation best practices.

...

  1. "Sensitive" - Any information that can be used for the purpose of identification.

...

  1. "University Data" - Any data related to Rowan University functions that are a) stored on University information technology systems, b) maintained by Rowan faculty, staff, or students, or c) related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).

...

  1. "Vulnerability" - A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

V.   REFERENCES

A.  Information Security Policy

...

    1. Test data - Testing of enterprise information systems should be done with fabricated data that mimics the characteristics of the real data, or on copies of real data with any confidential data appropriately sanitized. Testing should not be done on live data due to the threat to its confidentiality and/or integrity. Testing that requires the use of live data or confidential data must have appropriate security controls employed.
    2. Vulnerability management - An assessment of the system's security controls and a vulnerability assessment that seeks to identify weaknesses that may be exploited must be performed on all new enterprise information systems, or ones undergoing significant change, before moving them into production. Periodic vulnerability assessments must also be performed on production enterprise information systems, and appropriate measures taken to address the risk associated with identified vulnerabilities. Vulnerability notifications from vendors and other appropriate sources should be monitored and assessed for all systems and applications associated with enterprise information systems.

F.  Responsibilities:

    1. Information Security Office (ISO) - Coordinates the development, review, and approval of system security plans as well as the identification, implementation, and assessment of common security controls; oversees periodic vulnerability assessments for enterprise information systems; and coordinates implementation of other assessments as needed with information system security administrators.
    2. System Administrator - Ensures the implementation of appropriate operational security controls for an information system; coordinates with the ISO in the identification, implementation, and assessment of common security controls; plays an active role in developing and updating a system security plan and coordinating with an information system owner any changes to the system and assessing the security impact of those changes. This role may be filled by someone directly involved with the development, maintenance, and/or operation of the information system.

...