Information Security Policy - 2D2
Storage of University data on computers and its transfer across the network eases use and expands functionality. Commensurate with that expansion is the need for the appropriate security measures. Security is not distinct from the functionality.
The Information Security Policy (Policy) recognizes that not all departments within the University are the same and that various departments within the University use data differently. The principles of academic freedom and free exchange of ideas apply to this policy, and this policy is not intended to limit or restrict those principles. These policies apply to all departments within the University.
The Policy is written to incorporate current technological advances. The technology installed at some units may limit immediate compliance with the Policy. Instances of non-compliance must be reviewed and approved by the Chief Information Officer.
Throughout the document the term must and should are used carefully. "Musts" are not negotiable; "shoulds" are goals for the university. The terms data and information are used interchangeably in the document.
The terms system and network administrator are used in this document. These terms are generic and pertain to any person who performs those duties, not just those with that title or primary job duty. Many students, faculty and staff members are the system administrators for their own machines.
PURPOSE OF THIS POLICY
By information security we mean protection of the University's data, applications, networks, mobile devices, and computer systems from unauthorized access, alteration, or destruction.
The purpose of the information security policy is:
- To establish a University-wide approach to information security.
- To prescribe mechanisms that help identify and prevent the compromise of information security and the misuse of University data, applications, networks and computer systems.
- To define mechanisms that protect the reputation of the University and allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to worldwide networks.
- To prescribe an effective mechanism for responding to external complaints and queries about real or perceived non-compliance with this policy.
The Chief Information Officer (CIO) and Chief Information Security Officer (CISO) are responsible for establishing and enforcing the policy.
The CIO and CISO must see to it that:
- The information security policy is updated on a regular basis and published as appropriate.
- Each academic school or administrative division appoints a person or people to act as a liaison to Information Technology Services (ITS) for security implementation, incident response, periodic user access reviews, and education of information security policies including, for example, information about virus infection risks. It is the unit's responsibility to notify the office of the CIO of the identity of this person or people. The office of the CIO will maintain a comprehensive list of security liaisons.
- The CISO will chair the University's IT Security Committee, which consists of members from each Division as well as ex-officio members from ITS. This group will meet on a quarterly basis to: receive and review reports from auditors and IT staff; review security policies and procedures, including ITS disaster recovery plans; recommend new and amended policies and procedures; make security recommendations to the IT Executive Committee; review and share security developments in the global IT community; and develop IT security-related education for the SIUE community.
- The University will use a layered approach of overlapping controls, monitoring and authentication to ensure overall security of the University's data, network and system resources.
- Security reviews of servers, firewalls, routers and monitoring platforms must be conducted on a regular basis. These reviews must include monitoring access logs and results of intrusion detection software, where it has been installed.
- Vulnerability and risk assessment tests of external network connections should be conducted on a regular basis. At a minimum, testing should be performed annually, but the sensitivity of the information secured may require that these tests be done more often.
- Education should be implemented to ensure that users understand data sensitivity issues, levels of confidentiality, and the mechanisms to protect the data.
- Violation of the Information Security Policy may result in disciplinary actions as authorized by the University in accordance with University and campus disciplinary policies, procedures, and codes of conduct.
DATA CLASSIFICATION POLICY
It is essential that all University data be protected. There are, however, gradations that require different levels of security. All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance. We have specified four classes below:
High-Risk: Information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure. Data covered by federal and state legislation, such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA) or the Data Protection Act, are in this class. Payroll, personnel, and financial information are also in this class because of privacy requirements.
This policy recognizes that other data may need to be treated as high-risk because it would cause damage or loss to the University if disclosed or modified. The data owner and the Information Technology Security Committee should make this determination. It is the data owner's and the IT Security Committee's responsibility to implement the necessary security requirements.
Confidential: Data that would not expose the University to loss if disclosed, but that the data owner and/or the IT Security Committee feels should be protected to prevent unauthorized disclosure. It is the data owner's and the IT Security Committee's responsibility to implement the necessary security requirements.
Personal: Data created by individuals in the course of their work for the University. This may include emails, spreadsheets, word processing documents, and other such files normally stored in an individual's personal storage space, such as a computer's hard drive, flash drive, or shared drive.
Public: Information that is freely available.
All information resources should be categorized and protected according to the requirements set for each classification. The data classification and its corresponding level of protection should be consistent when the data is replicated and as it flows through the University.
- Data owners must determine the data classification and must ensure that the data custodian is protecting the data in a manner appropriate to its classification.
- No University-owned system or network subnet can have a connection to the Internet without the means to protect the information on those systems consistent with its confidentiality classification.
- High-risk data must be encrypted during transmission over insecure channels.
- Confidential data should be encrypted during transmission over insecure channels.
- All appropriate data should be backed up, and the backups tested periodically, as part of a documented, regular process.
- Backups of data must be handled with the same security precautions as the data itself. When systems are disposed of, or repurposed, data must be certified deleted or disks destroyed consistent with industry best practices for the security level of the data.
ACCESS CONTROL POLICY
- Data access controls must have sufficient granularity to allow the appropriate authorized access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. This balance should be recognized.
- Where possible and financially feasible, more than one person must have full rights to any university owned server storing or transmitting high-risk data. The University must have a standard policy that applies to user access rights. This will suffice for most instances. Data owners or custodians may enact more restrictive policies for end-user access to their data.
- Access to the network and servers and systems should be achieved by individual and unique logins, and require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication.
- As stated in the current campus policies on appropriate and acceptable use, users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents. All users must secure their username or account, password, and system access from unauthorized use.
- All users of systems that contain high-risk or confidential data must have a strong password - the definition of which will be established and documented by Information Technology Services (ITS). Empowered accounts, such as administrator, root or supervisor accounts, must be changed frequently, consistent with guidelines established by ITS.
- Passwords must not be placed in emails unless they have been encrypted.
- Default passwords on all systems must be changed after installation. All administrator or root accounts must be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.
- Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secure.
- Users are responsible for safe handling and storage of all University authentication devices. Authentication tokens (such as a SecureID card) should not be stored with a computer that will be used to access the University's network or system resources. If an authentication device is lost or stolen, the loss much be immediately reported to the appropriate individual in the issuing unit so that the device can be disabled.
- Terminated employees should have their accounts disabled upon transfer or termination. Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted by the IT Security Committee.
- Transferred employee access must be reviewed and adjusted as found necessary.
- Monitoring must be implemented on all systems including recording logon attempts and failures, successful logons and date and time of logon and logoff.
- Activities performed as administrator or super-user must be logged where it is feasible to do so.
- Personnel who have administrative system access should use other less powerful accounts for performing non-administrative tasks. There should be a documented procedure for reviewing system logs.
VIRUS PREVENTION POLICY
- The willful introduction of computer viruses or disruptive/destructive programs into the University environment is prohibited, and violators may be subject to prosecution.
- All desktop systems that connect to the network must be protected with an ITS-approved, licensed anti-virus software product that is kept updated according to the vendor's recommendations.
- All servers and workstations that connect to the network and that are vulnerable to virus or worm attack must be protected with an ITS-approved, licensed anti-virus software product that is kept updated according to the vendor's recommendations.
- All incoming data, including electronic mail, must be scanned for viruses by the email server. Outgoing electronic mail should be scanned where such capabilities exist.
- Where feasible, system or network administrators should inform users when a virus has been detected.
- Virus scanning logs must be maintained whenever email is centrally scanned for viruses.
INTRUSION DETECTION POLICY
- Intruder detection must be implemented on all servers and workstations containing data classified as high-risk or confidential.
- Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems must be enabled.
- Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected.
- Intrusion tools should be installed where appropriate and checked on a regular basis.
INTERNET SECURITY POLICY
- All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the data is classified high-risk and/or confidential.
SYSTEM SECURITY POLICY
- All systems connected to the Internet should have a supported version of the operating system installed.
- All systems connected to the Internet must be current with security patches.
- System integrity checks of host and server systems housing high-risk University data should be performed.
ACCEPTABLE USE POLICY
- University computer resources must be used in a manner that complies with University policies and State and Federal laws and regulations. It is against University policy to install or run software requiring a license on any University computer without a valid license.
- Use of the University's computing and networking infrastructure by University employees unrelated to their University positions must be limited in both time and resources and must not interfere in any way with University functions or the employee's duties. It is the responsibility of employees to consult their supervisors, if they have any questions in this respect.
- Uses that interfere with the proper functioning or the ability of others to make use of the University's networks, computer systems, applications and data resources are not permitted.
- Use of University computer resources for personal profit is not permitted except as addressed under other University policies.
- Decryption of passwords is not permitted, except by authorized staff performing security reviews or investigations. Use of network sniffers must be restricted to system administrators who must use such tools to solve network problems. Auditors or security officers in the performance of their duties may also use them. They must not be used to monitor or track any individual's network activity except under special authorization as defined by campus policy that protects the privacy of information in electronic form.
MOBILE DEVICE POLICY
- This policy applies to all electronic computing and storage devices that are considered high likelihood risk factors for loss or theft (examples include laptop computers, smartphones, and tablet computers) and used by the Southern Illinois University Edwardsville (SIUE) faculty and staff in the performance of their duties, and to all SIUE data classified as high risk and confidential (see Data Classification Policy section in this document) when accessed through electronic computing, storage devices, or mobile devices, regardless of the device's ownership. SIUE data classified as high risk and confidential may not be released for access by devices that do not meet these requirements and should not be stored on these devices without approved justification.
- All electronic computing, storage devices, and mobile devices considered a high likelihood risk factor for loss or theft that access the SIUE network and are possibly exposed to SIUE high risk and confidential data must be compliant with SIUE Information Security Policies and Standards. All electronic computing, storage devices, and mobile devices considered a high likelihood risk factor for loss or theft that are exposed to SIUE data classified as high risk and confidential must be protected using encryption or with approved compensating controls to include but not limited to a passcode and a timeout to ensure that if the device is stolen or lost, no SIUE data classified as high risk or confidential can be accessed by an unauthorized user.
TECHNOLOGY (HARDWARE AND SOFTWARE) PURCHASES/ACQUISITIONS
- All technology acquisitions (whether purchases or obtained by other means) must be reviewed and approved by ITS.
- All Software as a Service (SaaS) purchases must undergo a security review process, which is outlined on the ITS Information Security website (http://www.siue.edu/its/is/cloudsoftware.shtml).
In certain cases, compliance with specific policy requirements may not be immediately possible. Reasons include, but are not limited to, the following:
- Required commercial or other software in use is not currently able to support the required features;
- Legacy systems are in use which do not comply, but near-term future systems will, and are planned for;
- Costs for reasonable compliance are disproportionate relative to the potential damage.
- In such cases, units must develop a written explanation of the compliance issue and a plan for coming into compliance with the University's Information Security Policy in a reasonable amount of time. Explanations and plans must be submitted to the CIO.
Adapted with permission from the University of Illinois Information Security Policy, March 2009.
Approved by Chancellor effective 5/26/16
This policy was issued on May 31, 2016, replacing the June 22, 2015 version.
Document Reference: 2D2
Origin: OC 9/30/09; OC 6/22/15; OC 5/26/16