OM 9.0.0 - Information Technology Policies

Effective Date: March 2023
Last Updated: March 2023
Responsible University Office: Office of Information Technology
Responsible University Administrator: Chief Information Officer

Policy Contact:

Office of Information Technology
helpdesk@clarkson.edu

Scope

All Clarkson University units and employees.

Reason for Policy

To protect information that is non-public in nature, including personal information about individuals, institutional information, financial information and intellectual property, the University has established this Information Security Plan. This Plan is intended to incorporate compliance with all relevant laws and regulations and applies to all areas of the University and all third party contractors having access to University owned data, including IaaS/PaaS/SaaS providers, food services and the book store. Referenced laws and other regulation include but are not limited to:

1 Introduction

1.1 Objective

The objectives of this Written Information Security Program (WISP) are to deﬁne, document and support the implementation and maintenance of the administrative, technical and physical safeguards Clarkson University has selected to protect the information it collects, creates, uses and maintains. This WISP has been developed in accordance with the following security best practices and regulations:
NIST Special Publication 800-53 – The NIST Special Publication 800-53 standard speciﬁes the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business It speciﬁes requirements for the implementation of security controls, customized to the needs of individual organization, or parts thereof.
Payment Card Industry Data Security Standards (PCI DSS) 2 - Contractual obligations addressing the administrative, technical and physical standards required by payment brands (Visa, AMEX, MasterCard, Discover) for organizations processing payment card transactions.
Gramm-Leach-Bliley Act (GLB Act or GLBA) - Federal law enacted in 1999 which requires organizations that loan money to take measures to protect the ﬁnancial information of
Family Educational Rights and Privacy Act (FERPA) - Federal law enacted in 1974 requiring any school receiving federal funds to protect the privacy of educational
Health Insurance Portability and Accountability Act (HIPAA) – Enacted by the S. Congress in 1996 that mandates covered entities to implement reasonable and appropriate security measures to protect all electronic protected health information (ePHI) against reasonably anticipated threats or hazards.

This document is intended to satisfy NIST standards for maintaining a Critical Infrastructure Plan (CIP).

2 Vision, Mission and Goals

2.1 Vision

A robust NIST-based security program supported by policies, standards and procedures that address the eighteen (18) NIST security domains.

2.2 Mission

Strengthen the security of Clarkson University’s environment by implementing a structured security program and ensuring that the relationship between information security and the business objectives of Clarkson University exists and is eﬀective.

2.3 Goals

Deploy security controls to reduce risk for information assets, as deﬁned by speciﬁc goals. Achieving these goals requires that Clarkson University:

Align information security initiatives with business strategy;
Assign ownership and accountability for information security initiatives;
Monitor the status and eﬃcacy of information security initiatives; and
Institute a process of continuous assessment and

3 Core Tenants

Clarkson University's WISP establishes ﬁve (5) core tenants, representing the values and assumptions that will be considered when implementing the information security program.

Risks are identiﬁed and managed in a coordinated and comprehensive way across the Clarkson University environment to enable eﬀective allocation of information security This involves promoting eﬃcient and eﬀective use of resources by taking a comprehensive and strategic approach to risk management.
Understanding and accounting for dependencies within the Clarkson University environment when managing risks is critical to enhancing information
Information sharing among Clarkson University's environment is paramount to gaining knowledge of information security
Partnership in implementing Clarkson University's information security program allows for unique perspectives in understanding information security gaps, challenges and
Information security will be factored into all decisions regarding Clarkson University assets, systems and

4 Roles and Responsibilities

4.1 Information Security Leadership

To successfully manage risk across Clarkson University, senior leaders and executives must be committed to making information security a fundamental mission. This top-level, executive commitment ensures that suﬃcient resources are available to develop and implement an eﬀective, organization-wide security program. Eﬀectively managing information security risk organization-wide requires the following key elements:

Assignment of risk management responsibilities to senior leaders and executives;
Ongoing recognition and understanding by senior leaders and executives of the information security risks to organizational information assets, operations and personnel;
Establishment of the tolerance for risk and communicating the risk tolerance throughout the organization, including guidance on how risk tolerance impacts ongoing decision-making activities; and

Providing accountability for senior leaders and executives for their risk management

4.2 Information Security Oﬃcer

An information security oﬃcer will be appointed with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. Responsibilities will include:

Development, maintenance, and distribution of policies and procedures
Ensuring responsibilities and assignments for monitoring alerts and incident response processes are understood and performed
Development, maintenance, and implementation of a security incident response plan
Ensure access control processes are deﬁned and implemented
Ensure all access control processes are monitored

4.3 Information Security Steering Committee

The Information Security Steering Committee provides a number of “soft” beneﬁts, including those gained by the active participation of business leaders in information security decision-making. The Information Security Steering Committee often participates in the following:

Establishing goals for the Information Security program;
Reviewing and approving Information Security policies and standards;
Recommending, reviewing and prioritizing information security initiatives;
Communicating information security needs; and
Reviewing the eﬀectiveness of the Information Security program and resources; and
Ensuring corrective action plans have been developed and implemented to address risks that are unacceptable to Clarkson

The WISP will establish the Information Security Steering Committee and ensure its ongoing operation.

4.4 Resource Optimization

Clarkson University dedicates resources to information security initiatives in an eﬀort to reduce risk, and subsequently meet business objectives. It is understood that these resources are ﬁnite and speciﬁc, and of the following types:

Budget – Funds for information security initiatives will be allocated on an annual Allocated funds are determined by business need, which will be determined by organizational risk.
Personnel – The information security team consists of both physical and virtual members, full-time employees, partners and subcontractors. The number of personnel allocated to information security initiatives is determined by business need, which will be determined by organizational These are allocated and leveraged optimally based on capabilities and availability.
Time – The information security team is granted time to complete security initiatives. Schedules for security initiatives are determined by business need, which will be determined by organizational

5 Strategy

5.1 Overview

The key to ensuring that Clarkson University ’s Security program is reasonable and useable is to develop a suite of policy documents that match the intended audience’s business goals and culture. Policies must

be practical and realistic. In order to achieve this, it is essential to involve and obtain support from senior management and other stakeholders, as well as from the people who will use the policy as part of their daily work.

The organization will:

Develop and disseminate information security program standards and an information security plan that provides an overview of the requirements for the security program, a description of the security program management controls and common controls in place or planned for meeting those requirements.
Establish and maintain organizational policies, standards, and procedures to address all relevant statutory and regulatory requirements, and ensure and support the conﬁdentiality, integrity, and availability of its information
Make relevant policies, standards, and procedures readily available to all aﬀected
Conduct a periodic formal review of policies, standards, and procedures and update them, at a minimum,

5.2 Policy Implementation

Clarkson University has the following three Security Policies formalized or in development stages:

Acceptable Use Policy – Advises all members of Clarkson University on acceptable and unacceptable behavior involving the organization’s
Data Classiﬁcation Policy – Describes the process for classiﬁcation and handling of the organization’s
Information Security Policy – Creates provisional compliance requirements for the Clarkson University Information Security Standards. Requires that all Clarkson University administrative and business functions meet minimum requirements for

5.3 Standards Implementation

Clarkson University has developed appropriate control standards, herein referred to as Information Security Standards, to support the Organization’s Information Security policies. These standards are based on NIST Special Publication 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations”. The Information Security Standards deﬁne all Clarkson University directives for safeguarding information and ensuring that each organization complies with applicable laws, regulations, and commercial standards. Appropriate procedures have been documented that describe the tools, processes, and resources used to implement the Information Security Standards. The Clarkson University Information Security Standards are structured into eighteen (18) control groups.

Wherever appropriate, information security controls will comply with, reference and implement the above standards. This position will be stated and reinforced in the security policy.

5.4 Regulatory and Security Best Practice Compliance

While not currently mapped to Clarkson University Information Security Standards, Clarkson University must also comply with the following:

Electronic Communications Privacy Act (ECPA) - Federal law which speciﬁes the standards by which law enforcement is permitted to access electronic communications and associated data, aﬀording important privacy protections to subscribers of emerging wireless and Internet
S. Patriot Act - An antiterrorism law enacted by the U.S. Congress in October 2001, which gave certain additional new powers to the U.S. Department of Justice, the National Security Agency and other federal agencies for surveillance of electronic communications.
Technology Education and Copyright Harmonization Act (TEACH) - Amendments to sections 110(2) and 112(f) of the U.S. Copyright Act., which was enacted to balance the perspectives of both copyright owners and content users for academic
Executive Order 13224 - Federal Executive Order which provides a means to disrupt the ﬁnancial support network for terrorists and terrorist organizations by authorizing the S. Government to designate and block the assets of foreign individuals.
NYS Information Security Breach and Notiﬁcation Act - Law 4254-A, State Technology Law Section 208 and General Business Law Section 899-aa - New York State Laws requiring notiﬁcation to individuals and State agencies after a security incident has occurred involving the loss or unauthorized access to certain private non-public
Higher Education Opportunity Act (HEOA) - Federal law which, among other requirements, addresses colleges and universities responsibilities relating to copyrighted

It is the goal and intent of the WISP to ensure compliance with all known regulations and mandates as they are understood, and to make them an appropriate priority.

6 Risk Management

6.1 Set Goals and Objectives

Goals and objectives for Clarkson University's information security program will be established and corrective action plans (CAPs) will be documented and prioritized according to risk to the organization.

6.2 Identify Infrastructure

Clarkson University will identify all assets, systems and networks critical to continued operation, as well as the dependencies between these essential resources. Eﬀective risk management requires an understanding of the criticality of these resources to the organization.

6.3 Assess and Analyze Risks

Identifying risks is the single-most important step an organization can take to ensure the conﬁdentiality, integrity and availability of information assets. It is also an important component for achieving regulatory, commercial and legal compliance.

The determination of Global Risk Tolerance, a number between 1 and 100 (where 1 is entirely risk-averse and 100 is entirely risk-tolerant), will be performed through an informal survey of organization executives and stakeholders. The Global Risk Tolerance will be used as a suggested remediation threshold during risk management – any risk that exceeds this level will, and should be used to prioritize remediation and deﬁne corrective action plans.

Risk Reduction involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process. The organization will implement security measures that reduce the risks to its information systems containing conﬁdential information to reasonable and appropriate levels. Selection and implementation of such security measures will be based on a formal, documented risk management process.

6.4 Implement Risk Management Activities

The organization will manage risk on a continuous basis and implement necessary security measures to ensure the conﬁdentiality, integrity, and availability of information systems containing conﬁdential information. A risk assessment will be performed, at a minimum, annually. This involves identifying the risks to information assets and determining the probability of occurrence, the resulting impact and additional safeguards to mitigate this impact. Strategies for managing risk should be commensurate with the risks to such systems. One or more of the following methods may be used to manage risk:

Risk acceptance
Risk avoidance
Risk limitation
Risk transference

The organization will manage the security state of organizational information systems and the environments in which those systems operate through the security authorization processes by:

The Chief Information Oﬃcer will be responsible for ensuring a risk assessment is conducted for all new services/capabilities/technologies being implemented before they can be implemented into production.

This position on risk management will be stated and reinforced in the security policy.

6.5 Measure Eﬀectiveness

Clarkson University will regularly evaluate progress of security program implementation and risk management by reviewing and updating CAPs. Progress will be communicated to necessary stakeholders.

For detailed information regarding risk management, reference Clarkson University Risk Management procedure.

7 Computer and Technology Operations

7.1 General

Computer systems and networks, communications systems and other equipment belonging to or otherwise in the possession of Clarkson University are the property of Clarkson University and will be maintained solely by Clarkson University. These systems are provided for use in conducting Clarkson University business, although reasonable personal use by workforce is permitted. Only Clarkson University owned assets will be used to process, store or transmit Clarkson University owned data or information. The use of any Clarkson University system for commercial purposes other than that of Clarkson University is prohibited. There is no expectation of privacy when using any Clarkson University computers, systems, networks or other equipment and Clarkson University reserves the right to obtain access to any and all communications and data or information stored, processed or transmitted by these systems at any time and without prior notice.

7.2 Network Security

Clarkson University’s network will be maintained in such a way that risk of corruption of data and unauthorized internal and external access is minimized. Vulnerabilities that arise in Clarkson University's network will be addressed according to Clarkson University's Vulnerability Management procedure. For

more information on network security, reference Clarkson University Acceptable Use policy and Clarkson University Conﬁgurations.

7.3 Endpoint and Removable Media Protection

Controls will be implemented on Clarkson University laptops and removable media in order to protect the conﬁdentiality and integrity of information contained therein.

Clarkson University laptops and removable media will be
Clarkson University computing devices will be conﬁgured to time out and log out setti
End users will protect all Clarkson University owned computing devices and removable
Virus detection and protection solutions will be implemented on Clarkson University owned computing
Clarkson University workforce will report any issues, including theft immediately to the IT For more information on endpoint and removable media protection, reference Clarkson University Acceptable Use Policy and Clarkson University Conﬁgurations.

7.4 User IDs and Passwords

All workforce will be provided with a unique username and password to access any Clarkson University-owned system or application. Clarkson University workforce passwords will be required to meet minimum length, complexity and reuse requirements in an attempt to protect conﬁdential or

sensitive data. All workforce will protect and not misuse user ID’s and passwords. For more information on user ID’s and passwords, reference Clarkson University Access Control procedure.

7.5 Access Rights

Only approved workforce will have access to Clarkson University systems and information and will be provided with the minimum level of access necessary to complete job duties. Network controls will be applied to prevent unauthorized network access. Any devices logged onto Clarkson University's network will be conﬁgured to time out.

Remote access to Clarkson University's environment will be granted only to those workforce with a legitimate documented business need.

Access to Clarkson University information, regardless of the form of information will only be performed for legitimate business purposes. No user is permitted to access, read, edit, print, copy, transfer or delete information maintained by any other user unless given permission by the Chief Information Oﬃcer and another cabinet-level University oﬃcial to do so. Access to systems owned or operated by Clarkson University's third-party vendors is not permitted without proper authorization.

For more information on access rights, reference Clarkson University Access Control procedure.

7.6 System Monitoring

At the discretion of the Chief Information Oﬃcer or their designee, Clarkson University reserves the right to monitor or review activity on any organization-owned system and without notice. Banners explaining Clarkson University's position on system monitoring will be implemented on all assets where logins happen. For more information on system monitoring, reference Clarkson University Logging and Monitoring procedure.

7.7 Data Classiﬁcation and Handling

Clarkson University workforce will classify and label all information and data. Clarkson University workforce will make all eﬀorts to redact any information classiﬁed as conﬁdential or sensitive when appropriate to do so. Clarkson University data and information will be retained according to applicable local and federal guidelines. All Clarkson University data and information will be destroyed when no longer needed. Clarkson University workforce will be responsible for appropriately processing, storing and transmitti ng Clarkson University information or data. For more information on data classiﬁcation and handling, reference Clarkson University Data Classiﬁcation and Handling and Clarkson University Data and Information Destruction procedures.

7.8 Acceptable Use

All workforce will appropriately use Clarkson University computer systems and networks, communications systems and other equipment belonging to Clarkson University, and in such a way that does not violate any law or regulation. Examples include, but are not limited to:

Voicemail
Software
Email
Internet

For more information on acceptable use, reference Clarkson University's Acceptable Use policy.

7.9 Personnel Security

All Clarkson University workforce will be provided with all relevant and necessary policies, standards and procedures necessary to perform job duties upon hire and annually. Clarkson University workforce will be provided with relevant training on these topics and will be expected to attest to having read and understood all materials provided. Clarkson University will assign a risk designation to each position and screen, transfer and terminate workforce appropriately. For more information on personnel security, reference Clarkson University Personnel Security procedure.

7.10 Vendor Management

Clarkson University enters into contracts with third-party vendors for essential services. Clarkson University will conduct reasonable due diligence on vendors. Clarkson University will ensure all reasonable and appropriate agreements are in place to protect any Clarkson University data or information processed, stored or transmitted by third-party vendors. For more information on vendor management, reference Clarkson University Vendor Management procedure.

8 Exception Process

Compliance with the Clarkson University WISP, along with related policies, standards and procedures are necessary to ensure the conﬁdentiality, integrity and availability of organizational information assets.

Clarkson University leadership recognizes, however, that full compliance with the WISP may not be possible, due to operational constraints. Non-compliance with any organization standard will be documented as an exception, reviewed, approved and addressed. Documented exceptions will include:

The standard where non-compliance may exist;
The speciﬁc non-compliant situation, service, or process;

The operational risk introduced by the gap;
Any current controls which may partially mitigate the risk;
If the decision is to remediate the gap, a corrective action plan (CAP) must be developed and assigned to an owner;
The acceptance of the risk and remediation

9 Information Security Road Map

9.1 Overview

The Information Security Roadmap describes the current and planned security priorities of the organization. For more information regarding current and planned security priorities, reference Clarkson University Security Roadmap.

10.1 Written Information Security Program (WISP)

Regulation

This written information security program is intended to satisfy the WISP requirements for all applicable regulation and legislation to which Clarkson University is subject. This includes but is not limited to the New York State SHIELD act, https://ag.ny.gov/internet/data-breach

11 Plan Authority

This Plan is issued by the Chief Information Oﬃcer for Clarkson University.

12 Revision History

Revision

Date

Initiator

Nature of Change

01/27/2023

B. Huntley

Initial Draft - Written Information Security

Program

Approvals
Appendix A - Process Review

The diagram below is an overview that depicts the ﬂow and scope of the WISP program:

Appendix A - Process Review - Depicts the flow and scope of the WISP program.

Details

Revision #1

Created 10 months ago by Autumn MacWilliams

Updated 10 months ago by Autumn MacWilliams

Book Permissions Active

Actions

Revisions

OM 1.0.0 - History and Mission

OM 1.1.0 History

OM 1.2.0 Mission and Objectives

OM 2.00.0

OM 2.1.0 - Board of Trustees

OM 2.3.0 - Duties and Responsibilities of Provost, Vice Presidents, Deans and Other Officers of the University

OM 2.4.0 Duties and Responsibilities of Academic Department Chairs

OM 2.4.1 Appointment and Tenure of Department Chairs and Academic Program Directors Policy Statement

OM 2.5.0 Periods of Duty - Administrative Offices

OM 2.6.0 Clarkson University Policies Governing Organized Activity Units

OM 2.6.1 Duties and Responsibilities of Directors of Institutes and Centers

OM 2.6.2 Appointment and Tenure of Directors

OM 2.6.3 Director of Organized Activity Unit - Additional Operational/Management Guidance

OM 2.7.0 Operational Procedures for the Administrative Council

OM 2.8.0 Faculty Senate Constitution

OM 2.9.0 Paperflow for Senate and Administrative Council Actions

OM 2.10.0 Committees of the University

OM 2.10.1 Committees of the Faculty Senate

OM 2.10.2 Standing Administrative Committees

OM 2.10.3 University Committee Procedures

OM 2.11.0 Support Staff Policies and Procedures

OM 2.12.0 Professional and Supervisory Staff Policies and Procedures

OM 3.0.0 - Human Resources Policies

OM 3.1.0 Human Resources Policies - General

OM 3.1.1 Definition of Employee Groups

OM 3.1.2 Exempt and Non-Exempt Employee Categories

OM 3.1.3 - Affirmative Action and Equal Employment Opportunity Statement

OM 3.1.4 - Employment of Family Members at Clarkson

OM 3.1.5 - Harassment and Sexual Misconduct Policy

OM 3.1.6 - Employment of Minors

OM 3.1.7 Drug Abuse in the Workplace

OM 3.1.8 Orientation

OM 3.1.9 Change in Status

OM 3.1.10 Smoking Policy

OM 3.1.11 Nondiscrimination Policy

OM 3.1.12 Cultural Diversity Policy

OM 3.1.13 General Grievance Procedures

OM 3.1.14 Discrimination Grievance Procedure (Including Cases of Sexual Misconduct)

OM 3.1.15 Anti-Bullying Policy

OM 3.1.16 Clarkson University Exit Policy

OM 3.1.17 Recruitment and Selection Process

OM 3.1.18 Termination/Resignation Policy

OM 3.1.19 Flexible Work Schedule (flextime) and Working Remotely

OM 3.1.20 Background Check Policy

OM 3.1.21 No Contact Order Policy

OM 3.2.0 Human Resources Policies - Faculty

OM 3.2.1 Retirement Benefits

OM 3.3.0 Human Resources Policies - Administrative, Supervisory, and General Staff

OM 3.3.1 Job Posting

OM 3.3.2 Position Classification Procedures

OM 3.3.3 Disciplinary Procedure

OM 3.3.4 Termination of Employment

OM 3.3.5 Retirement Benefits

OM 3.4.0 Human Resources Policies - Employment and Working Conditions - General Staff

OM 3.4.1 The Four Types of Appointments

OM 3.4.2 Employment - Appointment of General Staff Personnel

OM 3.4.3 Probationary Period - General Staff (Non-Bargaining)

OM 3.4.4 Working Hours - General Staff

OM 3.4.5 Rest Periods - General Staff

OM 3.4.6 Promotions and Transfers - General Staff

OM 4.0.0 - Compensation Policies

OM 4.1.0 Compensation Policies - General

OM 4.1.1 Supplemental Compensation Procedures - Faculty

OM 4.2.0 Compensation Policies - Faculty

OM 4.2.1 Salary Plan

OM 4.2.2 Salary Continuance - Faculty

OM 4.3.0 Compensation Policies - Administrative, Supervisory, and General Staff

OM 4.3.1 Wage and Salary Administration

OM 4.3.2 Salary Plan - Administrative and Supervisory Staff

OM 4.3.3 Pay Periods and Payroll Deductions - General Staff

OM 4.3.4 Overtime Policy for Non-Exempt Employees

OM 4.3.5 Supplemental Compensation Procedures - Exempt Non-Faculty

OM 4.3.6 Policy on Compensation for Travel Time - Non-Exempt Employees

OM 5.0.0 - Faculty Definitions and Policies

OM 5.1.0 Titles, Status and Definitions

OM 5.2.0 Duties of a Faculty Member

OM 5.3.0 Standards for Faculty Evaluations

OM 5.4.0 Procedures and Documentation for the Appointment, Reappointment and Continuing Evaluation of Faculty

OM 5.5.0 Evaluation Procedures for Tenure - The Tenure Policy

OM 5.6.0 Evaluation Procedures for Promotion