OM 9.0.0 - Information Technology Policies
Effective Date: March 2023
Policy Contact: Office of Information Technology
Scope
All Clarkson University units and employees.
Reason for Policy
To protect information that is non-public in nature, including personal information about individuals, institutional information, financial information and intellectual property, the University has established this Information Security Plan. This Plan is intended to incorporate compliance with all relevant laws and regulations and applies to all areas of the University and all third-party contractors having access to University-owned data, including IaaS/PaaS/SaaS providers, food services and the book store. Referenced laws and other regulations include but are not limited to:
1 Introduction
1.1 Objective
The objectives of this Written Information Security Program (WISP) are to define, document and support the implementation and maintenance of the administrative, technical and physical safeguards Clarkson University has selected to protect the information it collects, creates, uses and maintains. This WISP has been developed in accordance with the following security best practices and regulations:
- NIST Special Publication 800-53 – The NIST Special Publication 800-53 standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business. It specifies requirements for the implementation of security controls, customized to the needs of individual organizations, or parts thereof.
- Payment Card Industry Data Security Standards (PCI DSS) - Contractual obligations addressing the administrative, technical and physical standards required by payment brands (Visa, AMEX, MasterCard, Discover) for organizations processing payment card transactions.
- Gramm-Leach-Bliley Act (GLB Act or GLBA) - Federal law enacted in 1999 which requires organizations that loan money to take measures to protect the financial information of
- Family Educational Rights and Privacy Act (FERPA) - Federal law enacted in 1974 requiring any school receiving federal funds to protect the privacy of educational
- Health Insurance Portability and Accountability Act (HIPAA) – Enacted by the U.S. Congress in 1996, HIPAA mandates that covered entities implement reasonable and appropriate security measures to protect all electronic protected health information (ePHI) against reasonably anticipated threats or hazards.
This document is intended to satisfy NIST standards for maintaining a Critical Infrastructure Plan (CIP).
2 Vision, Mission and Goals
2.1 Vision
A robust NIST-based security program supported by policies, standards and procedures that address the eighteen (18) NIST security domains.
2.2 Mission
Strengthen the security of Clarkson University’s environment by implementing a structured security program and ensuring that the relationship between information security and the business objectives of Clarkson University exists and is effective.
2.3 Goals
Deploy security controls to reduce risk for information assets, as defined by specific goals. Achieving these goals requires that Clarkson University:
- Align information security initiatives with business strategy;
- Assign ownership and accountability for information security initiatives;
- Monitor the status and efficacy of information security initiatives; and
- Institute a process of continuous assessment and
3 Core Tenets
Clarkson University's WISP establishes five (5) core tenets, representing the values and assumptions that will be considered when implementing the information security program.
- Risks are identified and managed in a coordinated and comprehensive way across the Clarkson University environment to enable effective allocation of information security resources. This involves promoting efficient and effective use of resources by taking a comprehensive and strategic approach to risk management.
- Understanding and accounting for dependencies within the Clarkson University environment when managing risks is critical to enhancing information
- Information sharing among Clarkson University's environment is paramount to gaining knowledge of information security
- Partnership in implementing Clarkson University's information security program allows for unique perspectives in understanding information security gaps, challenges and
- Information security will be factored into all decisions regarding Clarkson University assets, systems and
4 Roles and Responsibilities
4.1 Information Security Leadership
To successfully manage risk across Clarkson University, senior leaders and executives must be committed to making information security a fundamental mission. This top-level, executive commitment ensures that sufficient resources are available to develop and implement an effective, organization-wide security program. Effectively managing information security risk organization-wide requires the following key elements:
- Assignment of risk management responsibilities to senior leaders and executives;
- Ongoing recognition and understanding by senior leaders and executives of the information security risks to organizational information assets, operations and personnel;
- Establishment of the tolerance for risk and communicating the risk tolerance throughout the organization, including guidance on how risk tolerance impacts ongoing decision-making activities; and
- Providing accountability for senior leaders and executives for their risk management
4.2 Information Security Officer
An information security officer will be appointed with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. Responsibilities will include:
- Development, maintenance, and distribution of policies and procedures
- Ensuring responsibilities and assignments for monitoring alerts and incident response processes are understood and performed
- Development, maintenance, and implementation of a security incident response plan
- Ensure access control processes are defined and implemented
- Ensure all access control processes are monitored
4.3 Information Security Steering Committee
The Information Security Steering Committee provides a number of “soft” benefits, including those gained by the active participation of business leaders in information security decision-making. The Information Security Steering Committee often participates in the following:
- Establishing goals for the Information Security program;
- Reviewing and approving Information Security policies and standards;
- Recommending, reviewing and prioritizing information security initiatives;
- Communicating information security needs;
- Reviewing the effectiveness of the Information Security program and resources; and
- Ensuring corrective action plans have been developed and implemented to address risks that are unacceptable to Clarkson University.
The WISP will establish the Information Security Steering Committee and ensure its ongoing operation.
4.4 Resource Optimization
Clarkson University dedicates resources to information security initiatives in an effort to reduce risk, and subsequently meet business objectives. It is understood that these resources are finite and specific, and of the following types:
- Budget – Funds for information security initiatives will be allocated on an annual basis. Allocated funds are determined by business need, which will be determined by organizational risk.
- Personnel – The information security team consists of both physical and virtual members, full-time employees, partners and subcontractors. The number of personnel allocated to information security initiatives is determined by business need, which will be determined by organizational risk. These are allocated and leveraged optimally based on capabilities and availability.
- Time – The information security team is granted time to complete security initiatives. Schedules for security initiatives are determined by business need, which will be determined by organizational risk.
5 Strategy
5.1 Overview
The key to ensuring that Clarkson University's Security program is reasonable and useable is to develop a suite of policy documents that match the intended audience's business goals and culture. Policies must be practical and realistic. In order to achieve this, it is essential to involve and obtain support from senior management and other stakeholders, as well as from the people who will use the policy as part of their daily work.
The organization will:
- Develop and disseminate information security program standards and an information security plan that provides an overview of the requirements for the security program, a description of the security program management controls and common controls in place or planned for meeting those requirements.
- Establish and maintain organizational policies, standards, and procedures to address all relevant statutory and regulatory requirements, and ensure and support the confidentiality, integrity, and availability of its information
- Make relevant policies, standards, and procedures readily available to all affected
- Conduct a periodic formal review of policies, standards, and procedures and update them, at a minimum,
5.2 Policy Implementation
Clarkson University has the following three Security Policies formalized or in development stages:
- Acceptable Use Policy – Advises all members of Clarkson University on acceptable and unacceptable behavior involving the organization’s
- Data Classification Policy – Describes the process for classification and handling of the organization’s
- Information Security Policy – Creates provisional compliance requirements for the Clarkson University Information Security Standards. Requires that all Clarkson University administrative and business functions meet minimum requirements for
5.3 Standards Implementation
Clarkson University has developed appropriate control standards, herein referred to as Information Security Standards, to support the Organization’s Information Security policies. These standards are based on NIST Special Publication 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations”. The Information Security Standards define all Clarkson University directives for safeguarding information and ensuring that each organization complies with applicable laws, regulations, and commercial standards. Appropriate procedures have been documented that describe the tools, processes, and resources used to implement the Information Security Standards. The Clarkson University Information Security Standards are structured into eighteen (18) control groups.
Wherever appropriate, information security controls will comply with, reference and implement the above standards. This position will be stated and reinforced in the security policy.
5.4 Regulatory and Security Best Practice Compliance
While not currently mapped to Clarkson University Information Security Standards, Clarkson University must also comply with the following:
- Electronic Communications Privacy Act (ECPA) - Federal law which specifies the standards by which law enforcement is permitted to access electronic communications and associated data, affording important privacy protections to subscribers of emerging wireless and Internet
- U.S. Patriot Act - An antiterrorism law enacted by the U.S. Congress in October 2001, which gave additional powers to the U.S. Department of Justice, the National Security Agency and other federal agencies for surveillance of electronic communications.
- Technology Education and Copyright Harmonization Act (TEACH) - Amendments to sections 110(2) and 112(f) of the U.S. Copyright Act, which was enacted to balance the perspectives of both copyright owners and content users for academic
- Executive Order 13224 - Federal Executive Order which provides a means to disrupt the financial support network for terrorists and terrorist organizations by authorizing the U.S. Government to designate and block the assets of foreign individuals.
- NYS Information Security Breach and Notification Act - Law 4254-A, State Technology Law Section 208 and General Business Law Section 899-aa - New York State Laws requiring notification to individuals and State agencies after a security incident has occurred involving the loss or unauthorized access to certain private non-public
- Higher Education Opportunity Act (HEOA) - Federal law which, among other requirements, addresses colleges' and universities' responsibilities relating to copyrighted
It is the goal and intent of the WISP to ensure compliance with all known regulations and mandates as they are understood, and to make them an appropriate priority.
6 Risk Management
6.1 Set Goals and Objectives
Goals and objectives for Clarkson University's information security program will be established and corrective action plans (CAPs) will be documented and prioritized according to risk to the organization.
6.2 Identify Infrastructure
Clarkson University will identify all assets, systems and networks critical to continued operation, as well as the dependencies between these essential resources. Effective risk management requires an understanding of the criticality of these resources to the organization.
6.3 Assess and Analyze Risks
Identifying risks is the single-most important step an organization can take to ensure the confidentiality, integrity and availability of information assets. It is also an important component for achieving regulatory, commercial and legal compliance.
The determination of Global Risk Tolerance, a number between 1 and 100 (where 1 is entirely risk-averse and 100 is entirely risk-tolerant), will be performed through an informal survey of organization executives and stakeholders. The Global Risk Tolerance will be used as a suggested remediation threshold during risk management – any risk that exceeds this level will, and should, be used to prioritize remediation and define corrective action plans.
Risk Reduction involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process. The organization will implement security measures that reduce the risks to its information systems containing confidential information to reasonable and appropriate levels. Selection and implementation of such security measures will be based on a formal, documented risk management process.
6.4 Implement Risk Management Activities
The organization will manage risk on a continuous basis and implement necessary security measures to ensure the confidentiality, integrity, and availability of information systems containing confidential information. A risk assessment will be performed, at a minimum, annually. This involves identifying the risks to information assets and determining the probability of occurrence, the resulting impact and additional safeguards to mitigate this impact. Strategies for managing risk should be commensurate with the risks to such systems. One or more of the following methods may be used to manage risk:
- Risk acceptance
- Risk avoidance
- Risk limitation
- Risk transference
The organization will manage the security state of organizational information systems and the environments in which those systems operate through the security authorization processes by:
- The Chief Information Officer will be responsible for ensuring a risk assessment is conducted for all new services, capabilities and technologies before they are implemented into production.
This position on risk management will be stated and reinforced in the security policy.
6.5 Measure Effectiveness
Clarkson University will regularly evaluate progress of security program implementation and risk management by reviewing and updating CAPs. Progress will be communicated to necessary stakeholders.
For detailed information regarding risk management, reference Clarkson University Risk Management procedure.
7 Computer and Technology Operations
7.1 General
Computer systems and networks, communications systems and other equipment belonging to or otherwise in the possession of Clarkson University are the property of Clarkson University and will be maintained solely by Clarkson University. These systems are provided for use in conducting Clarkson University business, although reasonable personal use by workforce is permitted. Only Clarkson University owned assets will be used to process, store or transmit Clarkson University owned data or information. The use of any Clarkson University system for commercial purposes other than that of Clarkson University is prohibited. There is no expectation of privacy when using any Clarkson University computers, systems, networks or other equipment and Clarkson University reserves the right to obtain access to any and all communications and data or information stored, processed or transmitted by these systems at any time and without prior notice.
7.2 Network Security
Clarkson University's network will be maintained in such a way that risk of corruption of data and unauthorized internal and external access is minimized. Vulnerabilities that arise in Clarkson University's network will be addressed according to Clarkson University's Vulnerability Management procedure. For more information on network security, reference Clarkson University Acceptable Use policy and Clarkson University Configurations.
7.3 Endpoint and Removable Media Protection
Controls will be implemented on Clarkson University laptops and removable media in order to protect the confidentiality and integrity of information contained therein.
- Clarkson University laptops and removable media will be
- Clarkson University computing devices will be configured to time out and log out setti
- End users will protect all Clarkson University owned computing devices and removable
- Virus detection and protection solutions will be implemented on Clarkson University owned computing
- Clarkson University workforce will report any issues, including theft, immediately to the IT
For more information on endpoint and removable media protection, reference Clarkson University Acceptable Use Policy and Clarkson University Configurations.
7.4 User IDs and Passwords
All workforce will be provided with a unique username and password to access any Clarkson University-owned system or application. Clarkson University workforce passwords will be required to meet minimum length, complexity and reuse requirements in an attempt to protect confidential or sensitive data. All workforce will protect and not misuse user IDs and passwords. For more information on user IDs and passwords, reference Clarkson University Access Control procedure.
7.5 Access Rights
Only approved workforce will have access to Clarkson University systems and information and will be provided with the minimum level of access necessary to complete job duties. Network controls will be applied to prevent unauthorized network access. Any devices logged onto Clarkson University's network will be configured to time out.
Remote access to Clarkson University's environment will be granted only to those workforce with a legitimate documented business need.
Access to Clarkson University information, regardless of the form of information will only be performed for legitimate business purposes. No user is permitted to access, read, edit, print, copy, transfer or delete information maintained by any other user unless given permission by the Chief Information Officer and another cabinet-level University official to do so. Access to systems owned or operated by Clarkson University's third-party vendors is not permitted without proper authorization.
For more information on access rights, reference Clarkson University Access Control procedure.
7.6 System Monitoring
At the discretion of the Chief Information Officer or their designee, Clarkson University reserves the right to monitor or review activity on any organization-owned system, without notice. Banners explaining Clarkson University's position on system monitoring will be implemented on all assets where logins happen. For more information on system monitoring, reference Clarkson University Logging and Monitoring procedure.
7.7 Data Classification and Handling
Clarkson University workforce will classify and label all information and data. Clarkson University workforce will make all efforts to redact any information classified as confidential or sensitive when appropriate to do so. Clarkson University data and information will be retained according to applicable local and federal guidelines. All Clarkson University data and information will be destroyed when no longer needed. Clarkson University workforce will be responsible for appropriately processing, storing and transmitting Clarkson University information or data. For more information on data classification and handling, reference Clarkson University Data Classification and Handling and Clarkson University Data and Information Destruction procedures.
7.8 Acceptable Use
All workforce will appropriately use Clarkson University computer systems and networks, communications systems and other equipment belonging to Clarkson University, and in such a way that does not violate any law or regulation. Examples include, but are not limited to:
- Voicemail
- Software
- Internet
For more information on acceptable use, reference Clarkson University's Acceptable Use policy.
7.9 Personnel Security
All Clarkson University workforce will be provided with the relevant policies, standards and procedures necessary to perform job duties upon hire and annually. Clarkson University workforce will be provided with relevant training on these topics and will be expected to attest to having read and understood all materials provided. Clarkson University will assign a risk designation to each position and screen, transfer and terminate workforce appropriately. For more information on personnel security, reference Clarkson University Personnel Security procedure.
7.10 Vendor Management
Clarkson University enters into contracts with third-party vendors for essential services. Clarkson University will conduct reasonable due diligence on vendors. Clarkson University will ensure all reasonable and appropriate agreements are in place to protect any Clarkson University data or information processed, stored or transmitted by third-party vendors. For more information on vendor management, reference Clarkson University Vendor Management procedure.
8 Exception Process
Compliance with the Clarkson University WISP, along with related policies, standards and procedures, is necessary to ensure the confidentiality, integrity and availability of organizational information assets.
Clarkson University leadership recognizes, however, that full compliance with the WISP may not be possible, due to operational constraints. Non-compliance with any organization standard will be documented as an exception, reviewed, approved and addressed. Documented exceptions will include:
- The standard where non-compliance may exist;
- The specific non-compliant situation, service, or process;
- The operational risk introduced by the gap;
- Any current controls which may partially mitigate the risk;
- If the decision is to remediate the gap, a corrective action plan (CAP) must be developed and assigned to an owner;
- The acceptance of the risk and remediation
9 Information Security Road Map
9.1 Overview
The Information Security Roadmap describes the current and planned security priorities of the organization. For more information regarding current and planned security priorities, reference Clarkson University Security Roadmap.
10 Related Documentation
10.1 Written Information Security Program (WISP)
- Regulation
This written information security program is intended to satisfy the WISP requirements for all applicable regulation and legislation to which Clarkson University is subject. This includes but is not limited to the New York State SHIELD Act, https://ag.ny.gov/internet/data-breach
11 Plan Authority
This Plan is issued by the Chief Information Officer for Clarkson University.
12 Revision History
Revision | Date | Initiator | Nature of Change
1 | 01/27/2023 | B. Huntley | Initial Draft - Written Information Security Program
- Approvals
- Appendix A - Process Review
The diagram below is an overview that depicts the flow and scope of the WISP program: