OM 9.1.1 - Information Security Policy
Effective Date: January 2023
Policy Contact: Office of Information Technology
1 Introduction
The purpose of this policy is to assist the organization in its efforts to fulfill its fiduciary responsibilities related to the protection of information assets and comply with regulatory and contractual requirements involving information security and privacy. This policy framework consists of eighteen (18) separate policy statements, with supporting Standards documents, based on guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-53 r4.
Although no set of policies can address every possible scenario, this framework, taken as a whole, provides a comprehensive governance structure that addresses key controls in all known areas needed to provide for the confidentiality, integrity and availability of the organization's information assets. This framework also provides administrators the guidance necessary for making prioritized decisions, as well as justification for implementing organizational change.
2 Purpose
The purpose of this Information Security Policy is to clearly establish Clarkson University's role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives enables Clarkson University to implement a comprehensive system-wide Information Security Program.
3 Scope
The scope of this policy includes all information assets governed by the organization. All personnel and service providers who have access to or utilize assets of the organization, including data at rest, in transit or in process shall be subject to these requirements. This policy applies to:
- All information assets and IT resources operated by the organization;
- All information assets and IT resources provided by the organization through contracts, subject to the provisions and restrictions of the contracts; and
- All authenticated users of Clarkson University information assets and IT
4 Implementation
Clarkson University needs to protect the availability, integrity and confidentiality of data while providing information resources to fulfill the organization’s mission. The Information Security Program must be risk-based, and implementation decisions must be made based on addressing the highest risk first.
Clarkson University's administration recognizes that fully implementing all controls within the NIST Standards is not possible due to organizational limitations and resource constraints. Administration must implement the NIST standards whenever possible, and document exceptions in situations where doing so is not practicable.
5 Roles and Responsibilities
Clarkson University has assigned the following roles and responsibilities:
- Chief Information Officer: The Chief Information Officer is accountable for the implementation of the Information Security Program, including:
  - Security policies, standards, and procedures
  - Security compliance, including managerial, administrative and technical controls
  - The CIO is responsible for the development, implementation, and maintenance of a comprehensive Information Security Program for Clarkson University. This includes security policies, standards, and procedures which reflect best practices in information
  - The CIO also functions as the HIPAA Privacy Officer
  The Chief Information Officer is to be informed of information security implementations and ongoing development of the Information Security Program design.
- Information Security Governance Committee: The group is responsible for the design, implementation, operations and compliance functions of the Information Security Program for all Clarkson University constituent units. The committee is comprised of senior staff and functions as the Information Security Program Office.
6 Information and System Classification
Clarkson University must establish and maintain security categories for both information and information systems. For more information, reference the Data Classification Policy.
7 Provisions for Information Security Standards
The Clarkson University Security Program is framed on National Institute of Standards and Technology (NIST) guidance, with controls implemented according to the priorities of the SANS Critical Security Controls. Clarkson University must develop the control standards and procedures required to support the organization's Information Security Policy. This policy is further defined by control standards, procedures, control metrics and control tests that provide functional verification.
The Clarkson University Security Program is based on NIST Special Publication 800-53. This publication is structured into 18 control groupings, herein referred to as Information Security Standards. These Standards must meet all statutory and contractual requirements.
7.1 Access Control (AC)
Clarkson University must limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
7.2 Awareness and Training (AT)
Clarkson University must: (i) ensure that managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organization information systems; and (ii) ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
7.3 Audit and Accountability (AU)
Clarkson University must: (i) create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protective enclave systems, specific to confidential data and confidential networks, at a minimum; and (ii) ensure that the actions of individual information system users can be uniquely traced for all restricted systems.
7.4 Assessment and Authorization (CA)
Clarkson University must: (i) periodically assess the security controls in organization information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organization information systems; (iii) authorize the operation of the organization’s information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
7.5 Configuration Management (CM)
Clarkson University must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
7.6 Contingency Planning (CP)
Clarkson University must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for the organization’s information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
7.7 Identification and Authentication (IA)
Clarkson University must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to Clarkson University information systems.
7.8 Incident Response (IR)
Clarkson University must: (i) establish an operational incident handling capability for organization information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organization officials and/or authorities.
7.9 Maintenance (MA)
Clarkson University must: (i) perform periodic and timely maintenance on organization information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
7.10 Media Protection (MP)
Clarkson University must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; (iii) encrypt information on information system media where applicable; and (iv) sanitize or destroy information system media before disposal or release for reuse.
7.11 Physical and Environmental Protection (PE)
Clarkson University must: (i) limit physical access to information systems, equipment and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
7.12 Planning (PL)
Clarkson University must develop, document, periodically update and implement security plans for organization information systems that describe the security controls in place or planned for the information systems as well as rules of behavior for individuals accessing the information systems.
7.13 Personnel Security (PS)
Clarkson University must: (i) ensure that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria for those positions; (ii) ensure that organization information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with Clarkson University security policies and procedures.
7.14 Risk Assessment (RA)
Clarkson University must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
7.15 System and Services Acquisition (SA)
Clarkson University must: (i) allocate sufficient resources to adequately protect organization information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures, through federal and state law and contract, to protect information, applications and/or services outsourced from the organization.
7.16 System and Communications Protection (SC)
Clarkson University must: (i) monitor, control and protect organization communications (i.e., information transmitted or received by organization information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and (ii) employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within organization information systems.
7.17 System and Information Integrity (SI)
Clarkson University must: (i) identify, report and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organization information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
7.18 Program Management (PM)
Clarkson University must implement a formal security program. The program shall be based on an accepted, industry framework that is reviewed and updated as needed. Information Security controls shall be selected to provide a foundation for the organizational Information Security Program. Any controls from the framework that are not implemented shall be documented, along with the risk-based rationale for not implementing those controls. Written policy and procedures shall be maintained for the program. Such policies and procedures will be actively monitored and adhere to an annual review and approval process.
Clarkson University shall select an individual or dedicated team to manage the information security of the organization. The senior-level information security official (ISO) shall coordinate, develop, and implement the program, assigning specific security roles and responsibilities that are formally documented and aligned with internal and external partners. Objectives for the program will be written, tracked, and regularly reported to senior management. All security plans must meet applicable Federal requirements or leading practices for information security. A security governance committee will oversee and steer the program and make informed, risk-based decisions about it. The ISO shall regularly report to the security governance committee.
Security testing, training, and monitoring plans shall be developed, implemented, maintained, and reviewed for consistency with the risk management strategy. Activities to implement these plans shall be coordinated across all parts of the organization.
Non-compliance with the Information Security Policies will be handled through Clarkson University's progressive discipline process.
7.19 Data Protection and Privacy
Clarkson University shall appoint a qualified Data Protection Officer. Retention plans shall be developed and shall cover PII/ePHI data, the notices provided to customers, and the documents describing specific security measures (policies, standards, procedures).
Confidentiality and non-disclosure agreements are in place and reviewed at least annually. Business associate agreements shall be in place with all entities that receive access to Clarkson University HIPAA-scoped data. Storage of covered information is kept to a minimum and confined to specifically authorized storage locations. Suitable encryption is applied to all covered information at rest and in motion.
8 Enforcement
Clarkson University may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security or functionality of organization and computer resources.
Any personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
9 Privacy
Clarkson University must make every reasonable effort to respect a user's privacy. However, personnel do not acquire a right of privacy for communications transmitted or stored on organization resources.
Additionally, in response to a judicial order or any other action required by law or permitted by official organization policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the organization, the Chief Information Officer, or an authorized agent, may access, review, monitor and/or disclose computer files associated with an individual's account.
10 Exceptions
Exceptions to the policy may be granted by the Chief Information Officer, or his or her designee. To request an exception, submit an Information Security Exception request to the IT HelpDesk.
11 Disclaimer
Clarkson University disclaims any responsibility for and does not warrant information and materials residing on non-Clarkson University systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions, or values of Clarkson University.
12 References
- NIST SP 800-53
- HIPAA (45 CFR Part 160 and Subparts A and E of Part 164)
- New York State Information Security Breach and Notification Act
- FIPS-199
- PCI DSS 2
13 Related Policies
- Clarkson University Data Classification Policy
- Data Classification & Handling Procedure
- Acceptable Use Policy
- Privacy Policy
- Information Security Awareness and Training Policy
14 Responsible Department
Office of Information Technology
15 Policy Authority
This policy is issued by the Chief Information Officer and approved by the University President for Clarkson University.
Revision History
Version | Date | Author | Revisions
1 | 1/27/2023 | B. Huntley | Initial Draft - Information Security Policy
2 | 4/24/2023 | L. Perry | Presidential Approval