Information Security

Information Security

Information Security Program

The Information Security Program establishes and maintains a risk-based program for the protection of information commensurate with the size, complexity, nature and scope of the university’s activities and the sensitivity of customer information, while still enabling the safe creation, storage, and sharing of information as appropriate.

Information Security Program Objectives

  • Ensure and enforce suitable policies, practices, and safeguards are in place to identify, assess, and mitigate risks to information and information technology assets.
  • Protect from unauthorized access, disclosure or identity theft, changes, or destruction of information and systems.
  • Ensure the privacy of student, parent, faculty, staff, and other information.
  • Ensure compliance with federal and state laws and regulations.
  • Protect brand reputation.
  • Establish policies, standards, procedures, guidelines, and awareness that enable the community of authorized users to appropriately protect data.
  • Ensure the availability and reliability of the university information technology systems and data.

Information Security Program Management

The Chief Information Security Officer role and its assigns have officially delegated authority for assessing risks, external and internal threats, recommending mitigating controls, implementing appropriate policies, and conducting program reviews to assess effectiveness of existing policies, processes, and controls to protect university information and technology resources.

The Chief Information Security Officer role and its assigns are also responsible for forming an incident response team for investigating suspected and actual information security incidents.

Information Security Policies

The Chief Information Security Officer role directs the issuance of information security policies, standards, procedures, and guidelines to address:

  • Applicable laws and regulations for compliance
  • Acceptable use of information and information technology for faculty, staff, students, and other users from the campus community  
  • Acceptable safeguards for protection of information technology systems, resources, and information from unauthorized access, disclosure or identity theft, changes, or destruction
  • Acceptable information technology department operations
  • Business requirements

The Chief Information Security Officer role directs periodic reassessments of the program for new risks, threats, processes, technologies, business requirements, and regulatory requirements for risk mitigation and for updating policies and controls.

Confidential Information

Data may be classified as Confidential Information because:

  • it is regulated by law or contract, like FERPA, GLBA, HIPAA, PCI, or other privacy laws,
  • because unauthorized disclosure may lead to identity theft (Social Security Numbers, financial account numbers, or personally identifiable information related to academics, medical information, or address),
  • or the university considers the information confidential (university financial data).

Confidential Information may be subject to special procedures and safeguards.

Asset Management

Information Technology Services maintains an electronic inventory of key computer assets, including desktops, printers, and networking equipment.

All computer equipment containing storage media will be disposed of in a manner that ensures the secure destruction of all regulated and Confidential Information.

Physical Security

The centralized server and network infrastructure equipment are restricted and secured in locked rooms with surveillance cameras at the doors, emergency power-off switches, uninterruptable power supplies, and temperature and humidity sensors.

The building housing the centralized information technology equipment requires card key access outside of normal business hours.  Campus Police and Safety are co-located in the same building with 24-hour surveillance camera monitoring.

Change Management

Information Technology Services Change Management Committee meets at least weekly to review, assess, and approve proposed infrastructure changes.

Information Security and Privacy Incident Response

An information security and/or privacy incident may involve suspected, attempted, or actual unauthorized access to a system or data, unauthorized use of a system, unwanted disruption or denial of service, unauthorized changes to system hardware, firmware, software, or data, or unauthorized disclosure of regulated or Confidential Information. The incident response policy defines information security and privacy incident notification requirements for the community and responses required of the Incident Response Team for timely investigation, remediation, and documentation of incidents.

Access Controls

All systems are restricted to authorized users using unique user IDs and passwords that meet university password standards (length, complexity, history, aging, and removal of vendor default passwords).

Users requesting Information Technology Services Help Desk assistance with resetting or changing passwords must provide sufficient credentials or information for verification of identity.

User access credentials (ID, password) must never be stored or transmitted in clear text.  This also means that some network protocols which do not encrypt credentials, like telnet and ftp, are prohibited.

Some systems containing Confidential Information may require signed agreements or acceptance of an online logon banner policy before being granted access.

Data owners are responsible for reviewing data access requests and approving those that should be authorized, applying the principles of need to know, least privilege, and separation of duties.

Likewise, system administrators, network administrators, database administrators, and others with elevated privileges should be assigned access rights by applying the principles of need to know, least privilege, and separation of duties. Access for employees whose employment has ended must have applicable access rights removed as soon as possible, per the supervisor’s notice.

System Integrity

System integrity standards, using a combination of system patching, anti-malware, event logging, time synchronization, spam protection, firewalls, system backups, off-site storage of backups, etc., must be followed for all applicable computer and network equipment.