The purpose of this policy is to define requirements for system security planning and management to improve protection of university information system resources.
Under the direction of the President, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy.
This policy applies to all University departments, administrative units, and affiliated organizations that use University information technology resources to create, access, store, or manage University Data in order to perform their business functions. This requirement applies to enterprise information systems and to any system that requires special attention to security due to the risk of harm resulting from loss, misuse, or unauthorized access to or modification of the information it holds.
A. "Confidential data" - Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.
B. "Enterprise information system" - An information system and/or server providing services commonly needed by the University community and typically provided by the IERP and/or IRT units. Departmental information systems, by contrast, provide services specific to the mission and focus of individual departments, administrative units, or affiliated organizations.
C. "Information Resources and Technology" (IRT) - The Rowan University department responsible for the governance of all information and technology.
D. "Institutional Effectiveness, Research & Planning" (IERP) - The Office of Institutional Effectiveness, Research & Planning (IERP) is Rowan University's official source for all data and statistics used for assessment, state and federal reporting.
E. "Information Technology Infrastructure Library" (ITIL) - A cohesive set of best practices for Information Technology Service Management.
F. "Live data" - Data accessible to users through systems that are in a production environment (i.e., live).
G. "National Institute of Standards and Technology" (NIST) - The federal technology agency that works with industry to develop and apply technology, measurements, and standards.
H. "Sanitized" - Having had sensitive information removed from a document or other medium so that it may be distributed to a broader audience.
I. "SysAdmin, Audit, Network, and Security" (SANS) - A private U.S. company that specializes in information security and cybersecurity training, and in security design and implementation best practices.
J. "Sensitive" - Any information that can be used for the purpose of identification.
K. "University Data" - Any data related to Rowan University functions that are a) stored on University information technology systems, b) maintained by Rowan faculty, staff, or students, or c) related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).
L. "Vulnerability" - A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
A. Information Security Policy
A. Security must be considered at all stages of the life cycle of an information system (i.e., feasibility, planning, development, implementation, maintenance, and retirement) in order to:
B. The Chief Information Security Officer (CISO) defines the strategy for the appropriate security of all software and web applications, and monitors, establishes and enforces remediation timelines and sanctions for non-compliant systems campus-wide. The Information Security Office (ISO) will establish security standards for the acquisition, development, deployment and maintenance of all software and web applications that handle sensitive information or are accessible from off campus. These standards will ensure that fundamental security principles are incorporated, such as those embodied in the NIST, ITIL and SANS frameworks.
C. Acquisition - All campus software and web application acquisitions or upgrades that involve the handling of information and/or access from off campus must be reviewed and approved in writing by the CISO or his/her designee(s) prior to purchase or implementation. All contracts for work that involves the handling of information and/or access from off campus must likewise be reviewed and approved in writing by the CISO or his/her designee(s) prior to acquisition.
D. Development - All application and web developers must familiarize themselves with, and follow, the campus Application Development Standards to ensure they employ secure procedures for any application or web development involving University Data. All application code for such applications must be reviewed and approved in writing by the ISO prior to deployment. All significant changes to application code must also be reviewed for vulnerabilities prior to deployment. All applications or web processes that handle, process or store critical or sensitive University information must be housed only within secured data centers approved by the CISO and must run on secured systems meeting all applicable security policies and standards approved by the ISO.
E. Maintenance and Testing - Access to source code and other critical system resources during testing, development, or production must be limited to only authorized personnel with an authorized work-related need.
F. Responsibilities:
Violations of this policy may require the removal of any unapproved IT Resources at the department's or school's expense, and may subject the violator to disciplinary action, up to and including termination of employment or dismissal from a school.
By Direction of the CIO:
__________________________________
Mira Lalovic-Hand,
VP and Chief Information Officer