Marshall University Interim Information Security Policy
EFFECTIVE DATE:
DATE OF LAST REVISION:
1. PURPOSE
1.1. This policy establishes guidelines and responsibilities for information security and the protection of university information resources. Effective security management programs must be employed to appropriately eliminate or mitigate the risks posed by potential threats to the University's information resources. Measures shall be taken to protect these resources against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate.
2. SCOPE
2.1. This policy applies to all university employees (faculty, staff, student, contract employee, or contract partner) who have access to university information and to systems that store, access, or process the information.
3. POLICY
3.1. Principles
3.1.1. Responsibility for controlling access and the development and implementation of appropriate security policies, standards, guidelines, practices, and educational programs rests with the information owners or their designees who are responsible for collecting and maintaining information, as well as those charged with operating the University's information technology environments (including all central and decentralized IT providers / information custodians). The University is committed to the principle of appropriate access. For all information, owners and custodians should make informed decisions regarding the appropriate access that will be provided. Stewardship of the information may depend on its nature and be governed by federal laws, state laws, requirements of external regulatory organizations, and/or University policy.
3.2. Administration
3.2.1. An ISO (Information Security Officer) role must be assigned. This individual must perform, contract, or delegate the necessary functions and responsibilities of the position. (GOT ISG - sections 3.2 and 4.1)
3.2.2. All information resources, regardless of medium, will be used, maintained, disclosed, and disposed of according to law, regulation, or policy. (GOT ISG - section 7.3)
3.2.3. All employees and others who access computer systems will be provided with sufficient training in policies and procedures, including security requirements, correct use of information resources, and other organizational controls. (GOT ISG - sections 4.1 and 11.0)
3.2.4. A documented risk analysis program will be implemented and a risk analysis will be conducted periodically. (GOT ISG - sections 4.1 and 6.0)
3.2.5. A cost-effective incident response/business recovery plan will be maintained, providing for prompt and effective continuation of critical missions in the event of a security incident. (GOT ISG - sections 4.1 and 9.0)
3.2.5.1. Procedures, guidelines, and mechanisms that are utilized during a security incident, along with the roles and responsibilities of the incident management teams, must be established and reviewed regularly.
3.3. Access Controls (GOT ISG - sections 4.2 and 5.0-5.5)
3.3.1. Access controls must be consistent with all state, federal, and local laws and statutes and will be implemented in accordance with this policy.
3.3.2. Procedures must be implemented to protect information resources from accidental, inadvertent, unauthorized, or malicious disclosure, modification, or destruction.
3.3.3. Appropriate controls must be established and maintained to protect the confidentiality of passwords used for authentication.
3.3.4. Individual users must have unique userids and passwords.
3.3.5. All employees must be accountable for their computer and userids and for any actions that can be identified to have originated from them.
3.3.6. When employees are transferred or their employment is terminated, access, userids, and authorizations will be immediately modified or terminated as required.
3.3.7. Confidential or sensitive data (e.g., credit card numbers, calling card numbers, log-on passwords) must be encrypted before being transmitted through the Internet.
3.3.7.1. The network access firewall and/or secure gateway must be configured to deny all incoming services unless explicitly permitted.
3.3.8. Data and supporting software necessary for the continuation of university functions will be backed up periodically at a frequency determined by risk analysis.
3.3.9. All information assets must be accounted for and will have an assigned owner. (GOT ISG - section 7.0)
3.3.9.1. Owners, custodians, and users of information resources must be identified and their responsibilities defined and documented.
3.3.9.2. All access to computing resources will be granted on a need-to-use basis.
3.3.10. Each owner or custodian of information will determine its classification based on the circumstances and the nature of the information.
3.3.11. The owner or custodian will determine the protective guidelines that apply for each level of information. They include the following:
    Access
    Distribution within the university
    Distribution outside the university
    Electronic distribution
    Disposal/Destruction
3.3.12. All programmable computing devices must be equipped with up-to-date virus protection software.
3.3.12.1. Virus protection procedures will be developed to address system protection.
3.4. Personnel Practices (GOT ISG - sections 4.3 and 10.0-10.8)
3.4.1. All IT assets, including hardware, software, and data are owned by
3.4.2. Information resources are designated for authorized purposes only. The university reserves the right to monitor and review employee use as required for legal, audit, or legitimate authorized State operational or management purposes.
3.4.3. All employees must receive an appropriate background check.
3.4.4. All employees must sign a confidentiality statement indicating that they have read, understand, and will abide by university policies and procedures regarding IT security.
3.4.5. All vendors and contractors must sign and abide by a contract/confidentiality statement to ensure compliance with state and university information security policies and procedures. (GOT ISG - section 8.0)
3.4.6. All employees must abide by rules regarding acceptable and unacceptable uses of IT resources (please refer to the current Marshall University
3.5. Physical and Environmental Security (GOT ISG - sections 4.4 and 12.0-12.6)
3.5.1. Information resource facilities will be physically secured by measures appropriate to their critical importance.
3.5.2. Security vulnerabilities will be determined and controls will be established to detect and respond to threats to facilities and physical resources.
3.5.3. Critical or sensitive data handled outside of secure areas will receive the level of protection necessary to ensure integrity and confidentiality.
3.5.4. Equipment will be secured and protected from physical and environmental damage.
3.5.5. Equipment used outside State premises should be given the same degree of security protection as that of on-site information resource equipment.
4. ENFORCEMENT
4.1. Enforcement of this policy is the responsibility of the Vice President for Information Technology and Chief Information Officer or their designate.
4.2. Any employee found to have violated this policy will be subject to disciplinary or corrective actions based upon the policies, rules, and procedures of the relevant group to which the employee belongs, and may include sanctions including, but not limited to, revocation of employee or student privileges up to and including expulsion or termination of employment or contract. Certain violations, misuse, or disclosures of confidential information may include civil and/or criminal penalties.
5. RESPONSIBILITIES
5.1. The Vice President for Information Technology has designated the Information Security Officer of Computing Services as the entity responsible for administering the provisions of this policy and the State of
5.2. The director of a department shall be responsible for ensuring that an appropriate security program is in effect and that compliance with this policy and State of
5.3. The director of a department which provides operational support (information custodian) for information systems owned by another Marshall University department (information owner) shall have joint responsibility for ensuring that an appropriate security program is in effect and that compliance with State of West Virginia Information Security Guidelines is maintained for the supported information systems.
5.4. Mission Critical or Confidential Information maintained on an individual workstation or personal computer must be afforded the appropriate safeguards stated in this policy and the State of
5.5. Operational responsibility for compliance with this policy and State of
6. DEFINITIONS
6.1. Access - to approach or use an information resource.
6.1.1. Unauthorized Access –
6.1.1.1. Access to employee, student, patient, donor, or patron information not necessary to carry out your job responsibilities.
6.1.1.2. Access to the records of a student, employee, patient, donor, or patron for which you are not legally responsible or for which you do not have signed authorization. This includes spouse, parents, and other relatives not under your guardianship.
6.1.1.3. Release of employee, student, patient, or donor information to unauthorized internal users.
6.1.1.4. Release of more employee, student, patient, donor, or patron information to an authorized individual than is essential to meeting the stated purpose of an approved request.
6.1.1.5. Release of information to any external agency unless you are designated as the owner of the information requested.
6.1.1.6. Release of information protected by University, State, and Federal guidelines, policies, regulations, statutes, and procedures pertaining to confidentiality and privacy, including, but not limited to, the Family Educational Rights and Privacy Act of 1974 (FERPA), and WV Code §18-2-5f (see http://www.marshall.edu/banner/policy/).
6.2. Access Control - the enforcement of specified authorization rules based on positive identification of users and the systems or data they are permitted to access.
6.3. Authentication - the process of verifying the identity of a user.
6.4. Chief Information Officer - the person responsible for the university’s information resources.
6.5. Confidentiality Agreement –
6.5.1. I acknowledge the confidential nature of non-public information held by me regarding our employees, students, patients, donors, patrons, and other members of the
If in the course of executing my job responsibilities, I accidentally access information that others might consider inappropriate for me to access, I will not disseminate any such information without proper authorization.
I will not use another’s computer sign-on or computer access code or provide another the use of an individual’s sign-on code to gain access to confidential information without proper authorization. I will not disclose confidential information to those who are not authorized to receive it. In addition, I will not, without proper authorization, copy or preserve confidential information by manual, electronic, or any other means, nor will I disseminate any such information without proper authorization. If I am in doubt about whether the authorization provided is “proper”, I will consult the defined Information Owner for guidance (see http://www.marshall.edu/banner/policy/).
I acknowledge that should I receive Account Names (userids) and Passwords that the passwords are the equivalent of my signature. I understand that I will only access information that is required for me to perform my assigned tasks. I acknowledge that if I disclose passwords to any other person, I will be fully accountable and responsible for any use or misuse by that individual to the same extent as if I had performed the act or omission. If I have any reason to believe that the confidentiality of my passwords has been violated, I will notify my department head or supervisor immediately and ensure that the passwords are promptly changed. If I believe I have been asked to access or release information that lies outside my defined job responsibilities, I will notify the University Information Security Officer and request guidance.
I understand that if I move to another department on campus, I will retain the same account name and password, although my security access may change. I understand that if my relationship with the University is terminated for any reason, I will no longer have access to University equipment and data.
I understand and agree that a violation of any portion of the confidentiality policy renders me subject to disciplinary or corrective actions that may result in sanctions including, but not limited to, revocation of employee or student privileges up to and including expulsion, or termination of employment or contract. Under certain circumstances, disclosure of confidential information may include civil and/or criminal penalties.
___________________________________ ___________________
SIGNATURE DATE
_______________________________________________________
PRINT FULL NAME
6.6. Employee – Individuals employed on a temporary or permanent basis by Marshall University or its associated organizations, as well as contractors, contractors’ employees, volunteers, and individuals who are determined by the university to be subject to this policy.
6.7. Encryption - the process of encoding electronic data that makes it unintelligible to anyone except the intended recipient.
6.8. Firewall - specialized computers and programs, residing in a virtual area between an organization’s network and outside networks, which are designed to check the origin and type of incoming data in order to control access and block suspicious behavior or high-risk activity.
6.9. Information Assets - any of the data, hardware, software, network, documentation, and personnel used to manage and process information.
6.10. Information Custodian - the person or unit assigned to supply services associated with the data, e.g., database administration, systems administration.
6.11. Information Owner - the person(s) ultimately responsible for an application and its data viability.
6.12. Information User - a person authorized to access an information resource.
6.13. Information Security - those measures, procedures, and controls that provide an acceptable degree of safety for information resources, protecting them from accidental or intentional disclosure, modification, or destruction.
6.14. Information Security Officer (ISO) - the person designated by the university head to administer the university’s information security program. The ISO is the university’s internal and external point of contact for all information security matters.
6.15. Password - a string of characters known to a computer system or network and to a user who must enter the password in order to gain access to an information resource.
6.16. Risk Analysis - the evaluation of system assets and their vulnerabilities to threats in order to identify what safeguards are needed.
6.17. Security Incident - an event that results in unauthorized access, loss, disclosure, modification, or destruction of information resources, whether deliberate or accidental.
6.18. Threat - includes any person, condition, or circumstance that endangers the security of information or information systems, in the context of Information Security.