DIXIE STATE COLLEGE OF UTAH
POLICIES AND PROCEDURES MANUAL
Policy No: 50
Policy: INFORMATION TECHNOLOGY SECURITY
6-50 INFORMATION TECHNOLOGY SECURITY
Consistent with Board of Regents Policy 345, this policy will govern the protection of information and computer systems, networks and other core IT resources. Roles and responsibilities for information security will be assigned to ensure that decisions concerning the use, protection and acceptance of risk for information assets and core IT resources are made at the appropriate levels.
This policy will apply to all Dixie State College constituents who use, maintain, store or otherwise deal with confidential personal information or other information deemed sensitive or proprietary. This policy also applies to all College constituents who use or access central, departmental, personal or third-party IT resources to conduct College business or functions.
Information Asset – Information or data collected, processed, maintained, stored or otherwise used by Dixie State College in electronic form to conduct core college functions. Information assets vary in criticality and sensitivity. Loss, damage, tampering, unavailability or inappropriate disclosure of information assets may result in significant loss of critical college functions, financial costs, reputation damage, legal liability, etc.
Confidential Personal Information – Information collected from or maintained about students, faculty, staff, alumni or other college constituents that is confidential or private in nature. Examples of confidential personal information include, but are not limited to: names, addresses, date of birth, Social Security number, medical records or financial data including bank account and credit card numbers. Access, use, protection and disclosure of confidential personal data are typically governed by Federal and State law and other applicable policies developed by Dixie State College.
Internal Information – Information collected, processed, stored, or otherwise used by the College that is sensitive, proprietary, or otherwise expected to be disclosed or used internally or be disclosed publicly only through specific channels, but does not contain confidential personal information. Examples of internal data may include but are not limited to: financial account transaction data, IT systems configuration files or vendor contracts and pricing. Access, use and disclosure of internal information may be governed by Federal and State law, contractual obligation or other applicable policies developed by Dixie State College.
Public Information – Information collected, processed, stored or otherwise used by the College for which there is no expectation that it be kept private or confidential.
Critical Information Assets – An information asset that is required for continuing operation of the College and its critical functions. Failures or loss of critical IT resources could result in loss of critical college functions, create public safety issues, cause significant fiscal losses or incur legal liability.
Information Technology Resource (IT Resource) – IT systems, infrastructure or media that provide essential services to core college functions or that display, process, transmit, store or otherwise utilize Information Assets.
Critical IT Resource – An IT resource that is required for continuing operation of the College and its critical functions. Failures or loss of critical IT resources could result in loss of critical college functions, create public safety issues, cause significant fiscal losses or incur legal liability.
Central IT Resources – IT Resources provided by the central College IT services group for broad institutional use. Examples include the campus network, Banner system, email system, electronic directories, Dixie State College Web site and various other servers and infrastructure.
Removable Devices and Media – Typically an IT resource used to display, process, transmit or store data that is easily portable. Examples include but are not limited to laptop computers, smartphones, optical media, magnetic tapes, removable hard drives, flash memory devices (USB thumb drives, memory cards) and personal devices with storage capabilities such as iPod/MP3 players.
Information Security Office: The Information Security Office (ISO) is responsible for developing and coordinating institutional Information Security strategies.
Data Steward: The recognized senior administrative position (typically a Vice President, Dean or Executive Director) within a College unit or department, or an appropriate deputy designated by the senior administrator to act in that capacity. Within each College unit or organization, the Data Steward is the principal IT security decision-maker and is responsible for the acceptance of risk and other matters regarding Information Security.
Data Custodians: Employees with administrative or operational responsibilities for Information Assets and/or IT Resources. Typically Data Custodians are managers within a department or unit. Dedicated IT staff, in most cases, are considered Data Custodians.
Users: Any College employee or other affiliate who accesses and uses College information assets and IT resources. Typically users work under the direction of a Data Custodian and/or Data Steward.
Incident Response Team – The Incident Response Team is a group convened when ISO determines the scope, size, or nature of an Information Security incident warrants additional response resources. The Incident Response Team is coordinated by ISO and may be comprised of Data Custodians, institutional and/or third-party subject-matter experts and other stakeholders as deemed appropriate for the incident.
Disaster – Any unexpected event or occurrence that prevents the normal operation or causes the loss of one or more Critical IT Resources.
Disaster Recovery Plan – A written plan covering provisions for implementing and running critical IT resources or equivalent alternative processing in the event of a disaster.
Unauthorized access – Access to confidential personal or internal information, or an IT resource by an individuals or automated agents that are not authorized for access to perform job duties or college functions.
Roles and Responsibilities
The following roles and responsibilities are attached to various College positions. These roles are designed to clearly outline responsibilities for the security of information assets.
ISO – The Information Security Office (ISO)shall fill the responsibilities included, but not limited to:
In coordination with Data Stewards and Custodians, develop and maintain IT security policies, rules, minimum requirements and best practices.
Educate and provide assistance in complying with this policy to Data Stewards, Data Custodians and Users.
Implement and enforce baseline perimeter security measures and practices appropriate for the college as endorsed by federal and state agencies and national information security organizations such as EDUCAUSE, the SANS Institute and NIST.
Monitor and analyze campus network traffic information to ensure compliance with institutional security policies and rules, and identify, evaluate and mitigate information security threats, vulnerabilities and incidents to College Information Assets and IT Resources.
Conduct periodic security assessments to evaluate compliance with security policies and rules and to identify evolving threats and vulnerabilities to College Information Assets and Resources.
Direct the College Information Security Incident Response Team, incident response activities, and incident resolution at the College, departmental and individual levels. Take appropriate and reasonable remedial action to resolve security incidents.
Assist institutional or third-party auditors in the analysis of College Information Assets and IT resources to further ensure policy compliance.
Monitor compliance with College security policies and rules and report violations to College Administration, Data Stewards or other appropriate authority.
Data Steward – The Data Steward shall, within his/her respective College units or organizations, fill the responsibilities included but not limited to the following:
Determine the purpose and function of Information Assets and IT Resources.
Determine the sensitivity of Information Assets and IT Resources, and based on the sensitivity level, determine the appropriate security measures.
Determine the criticality of Information Assets and IT Resources, and based on the criticality level, determine appropriate business continuity measures.
Authorize access to Information Assets and IT Resources within his/her department or unit, or delegate authorization responsibilities to an appropriate deputy.
Be familiar with information issues, laws, regulations, policies relevant to the use and retention of information assets and IT Resources.
Authorize and own exceptions to this policy and other applicable policies, rules and practices related to Information Security.
Data Custodian – Under the direction of the Data Steward, Data Custodians shall fill the responsibilities included but not limited to the following:
Apply and follow security policies and rules to Information Assets and IT Resources as directed by Data Stewards and ISO.
Each Data Custodian should be reasonably familiar with known threats and vulnerabilities to Information Assets and IT Resources which they are administratively or operationally responsible. Data Custodians should also be familiar with best practices and remedies for IT resources and systems for which they are administratively or operationally responsible.
Coordinate with the Data Steward and ISO to develop reasonable security rules, procedures and training material for users. Ensure that the users they supervise are aware of College information security policies and rules and follow them.
Report network traffic, system event logs and other events, as indicated by policy, rules and best practices that may reasonably indicate a potential or actual threat to College Information Assets and IT resources to ISO in a timely manner.
Users – Under the direction of the Data Steward and/or Data Custodian, Users shall fill the responsibilities included but not limited to the following:
Understand and follow College security policies and rules governing the use of information assets and IT resources.
Report security breaches and other suspected threats to College information assets and IT resources to ISO in a timely manner.
The Incident Response Team, when convened, shall fill responsibilities included but not limited to the following:
Contain and resolve active threats to College IT resources or information assets resulting from the incident.
Conduct post-incident investigation .
Report findings and recommendations regarding the incident to Data Stewards and College Administration.
IT Governance Committee – The IT Governance Committee will be comprised of Data Stewards and other relevant IT stakeholders. The IT governance committee shall review and recommend to College Council new Information Security policies and rules and changes to existing policies and rules. In the event that conflict arises over security matters regarding shared IT resources or information assets, The IT governance committee shall act as a forum for conflict resolution.
Information security or protection of confidential personal and internal information – Departments and other College units must take measures to protect confidential personal information and internal information that is used, processed, transmitted or stored on IT resources in accordance with this policy and any additional Information Security rules developed by Data Stewards and/or ISO.
Reasonable and appropriate IT Security procedures must be developed to prevent unauthorized access to IT resources which use, process, transmit or store confidential personal information or internal information.
IT Security procedures must also be developed for IT resources that do not directly view, process, transmit or store confidential personal or internal information if unauthorized access to that IT resource could be construed as a security breach.
College IT staff provide centralized databases, storage repositories, access mechanisms and other IT resources for the use, transmittal and storage of personal confidential and internal information assets. Information assets should be used and stored within the framework of centralized IT resources. Users of confidential personal or internal information assets must not engage in the following practices:
Use, transfer and/or storage of assets to mobile computing or storage devices;
Use, transfer and/or storage of assets to personal computing or storage devices;
Transfer and/or storage of assets from centralized IT resources and repositories to non-centralized repositories on desktop computers;
unless the following conditions are met:
The user must have possession of confidential personal or internal information to perform his/her job function in conducting the business of the College;
The Data Steward must grant permission to the user to use and/or store confidential personal or internal information;
The user must take reasonable and appropriate precautions as outlined by departmental and institutional Information Security Rules to secure the confidential personal or internal information that is processed, stored or transmitted.
Permission is not required to retain student grades, letters of recommendation, research findings, directory information and other non-sensitive information, etc., that are used in the regular performance of faculty and staff duties, unless those documents also contain sensitive information such as confidential personal or internal information. Reasonable precautions should be taken, by the user, to prevent unauthorized access to non-sensitive data maintained by the user.
Departments and college units who entrust confidential personal and internal information assets to third party contractors, vendors and service providers to perform functions or services on behalf of the College must ensure that the external entity will implement reasonable and appropriate protection measures for the information assets they are authorized to use, process, transmit or store.
Security protection measure requirements and responsibilities should be clearly outlined in contracts, service-level agreements and memorandums of understanding with external contractors, vendors, service providers and other entities that are entrusted with College information assets.
Business continuity or loss prevention due to disaster or system failure of institutional or departmental Critical IT Resources or Information Assets – Departments and other College units must take measures to identify threats to, and prevent the loss of, critical Information Assets and IT Resources under their control, and to include critical Information Assets and IT Resources in College and departmental disaster recovery plans.
Backup procedures for critical information assets must be developed by the Data Custodian(s) responsible for the assets.
Users who have been granted permission to use or store College information assets outside of centralized IT resources must develop procedures to backup or otherwise protect those assets from loss.
Departments and college units who entrust confidential personal and internal information assets to third party contractors, vendors and service providers to perform functions or services on behalf of the College must ensure that the external entity will implement reasonable and appropriate loss prevention measures for the information assets they are authorized to use, process, transmit or store.
Loss prevention measure requirements and responsibilities should be clearly outlined in contracts, service-level agreements and memorandums of understanding with external contractors, vendors, service providers and other entities that are entrusted with College information assets.
Identification of information assets and critical IT resources – If uncertain whether or not information is classified as confidential personal or internal information, or if an information asset or IT resource is considered critical to college functions, users must seek direction from the appropriate Data Steward, Data Custodian or the Information Security Office.
Reporting of IT Security Incidents – All suspected or actual IT security incidents involving institutional or departmental information assets must immediately be reported to the Information Security Office.
ISO will coordinate response, investigation and reporting of information security incidents. If necessary, ISO will convene the Incident Response Team to investigate the incident and work to contain or mitigate any unresolved threat stemming from the incident to IT resources or information assets. ISO and/or the Incident Response Team may report findings and recommendations regarding the incident to College administration and appropriate Data Stewards.
If it is determined that College constituents must be notified of disclosure or loss of confidential personal information, efforts must be coordinated between responsible Data Stewards, ISO, College legal counsel, College public relations and other stakeholders as necessary to ensure that notification is performed in a uniform fashion in accordance with Federal and State notification laws and regulations.
Reporting loss of critical IT Resources – If critical IT resources or information assets are lost or inaccessible due to disaster or system failure, the Data Steward and/or Data Custodian(s) responsible must notify those individuals and organizations within the College that are affected by the loss of the resource.
Physical Information Security – Departments and College units are responsible for assuring that all electronic information, hard copy information and hardware devices comprising IT resources are physically protected at all times in accordance with their level of criticality and sensitivity. Departments and College units must assure that the physical information security controls for work area are followed and that access restrictions, sensitive data handling procedures and physical security practices for each area are adhered to.
Destruction or sanitization of electronic media – Departments and College units shall destroy or otherwise sanitize confidential personal and internal information stored on a college or personally-owned IT resource when the information is no longer necessary to conduct the business of the College or meet regulatory requirements, or when the IT resource hardware or media is retired or repurposed. ISO and Data Stewards shall develop institutional procedures for information destruction which shall be maintained as part of Dixie State College Information Security Rules.
This policy authorizes Data Stewards, Data Custodians, the IT Governance Committee and ISO to develop additional Information Security rules in accordance with the requirements and intent of this policy. Institutional Information Security rules shall be reviewed and recommended by the IT governance committee for approval by College Council and, upon approval, shall be binding upon College faculty, staff, students and other constituents. Institutional Information Security rules shall be published and maintained by ISO. Data Stewards may implement rules for the departments or units they are responsible for.
Sanctions and Remedies
Revocation of Access – Dixie State College shall reserve the right to revoke access to the DSC network or any IT resource for any internal or external user, device, network segment or system which presents a direct and imminent threat to College IT resources or information assets, violates this policy, Information Security rules or for any other reason in accordance with applicable institutional policies.
Restoration of Access – Access for a revoked user, device, network segment or system may be restored as soon as the direct and imminent security threat or policy violation has been remedied.
Policy Violations – Violation of this policy may result in action in accordance with College disciplinary policies.
Appeals – College constituents may appeal revocation of access to IT resources or disciplinary actions taken against them pursuant to College grievance policies.
Utah System of Higher Education, Policy R345, Information Technology Resource Security
Dixie State College of Utah Policy 4.26, Corrective and Disciplinary Action
Dixie State College of Utah Policy 4.28, Grievance Procedure
Remote Network Access Security Rule