Information Systems Security Policy

Background

This policy establishes the requirements, roles, and responsibilities for ensuring the confidentiality, integrity, and availability of 桃瘾社区 IT Services accessed, managed, or controlled by 桃瘾社区 (“桃瘾社区”).

Purpose

The purpose of this policy is to ensure the protection of 桃瘾社区’s information technology services, including applications, computing equipment, networks, servers, licensed third party software and systems, telecommunications systems, other technology or communications platforms, and other resources and the data stored in or on any such technology (collectively, “桃瘾社区 IT Services” or “IT Services”) from unauthorized access or alteration, as well as damage, intrusion, and misuse.

By implementing this policy, 桃瘾社区 will:

  • Establish standards for ensuring the security and confidentiality of 桃瘾社区’s IT Services.
  • Establish administrative, technical, and physical safeguards to protect against unauthorized access or use of 桃瘾社区’s IT Services.
  • Assign responsibility for the security of departmental, administrative, and other critical 桃瘾社区 IT Services.

This policy applies to all employees (faculty and staff) and, as relevant, students who create or are responsible for 桃瘾社区 IT Services, or for IT Services which collect, process, transact or transmit 桃瘾社区 data as defined in the Data Security Policy. All such individuals must maintain the IT Services for which they are responsible in accordance with this policy and other 桃瘾社区 policies and regulations.

Policy

1. Framework for Institutional Information Security Decisions 

Establishment of Ownership

“Information Security” for the purpose of this policy means the protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. 桃瘾社区’s Information Security Program Manager (ISPM), reporting to the Chief Information Officer (CIO) or his or her designee, has the principal obligation for Information Security. This includes, but is not limited to, the execution of 桃瘾社区 college’s Information Security Plan.

The ISPM will develop policies, standards, procedures, and guidelines with input and review from campus stakeholders, based upon best practices in information security, and in accordance with applicable laws and regulations.

Policies, standards, procedures, and guidelines set minimum requirements and expectations under which 桃瘾社区 operates and protects the Services.  These will be regularly reviewed and updated to properly reflect changing risk conditions and mitigation techniques.  At a minimum, information security policies, standards, procedures, and guidelines will be reviewed annually and updated as required.  

The ISPM will collaborate with campus leadership and department management to develop information security policies that appropriately address 桃瘾社区鈥檚 needs.  Departments must notify the ISPM of issues requiring attention through policy, as well as any needed policy changes.

Approval

桃瘾社区’s information security policies, standards, procedures, and guidelines shall be consistent with existing laws, regulations, and 桃瘾社区 culture, and shall support the 桃瘾社区 mission to develop, educate, and serve its community. Policies will be reviewed and approved according to 桃瘾社区’s (桃瘾社区 login required) prior to implementation. As part of implementation, faculty, staff, and students will be notified of the policies.

Exceptions

Individuals or units within 桃瘾社区 that cannot comply with the requirements of the information systems security program established pursuant to this policy or related security policies must submit a written exception request to the ISPM for review and consideration.  Exception requests must include the scope and duration of the exception, business justification, and for exceptions that are temporary, a committed remediation plan to achieve compliance. The ISPM will review the request to ensure proper consideration has been given to the business needs and benefits, and weighed against the security risk to the institution.  Requests for policy exceptions must be submitted to and approved by the ISPM or the CIO prior to implementation of the requested exception. 

In the event of an emergency, the CIO, acting with input from members of 桃瘾社区’s Senior Leadership Team, has the authority to temporarily suspend a specific information security policy in order to recover from a service outage or incident. The ISPM should be notified of the temporary policy suspension so that efforts can be considered and undertaken, as necessary, to mitigate the risks of any increased security threat.

2. Information Security Roles and Responsibilities

Information Security Program Manager (ISPM)

桃瘾社区鈥檚 Information Security Program Manager is responsible for coordinating and overseeing compliance with this policy including investigating and evaluating any incident that may violate this or other policies or information security best practices and, with input from the Vice President and General Counsel, outside counsel, consultants and other resources, determining if a security breach occurred under applicable law.

Technology & Innovation (T&I)

The Technology & Innovation division (T&I) has the primary operational responsibility for 桃瘾社区 IT Services that receive, create, store, handle, or discard information. T&I shall be responsible for:

  • Implementing information security technologies, controls, and services to protect IT Services and data as required by the Information Systems Security Program.
  • Granting and revoking user rights and privileged access to IT Services as directed by the ISPM or Product Owners.
  • Ensuring availability and recovery of IT Services.
  • Abiding by the requirements of the Information Systems Security Program.

Product Owners

Each information technology system, application, server or other service used at 桃瘾社区 (“IT Service”) must have a designated Product Owner, a named individual maintained on file in the Technology & Innovation division. This individual is responsible for ensuring that each such IT Service complies with this policy, and the Product Owner must report any discovered non-compliance or possible security events promptly to the Information Security Program Manager. Product Owner designations are determined at the Vice President or division head level, and VPs/division heads must promptly name a new Product Owner upon reassignment or the departure of a Product Owner from 桃瘾社区 employment.

All information and data at 桃瘾社区, including that which is stored, processed or transmitted by IT Services, is regulated by the College’s Data Security Policy. Product Owners are responsible for ensuring their IT Services are compliant with the Data Security Policy.

For student-developed IT Services in use at 桃瘾社区, a student may be the Product Owner under the supervision of an authorized faculty or staff member, but the faculty or staff member or relevant department or division must name a Product Owner upon the student’s graduation or termination of enrollment from 桃瘾社区. The supervising faculty or staff member will become the Product Owner by default if a new Product Owner is not named.

End Users of IT Services (Faculty, Staff, Students)

End Users shall be responsible for abiding by the 桃瘾社区 Technology Terms of Service when using IT Services at 桃瘾社区.

Third-Party (Vendor) Access

Third parties executing business on behalf of 桃瘾社区, in lieu of or in addition to 桃瘾社区 employees, must agree to follow the information systems security policies.  Third parties are expected to be contractually obligated to protect 桃瘾社区 IT Services to the same degree expected from 桃瘾社区 employees.

Third parties may only access 桃瘾社区 IT Services where there is a business need, only with approval of Product Owners, and only with the minimum access needed to accomplish the business objective. A copy of the relevant information security policies and the third party’s role in ensuring compliance must be formally delivered to the third party prior to access being granted, with provisions made to grant the access in a secure manner. In these cases, third parties shall be subject to the same policies and practices as other members of the 桃瘾社区 community, unless an exception is granted by the ISPM.

Security Obligations in Contracts for Outsourced Services

Contracts with third parties for outsourced information technology services (e.g. SaaS solutions) must include provisions that govern the handling and proper security of all 桃瘾社区 IT Services. These provisions should clearly define requirements of the third party for protection of 桃瘾社区 information, and where possible, should provide 桃瘾社区 the ability to audit the third party as needed in order to ensure information is appropriately protected. Use of the 桃瘾社区 Technology Contact Addendum is recommended for this purpose.  

桃瘾社区 offices and departments must provide oversight of all outsourced information technology service providers to ensure their policies and practices regarding information security are consistent with 桃瘾社区’s policies.

Third parties may be audited as needed in order to ensure compliance.  桃瘾社区 data must be protected whether used, housed, or supported by 桃瘾社区 employees or by third parties. 

The policy provisions will be addressed on a go-forward basis for new and renewed contracts.  There is no expectation that existing contracts will be renegotiated ahead of their renewal dates to comply with these requirements.

3. Human Resources Security

All employees of 桃瘾社区, whether regular or temporary, full or part-time, and any third parties, contractors, volunteers, or vendors who receive access to IT Services must be aware of, understand, and fulfill their information security responsibilities and requirements for any IT Services that they access.

桃瘾社区’s Human Resources division completes a criminal background check on all prospective employees; the check must be completed before the first day worked and before access to IT Services begins. Faculty/staff sponsoring any access by third parties, contractors, volunteers, or vendors who will access Restricted or Confidential data, as defined in the Data Security Policy, in 桃瘾社区 IT Services must contact Human Resources to request a criminal background check prior to access to such data being granted.

All employees, students, and third parties sponsored for account access are required to review and accept the 桃瘾社区 Technology Terms of Service before completing the self-service account registration process. 

The manager or supervisor of employees and third parties (e.g., authorized or approved vendors or contractors) who have access to 桃瘾社区 IT Services is responsible for ensuring that all such individuals are aware of and fulfill their information security responsibilities. Employee disciplinary processes will include provisions addressing violations of information security policies.

4. Information Systems Access Control

Access to 桃瘾社区 IT Services that store, process or transmit Restricted or Confidential data as defined in the Data Security Policy will only be provided to End Users based on business requirements, job function, responsibilities, or need-to-know, and such access must be approved by the manager/supervisor, Product Owner, or data steward, as appropriate.

To the greatest extent technically possible, Product Owners will use group membership data derived from Human Resources systems data (such as department or division affiliation or role) to automatically grant and revoke access to IT Services.

All IT Services must use 桃瘾社区-authorized single-sign on (SSO) and multifactor authentication, unless an exception has been approved by the Chief Information Officer.

Access to 桃瘾社区 IT Services will be revoked, and assets, including assigned laptop or desktop and peripherals, must be returned upon termination of employment with the College. If an employee accepts a new position at the College, the outgoing division’s manager is responsible for deactivating access to IT Services no longer needed in the employee’s new role.

Authorized T&I divisional staff with superuser/root-level access to high-risk systems (such as domain administrator roles) are required to use a unique, separate account from their regular campus account to perform such roles, and must use it only for such system administration tasks. Any service accounts, root-level passwords, or equivalent that cannot be disabled due to the nature of the relevant system must be stored in T&I’s secure credential enclave or a privileged account management system.

5. Information Security Awareness and Training

The ISPM will develop, implement and manage an information security awareness program to be delivered periodically to 桃瘾社区 faculty, staff, and certain other authorized users of 桃瘾社区 IT Services. 

To demonstrate basic competency in information security best practices, designated faculty and staff must complete this training as part of the onboarding process, approximately annually thereafter, or as required by the ISPM. Training requirements for 桃瘾社区 employees are based on job role, division of employment, and scope of data and IT Services access, among other factors; as such, employee information security awareness training needs must be reassessed by managers and supervisors following any change in employee job role or responsibilities.

The Information Security Program Manager will:

  • Develop or acquire information security training and test materials.
  • Update and revise training and test materials at least annually to reflect current threats and information security best practices.
  • Provide the ability to collect feedback regarding the content and efficacy of the training program.
  • Track, record, and report training/testing completion rates and other program statistics.
  • Ensure compliance with training mandates across the College.

The information security awareness program will review security awareness best practices including information classification and handling and how to identify different forms of social engineering attacks (e.g. phishing, phone scams, impersonation calls); it will also include simulated non-malicious phishing email to assess End User readiness and identify knowledge gaps and areas for continuous improvement.

Training in information security threats and safeguards for T&I staff and Product Owners is mandatory, with the extent of technical training to reflect the individual’s responsibility for configuring and maintaining information security safeguards.

6. IT Service Acquisition, Development, and Maintenance

Acquisition of IT Services, including all technology devices, equipment and peripherals, must be either approved by the Chief Information Officer or purchased by T&I, as specified in the 桃瘾社区 Technology Terms of Service.

The Product Owner is responsible for any IT Services written, coded, built or otherwise developed by 桃瘾社区 staff, including ensuring that the IT Products and their subcomponents (including application stack elements) are free from known security vulnerabilities and follow best practices. Product Owners should be aware that virtually all homegrown/developed software and IT Services will require review and updates on a periodic basis, potentially as frequently as monthly or weekly.

7. Information Systems Operations Security

All Product Owners must coordinate and cooperate with the Information Security Program Manager and other T&I staff to ensure that 桃瘾社区 IT Services are operationally secure. This includes:

  • Ensuring all IT Services meet information security standards for approval at acquisition and on an ongoing basis (for (桃瘾社区 login required), this typically involves review of the EDUCAUSE HECVAT questionnaire submitted by the vendor and ongoing review of vendor security reports);
  • Ensuring that (桃瘾社区 login required) hosted by 桃瘾社区 on-campus or in the cloud are configured for routine network and application vulnerability scans and are publicly accessed only through appropriate security measures (such as the web application firewall);
  • Resolving any vulnerabilities or risks associated with an IT Product when reported by vulnerability scans, vendor notices, industry or government warnings, etc., including evaluating IT Services for the presence of risky code, modules or components;
  • For 桃瘾社区-hosted IT Services, using servers and other infrastructure components that are subject to standard configuration and management by T&I to ensure ongoing updates, patches and maintenance;
  • Resolving IT Product errors or problems caused by required updates to supporting infrastructure (such as a server operating system security patch causing a problem with the operation of an IT Product);
  • Ensuring that IT Services implement data retention schedules for Restricted and Confidential data to ensure that Restricted and Confidential data are not maintained for longer than the business need requires;
  • Ensuring that backups of business critical data are captured and maintained in accordance with industry best practices;
  • Verifying that 桃瘾社区 IT Services utilize industry (桃瘾社区 login required), where appropriate, in order to protect the confidentiality and integrity of information, both in transit and at rest;
  • Understanding relevant data security and privacy legal requirements such as those of the Gramm-Leach-Bliley Act, the Federal Educational Rights and Privacy Act, the North Carolina Identity Theft Act, the European Union General Data Protection Directive, and other applicable laws and regulations, sufficient to know whether their IT Product(s) must comply with such regulations and ensuring that they do comply if required;
  • For any IT Product that collects, processes or transmits credit card information as regulated by Payment Card Industry (PCI) standards, ensuring that only 桃瘾社区-authorized security technologies (typically P2PE) are used to avoid bringing other 桃瘾社区 IT services and the network into compliance scope, and coordinating with third-party vendors to ensure they complete a PCI Attestation of Compliance (AoC) annually.

8. Passwords and Multi-factor Authentication

To protect the confidentiality and integrity of 桃瘾社区 data, all 桃瘾社区 account passwords should follow industry best practices for length, complexity, age, password history, dictionary checks, etc. Additionally, to further strengthen the 桃瘾社区 environment, multi-factor authentication should be used where possible in line with industry standards and best practices (e.g., following National Institute of Standards and Technology recommendations), and must be used for administrator and superuser access except by approval of the ISPM.

9. Risk Assessment and Management 

To ensure information security is implemented and operated as required in 桃瘾社区’s policies, standards, procedures, and guidelines, T&I will perform a risk assessment, or other industry standard practices, at planned intervals to assess the institution’s security posture as stated in the Information Security Plan. T&I additionally performs regular automated security vulnerability assessments, participates in processes such as penetration testing as needed to assess possible risks and current remediations, and participates in the College’s financial audits and related processes. Updates on cybersecurity, including the ISPM or CIO’s assessment of known risks, shall be reported to the College’s Senior Leadership Team, or as appropriate or upon request, to the 桃瘾社区 Board of Trustees.

10. Incident Response

The response to information security incidents that threaten the confidentiality, integrity, and availability of 桃瘾社区 IT Services is managed by 桃瘾社区’s Incident Response Plan. This internal document identifies the Incident Response Team, roles and responsibilities, and appropriate steps needed to detect, contain, eradicate, and recover from a security incident.

11. Physical and Environment Security

To protect 桃瘾社区 IT Services from physical threats, access to facilities housing servers and/or network equipment is limited to authorized personnel only. Visitors must be escorted at all times while accessing these areas. Reasonable safeguards should be implemented to protect 桃瘾社区 equipment from environmental threats, including, but not limited to, water, fire, power failures, and surges.

All technology equipment that is end of life (servers, network equipment, laptops/desktops, etc.) should be disposed of in accordance with the latest industry standard recommendations, depending on the potential data elements present.

12. Network Management Security

All networking equipment must be properly configured and maintained at all times.  All relevant security updates must be applied in a timely manner to prevent exploitation or compromise. All default user accounts and passwords on network equipment must be changed prior to implementation.  Network devices should have a hardened system configuration that includes disabling all unnecessary services.  Management interfaces should only be accessible from the 桃瘾社区 network or with the use of a virtual private network (VPN). 

13. Business Continuity and Disaster Recovery

To ensure adequate plans and procedures are in place to enable 桃瘾社区 to avoid or minimize interruption to any critical functions during and after major failures or disasters, 桃瘾社区 will develop and document an appropriate and resilient Business Continuity and Disaster Recovery Plan. This plan will address interruptions to 桃瘾社区 business activities and protect critical business processes from the effects of major failures or disasters. This plan should be tested periodically based on industry best practices and reviewed at least annually.

Administration of Policy

The CIO shall oversee this policy and review it at least once every two years. Changes to this policy shall be made in accordance with the college’s Policy on Policies.

Last Revised: April 2022

Appendix: Definitions

Each term listed below shall carry the associated meaning in the policy unless otherwise defined.  

  • access - The ability to view, use, or change information in 桃瘾社区 IT Services.
  • availability - The degree to which information and critical 桃瘾社区 IT Services are accessible for use when required.
  • confidentiality - The degree to which confidential 桃瘾社区 information is protected from unauthorized disclosure.
  • control - Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Controls help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
  • End User - The person that a software program or hardware device is designed for and who uses the software or hardware after it has been fully developed, marketed, and installed. End Users include students, faculty, staff, contractors, consultants, and temporary employees.
  • IT Services - 桃瘾社区’s information technology services, including applications, computing equipment, networks, servers, licensed third party software and systems, telecommunications systems, other technology or communications platforms, and other resources and the data stored in or on any such technology.
  • Information Security - The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. The focus is on the confidentiality, integrity, and availability of data.
  • integrity - The degree to which the accuracy, completeness, and consistency of information is safeguarded to protect the business of the Institution.
  • Product Owner - Individual with primary responsibility for overseeing the collection, storage, use, and security of a particular IT Service.
  • risk - A probability or threat of damage, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
  • security breach - An unauthorized intrusion into a 桃瘾社区 IT Service where unauthorized disclosure, modification, or destruction of confidential information may have occurred.
  • security incident - An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; interference with IT Service operation; or violation of information security policy.
  • threat - An event or condition that has the potential for causing the loss of confidentiality, integrity, and accessibility of 桃瘾社区 IT Services or data.