EFFECTIVE DATE: February 7, 2003
DATE OF LAST REVISION:
1. PURPOSE
1.1. This policy establishes guidelines and responsibilities for information security and the protection of university information resources. Effective security management programs must be employed to appropriately eliminate or mitigate the risks posed by potential threats to the University's information resources. Measures shall be taken to protect these resources against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate.
2. SCOPE
2.1. This policy applies to all university employees (faculty, staff, student, contract employee, or contract partner) who have access to university information and to systems that store, access, or process the information.
3. POLICY
3.1. Principles
3.1.1. Responsibility for controlling access and the development and implementation of appropriate security policies, standards, guidelines, practices, and educational programs rests with the information owners or their designees who are responsible for collecting and maintaining information as well as those charged with operating the University's information technology environments (includes all central and decentralized IT providers / Information custodians). The University is committed to the principle of appropriate access. For all information, owners and custodians should make informed decisions regarding the appropriate access that will be provided. Stewardship of the information may depend on its nature and be governed by federal laws, state laws, requirements of external regulatory organizations, and/or University policy.
3.2. Administration
3.2.1. An ISO (Information Security Officer) role must be assigned. This individual must perform, contract, or delegate the necessary functions and responsibilities of the position. (GOT ISG - sections 3.2 and 4.1)
3.2.2. All information resources, regardless of medium, will be used, maintained, disclosed, and disposed of according to law, regulation, or policy. (GOT ISG - section 7.3)
3.2.3. All employees and others who access computer systems will be provided with sufficient training in policies and procedures, including security requirements, correct use of information resources, and other organizational controls. (GOT ISG - sections 4.1 and 11.0)
3.2.4. A documented risk analysis program will be implemented and a risk analysis will be conducted periodically. (GOT ISG - sections 4.1 and 6.0)
3.2.5. A cost effective incident response/business recovery plan will be maintained providing for prompt and effective continuation of critical missions in the event of a security incident. (GOT ISG - sections 4.1 and 9.0)
3.2.5.1. Procedures, guidelines, and mechanisms that are utilized during a security incident, along with the roles and responsibilities of the incident management teams, must be established and reviewed regularly.
3.3. Access Controls (GOT ISG - sections 4.2 and 5.0-5.5)
3.3.1. Access controls must be consistent with all state, federal, and local laws and statutes and will be implemented in accordance with this policy.
3.3.2. Procedures must be implemented to protect information resources from accidental, inadvertent, unauthorized, or malicious disclosure, modification, or destruction.
3.3.3. Appropriate controls must be established and maintained to protect the confidentiality of passwords used for authentication.
3.3.4. Individual users must have unique userids and passwords.
3.3.5. All employees must be accountable for their computer and userids and for any actions that can be identified to have originated from them.
3.3.6. When employees are transferred or their employment is terminated, access, userids and authorizations will be immediately modified or terminated as required.
3.3.7. Confidential or sensitive data (e.g., credit card numbers, calling card numbers, logon passwords) must be encrypted before being transmitted over the Internet.
3.3.7.1. The network access firewall and/or secure gateway must be configured to deny all incoming services unless explicitly permitted.
3.3.8. Data and supporting software necessary for the continuation of university functions will be backed up periodically at a frequency determined by risk analysis.
3.3.9. All information assets must be accounted for and will have an assigned owner. (GOT ISG - section 7.0)
3.3.9.1. Owners, custodians, and users of information resources must be identified and their responsibilities defined and documented.
3.3.9.2. All access to computing resources will be granted on a need-to-use basis.
3.3.10. Each owner or custodian of information will determine its classification based on the circumstances and the nature of the information.
3.3.11. The owner or custodian will determine the protective guidelines that apply for each level of information. They include the following:
Access
Distribution within the university
Distribution outside the university
Electronic distribution
Disposal/Destruction
3.3.12. All programmable computing devices must be equipped with up-to-date virus protection software.
3.3.12.1. Virus protection procedures will be developed to address system protection.
3.4. Personnel Practices (GOT ISG - sections 4.3 and 10.0-10.8)
3.4.1. All IT assets, including hardware, software, and data, are owned by
3.4.2. Information resources are designated for authorized purposes only. The university reserves the right to monitor and review employee use as required for legal, audit, or legitimate authorized State operational or management purposes.
3.4.3. All employees must receive an appropriate background check.
3.4.4. All employees must sign a confidentiality statement indicating that they have read, understand, and will abide by university policies and procedures regarding IT security.
3.4.5. All vendors and contractors must sign and abide by a contract/confidentiality statement to ensure compliance with state and university information security policies and procedures. (GOT ISG - section 8.0)
3.4.6. All employees must abide by rules regarding acceptable and unacceptable uses of IT resources (please refer to the current Marshall University Information Technology Environment Acceptable Use Policy http://www.marshall.edu/computing/policies/itepol.htm ).
3.5. Physical and Environmental Security (GOT ISG - sections 4.4 and 12.0 -12.6)
3.5.1. Information resource facilities will be physically secured by measures appropriate to their critical importance.
3.5.2. Security vulnerabilities will be determined and controls will be established to detect and respond to threats to facilities and physical resources.
3.5.3. Critical or sensitive data handled outside of secure areas will receive the level of protection necessary to ensure integrity and confidentiality.
3.5.4. Equipment will be secured and protected from physical and environmental damage.
3.5.5. Equipment used outside State premises should be given the same degree of security protection as that of on-site information resource equipment.
4. ENFORCEMENT
4.1. Enforcement of this policy is the responsibility of the Vice President for Information Technology and Chief Information Officer or their designate.
4.2. Any employee found to have violated this policy will be subject to disciplinary or corrective actions based upon the policies, rules, and procedures of the relevant group to which the employee belongs, and may include sanctions including, but not limited to, revocation of employee or student privileges up to and including expulsion or termination of employment or contract. Certain violations, misuse, or disclosures of confidential information may include civil and/or criminal penalties.
5. RESPONSIBILITIES
5.1. The Vice President for Information Technology has designated the Information Security Officer of Computing Services as the entity responsible for administering the provisions of this policy and the State of
5.2. The director of a department shall be responsible for ensuring that an appropriate security program is in effect and that compliance with this policy and State of
5.3. The director of a department which provides operational support (information custodian) for information systems owned by another Marshall University department (information owner) shall have joint responsibility for ensuring that an appropriate security program is in effect and that compliance with State of West Virginia Information Security Guidelines is maintained for the supported information systems.
5.4. Mission Critical or Confidential Information maintained on an individual workstation or personal computer must be afforded the appropriate safeguards stated in this policy and the State of
5.5. Operational responsibility for compliance with this policy and State of
6. DEFINITIONS
6.1. Access - to approach or use an information resource.
6.1.1. Unauthorized Access –
6.1.1.1. Access to employee, student, patient, donor, or patron information not necessary to carry out your job responsibilities.
6.1.1.2. Access to the records of a student, employee, patient, donor, or patron for which you are not legally responsible or for which you do not have signed authorization. This includes spouse, parents, and other relatives not under your guardianship.
6.1.1.3. Release of employee, student, patient, or donor information to unauthorized internal users.
6.1.1.4. Release of more employee, student, patient, donor, or patron information to an authorized individual than is essential to meeting the stated purpose of an approved request.
6.1.1.5. Release of information to any external agency unless you are designated as the owner of the information requested.
6.1.1.6. Release of information protected by University, State, and Federal guidelines, policies, regulations, statutes, and procedures pertaining to confidentiality and privacy, including, but not limited to, the Family Educational Rights and Privacy Act of 1974 (FERPA), and WV Code §18-2-5f (see http://www.marshall.edu/banner/policy/BOCPandP.doc).
6.2. Access Control - the enforcement of specified authorization rules based on positive identification of users and the systems or data they are permitted to access.
6.3. Authentication - the process of verifying the identity of a user.
6.4. Chief Information Officer - the person responsible for the university’s information resources.
6.5. Confidentiality Agreement –
6.5.1. I acknowledge the confidential nature of non-public information held by me regarding our employees, students, patients, donors, patrons, and other members of the
If in the course of executing my job responsibilities, I accidentally access information that others might consider inappropriate for me to access, I will not disseminate any such information without proper authorization.
I will not use another’s computer sign-on or computer access code or provide another the use of an individual’s sign-on code to gain access to confidential information without proper authorization. I will not disclose confidential information to those who are not authorized to receive it. In addition, I will not, without proper authorization, copy or preserve confidential information by manual, electronic, or any other means, nor will I disseminate any such information without proper authorization. If I am in doubt about whether the authorization provided is “proper”, I will consult the defined Information Owner for guidance (see http://www.marshall.edu/banner/policy/).
I acknowledge that should I receive Account Names (userids) and Passwords that the passwords are the equivalent of my signature. I understand that I will only access information that is required for me to perform my assigned tasks. I acknowledge that if I disclose passwords to any other person, I will be fully accountable and responsible for any use or misuse by that individual to the same extent as if I had performed the act or omission. If I have any reason to believe that the confidentiality of my passwords has been violated, I will notify my department head or supervisor immediately and ensure that the passwords are promptly changed. If I believe I have been asked to access or release information that lies outside my defined job responsibilities, I will notify the University Information Security Officer and request guidance.
I understand that if I move to another department on campus, I will retain the same account name and password, although my security access may change. I understand that if my relationship with the University is terminated for any reason, I will no longer have access to University equipment and data.
I understand and agree that a violation of any portion of the confidentiality policy renders me subject to disciplinary or corrective actions that may result in sanctions including, but not limited to, revocation of employee or student privileges up to and including expulsion, or termination of employment or contract. Under certain circumstances, disclosure of confidential information may include civil and/or criminal penalties.
___________________________________ ___________________
SIGNATURE DATE
_______________________________________________________
PRINT FULL NAME
6.6. Employee – Individuals employed on a temporary or permanent basis by Marshall University or its associated organizations; as well as contractors, contractor’s employees, volunteers, and individuals who are determined by the university to be subject to this policy.
6.7. Encryption - process of encoding electronic data that makes it unintelligible to anyone except the intended recipient.
6.8. Firewall - specialized computers and programs, residing in a virtual area between an organization’s network and outside networks, which are designed to check the origin and type of incoming data in order to control access, and block suspicious behavior or high-risk activity.
6.9. Information Assets - Any of the data, hardware, software, network, documentation, and personnel used to manage and process information.
6.10. Information Custodian - the person or unit assigned to supply services associated with the data e.g., database administration, systems administration.
6.11. Information Owner - the person(s) ultimately responsible for the collection, maintenance, distribution, and integrity of data associated with a major information component or module.
6.12. Information User - a person authorized to access an information resource.
6.13. Information Security - those measures, procedures, and controls that provide an acceptable degree of safety for information resources, protecting them from accidental or intentional disclosure, modification, or destruction.
6.14. Information Security Officer (ISO) - the person designated by the university head to administer the university’s information security program. The ISO is the university’s internal and external point of contact for all information security matters.
6.15. Password - a string of characters known to a computer system or network and to a user who must enter the password in order to gain access to an information resource.
6.16. Risk Analysis - the evaluation of system assets and their vulnerabilities to threats in order to identify what safeguards are needed.
6.17. Security Incident - an event that results in unauthorized access, loss, disclosure, modification, or destruction of information resources, whether deliberate or accidental.
6.18. Threat - includes any person, condition or circumstance that endangers the security of information, or information systems, in the context of Information Security.