OM 9.1.1 - Information Security Policy

Effective Date: January 2023
Last Updated: April 24, 2023
Responsible University Office: Office of Information Technology
Responsible University Administrator: Chief Information Officer

Policy Contact:

Office of Information Technology
helpdesk@clarkson.edu

1 Introduction

The purpose of this policy is to assist the organization in its eﬀorts to fulﬁll its ﬁduciary responsibilities related to the protection of information assets and comply with regulatory and contractual requirements involving information security and privacy. This policy framework consists of eighteen (18) separate policy statements, with supporting Standards documents, based on guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-53 r4.

Although no set of policies can address every possible scenario, this framework, taken as a whole, provides a comprehensive governance structure that addresses key controls in all known areas needed to provide for the conﬁdentiality, integrity and availability of the organization’s information assets. This framework also provides administrators guidance necessary for making prioritized decisions, as well as justiﬁcation for implementing organizational change.

2 Purpose

The purpose of this Information Security Policy is to clearly establish Clarkson University's role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulﬁlling these objectives enables Clarkson University to implement a comprehensive system-wide Information Security Program.

3 Scope

The scope of this policy includes all information assets governed by the organization. All personnel and service providers who have access to or utilize assets of the organization, including data at rest, in transit or in process shall be subject to these requirements. This policy applies to:

All information assets and IT resources operated by the organization;
All information assets and IT resources provided by the organization through contracts, subject to the provisions and restrictions of the contracts; and
All authenticated users of Clarkson University information assets and IT

4 Implementation

Clarkson University needs to protect the availability, integrity and conﬁdentiality of data while providing information resources to fulﬁll the organization’s mission. The Information Security Program must be risk-based, and implementation decisions must be made based on addressing the highest risk ﬁrst.

Clarkson University's administration recognizes that fully implementing all controls within the NIST Standards is not possible due to organizational limitations and resource constraints. Administration must

implement the NIST standards whenever possible, and document exceptions in situations where doing so is not practicable.

5 Roles and Responsibilities

Clarkson University has assigned the following roles and responsibilities:

Chief Information Oﬃcer: The Chief Information Oﬃcer is accountable for the implementation of the Information Security Program including:
1. Security policies, standards, and procedures
2. Security compliance including managerial, administrative and technical controls
3. The CIO is responsible for the development, implementation, and maintenance of a comprehensive Information Security Program for Clarkson University. This includes security policies, standards, and procedures which reﬂect best practices in information
4. The CIO also functions as the HIPAA Privacy Oﬃcer

The Chief Information Oﬃcer is to be informed of information security implementations and ongoing development of the Information Security Program design.

Information Security Governance Committee: The group is responsible for the design, implementation, operations and compliance functions of the Information Security Program for all Clarkson University constituent units. The committee is comprised of senior staﬀ and functions as the Information Security Program Oﬃce.

6 Information and System Classiﬁcation

Clarkson University must establish and maintain security categories for both information and information systems. For more information, reference the Data Classiﬁcation Policy.

7 Provisions for Information Security Standards

The Clarkson University Security Program is framed on National Institute of Standards and Technology (NIST) and controls implemented based on SANS Critical Security Controls priorities. Clarkson University must develop appropriate control standards and procedures required to support the organization’s Information Security Policy. This policy is further deﬁned by control standards, procedures, control metrics and control tests to assure functional veriﬁcation.

The Clarkson University Security Program is based on NIST Special Publication 800-53. This publication is structured into 18 control groupings, herein referred to as Information Security Standards. These Standards must meet all statutory and contractual requirements.

7.1 Access Control (AC)

Clarkson University must limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

7.2 Awareness and Training (AT)

Clarkson University must: (i) ensure that managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organization information

systems; and (ii) ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

7.3 Audit and Accountability (AU)

Clarkson University must: (i) create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protective enclave systems, speciﬁc to conﬁdential data and conﬁdential networks, at a minimum; and (ii) ensure that the actions of individual information system users can be uniquely traced for all restricted systems.

7.4 Assessment and Authorization (CA)

Clarkson University must: (i) periodically assess the security controls in organization information systems to determine if the controls are eﬀective in their application; (ii) develop and implement plans of action designed to correct deﬁciencies and reduce or eliminate vulnerabilities in organization information systems; (iii) authorize the operation of the organization’s information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued eﬀectiveness of the controls.

7.5 Conﬁguration Management (CM)

Clarkson University must: (i) establish and maintain baseline conﬁgurations and inventories of organizational information systems (including hardware, software, ﬁrmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security conﬁguration setti ngs for information technology products employed in organizational information systems.

7.6 Contingency Planning (CP)

Clarkson University must establish, maintain, and eﬀectively implement plans for emergency response, backup operations, and post-disaster recovery for the organization’s information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

7.7 Identiﬁcation and Authorization (IA)

Clarkson University must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to Clarkson University information systems.

7.8 Incident Response (IR)

Clarkson University must: (i) establish an operational incident handling capability for organization information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organization oﬃcials and/or authorities.

7.9 Maintenance (MA)

Clarkson University must: (i) perform periodic and timely maintenance on organization information systems; and (ii) provide eﬀective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

7.10 Media Protection (MP)

Clarkson University must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) encryption, where applicable, (iiii) sanitize or destroy information system media before disposal or release for reuse.

7.11 Physical and Environmental Protection (PE)

Clarkson University must: (i) limit physical access to information systems, equipment and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

7.12 Planning (PL)

Clarkson University must develop, document, periodically update and implement security plans for organization information systems that describe the security controls in place or planned for the information systems as well as rules of behavior for individuals accessing the information systems.

7.13 Personnel Security (PS)

Clarkson University must: (i) ensure that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria for those positions; (ii) ensure that organization information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with Clarkson University security policies and procedures.

7.14 Risk Assessment (RA)

Clarkson University must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

7.15 System and Services Acquisition (SA)

Clarkson University must: (i) allocate suﬃcient resources to adequately protect organization information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures, through federal and state law and contract, to protect information, applications and/or services outsourced from the organization.

7.16 System and Communications Protection (SC)

Clarkson University must: (i) monitor, control and protect organization communications (i.e., information transmitted or received by organization information systems) at the external boundaries and key internal boundaries of the information systems for conﬁdential data transmissions; and (ii) employ architectural designs, software development techniques, encryption, and systems engineering principles that promote eﬀective information security within organization information systems.

7.17 System and Information Integrity (SI)

Clarkson University must: (i) identify, report and correct information and information system ﬂaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organization information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.

7.18 Program Management (PM)

Clarkson University must implement a formal security program. The program shall be based on an accepted, industry framework that is reviewed and updated as needed. Information Security controls shall be selected to provide a foundation for the organizational Information Security Program. Any controls from the framework that are not implemented shall be documented, along with the risk-based rationale for not implementing those controls. Written policy and procedures shall be maintained for the program. Such policies and procedures will be actively monitored and adhere to an annual review and approval process.

Clarkson University shall select an individual or dedicated team to manage the information security of the organization. The senior-level information security oﬃcial (ISO) shall coordinate, develop, and implement the program, assigning speciﬁc security roles and responsibilities that are formally documented and aligned with internal and external partners. Objectives for the program will be written, tracked, and regularly reported to senior management. All security plans must meet the applicable Federal or leading practices for information security. A security governance committee will oversee and steer/guide the program as well as making informed, risk-based decisions about the program. The ISO shall regularly report to the security governance committee.

Security testing, training, and monitoring plans shall be developed, implemented, maintained, and reviewed for consistency with the risk management strategy. Activities to implement these plans shall be coordinated across all parts of the organization.

Non-compliance with the Information Security Policies will be handled through Clarkson University's progressive discipline process.

7.19 Data Protection and Privacy

Clarkson University shall appoint a qualiﬁed Data Protection Oﬃcer. Retention plans are developed, and the retention plans include the PII/ePHI data, the notices provided to Customers, and the documents regarding speciﬁc security measures (Policies, Standards, Procedures).

Conﬁdentiality and non-disclosure agreements are in-place and reviewed at least annually. Business associate agreements shall be in place with all entities that receive access to Clarkson University HIPAA-scoped data. Storage of covered information is kept to a minimum and conﬁned to speciﬁcally authorized storage locations. Suitable encryption is applied for all information at rest and in-motion.

8 Enforcement

Clarkson University may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security or functionality of organization and computer resources.

Any personnel found to have violated this procedure may be subject to disciplinary action, up to and including termination of employment.

9 Privacy

Clarkson University must make every reasonable eﬀort to respect a user's privacy. However, personnel do not acquire a right of privacy for communications transmitted or stored on organization resources.

Additionally, in response to a judicial order or any other action required by law or permitted by oﬃcial organization policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the organization, the Chief Information Oﬃcer, or an authorized agent, may access, review, monitor and/or disclose computer ﬁles associated with an individual's account.

10 Exceptions

Exceptions to the policy may be granted by the Chief Information Oﬃcer, or his or her designee. To request an exception, submit an Information Security Exception request to the IT HelpDesk.

11 Disclaimer

Clarkson University disclaims any responsibility for and does not warrant information and materials residing on non-Clarkson University systems or available over publicly accessible networks. Such materials do not necessarily reﬂect the atti tudes, opinions, or values of Clarkson University.

12 References

NIST SP 800-53
HIPAA (45 CFR Part 160 and Subparts A and E of Part 164)
New York State Information Security Breach and Notiﬁcation Act
FIPS-199
PCI DSS 2

Clarkson University Data Classiﬁcation Policy
Data Classiﬁcation & Handling Procedure
Acceptable Use Policy
Privacy Policy
Information Security Awareness and Training Policy

14 Responsible Department

Oﬃce of Information Technology

15 Policy Authority

This policy is issued by the Chief Information Oﬃcer and approved by the University President for Clarkson University.

Revision History

Version	Date	Author	Revisions
1	1/27/2023	B. Huntley	Initial Draft - Information Security Policy
2	4/24/2023	L. Perry	Presidential Approval

Details

Revision #1

Created 9 months ago by Autumn MacWilliams

Updated 9 months ago by Autumn MacWilliams

Referenced on 1 page

Book Permissions Active

Actions

Revisions

OM 1.0.0 - History and Mission

OM 1.1.0 History

OM 1.2.0 Mission and Objectives

OM 2.00.0

OM 2.1.0 - Board of Trustees

OM 2.3.0 - Duties and Responsibilities of Provost, Vice Presidents, Deans and Other Officers of the University

OM 2.4.0 Duties and Responsibilities of Academic Department Chairs

OM 2.4.1 Appointment and Tenure of Department Chairs and Academic Program Directors Policy Statement

OM 2.5.0 Periods of Duty - Administrative Offices

OM 2.6.0 Clarkson University Policies Governing Organized Activity Units

OM 2.6.1 Duties and Responsibilities of Directors of Institutes and Centers

OM 2.6.2 Appointment and Tenure of Directors

OM 2.6.3 Director of Organized Activity Unit - Additional Operational/Management Guidance

OM 2.7.0 Operational Procedures for the Administrative Council

OM 2.8.0 Faculty Senate Constitution

OM 2.9.0 Paperflow for Senate and Administrative Council Actions

OM 2.10.0 Committees of the University

OM 2.10.1 Committees of the Faculty Senate

OM 2.10.2 Standing Administrative Committees

OM 2.10.3 University Committee Procedures

OM 2.11.0 Support Staff Policies and Procedures

OM 2.12.0 Professional and Supervisory Staff Policies and Procedures

OM 3.0.0 - Human Resources Policies

OM 3.1.0 Human Resources Policies - General

OM 3.1.1 Definition of Employee Groups

OM 3.1.2 Exempt and Non-Exempt Employee Categories

OM 3.1.3 - Affirmative Action and Equal Employment Opportunity Statement

OM 3.1.4 - Employment of Family Members at Clarkson

OM 3.1.5 - Harassment and Sexual Misconduct Policy

OM 3.1.6 - Employment of Minors

OM 3.1.7 Drug Abuse in the Workplace

OM 3.1.8 Orientation

OM 3.1.9 Change in Status

OM 3.1.10 Smoking Policy

OM 3.1.11 Nondiscrimination Policy

OM 3.1.12 Cultural Diversity Policy

OM 3.1.13 General Grievance Procedures

OM 3.1.14 Discrimination Grievance Procedure (Including Cases of Sexual Misconduct)

OM 3.1.15 Anti-Bullying Policy

OM 3.1.16 Clarkson University Exit Policy

OM 3.1.17 Recruitment and Selection Process

OM 3.1.18 Termination/Resignation Policy

OM 3.1.19 Flexible Work Schedule (flextime) and Working Remotely

OM 3.1.20 Background Check Policy

OM 3.1.21 No Contact Order Policy

OM 3.2.0 Human Resources Policies - Faculty

OM 3.2.1 Retirement Benefits

OM 3.3.0 Human Resources Policies - Administrative, Supervisory, and General Staff

OM 3.3.1 Job Posting

OM 3.3.2 Position Classification Procedures

OM 3.3.3 Disciplinary Procedure

OM 3.3.4 Termination of Employment

OM 3.3.5 Retirement Benefits

OM 3.4.0 Human Resources Policies - Employment and Working Conditions - General Staff

OM 3.4.1 The Four Types of Appointments

OM 3.4.2 Employment - Appointment of General Staff Personnel

OM 3.4.3 Probationary Period - General Staff (Non-Bargaining)

OM 3.4.4 Working Hours - General Staff

OM 3.4.5 Rest Periods - General Staff

OM 3.4.6 Promotions and Transfers - General Staff

OM 4.0.0 - Compensation Policies

OM 4.1.0 Compensation Policies - General

OM 4.1.1 Supplemental Compensation Procedures - Faculty

OM 4.2.0 Compensation Policies - Faculty

OM 4.2.1 Salary Plan

OM 4.2.2 Salary Continuance - Faculty

OM 4.3.0 Compensation Policies - Administrative, Supervisory, and General Staff

OM 4.3.1 Wage and Salary Administration

OM 4.3.2 Salary Plan - Administrative and Supervisory Staff

OM 4.3.3 Pay Periods and Payroll Deductions - General Staff

OM 4.3.4 Overtime Policy for Non-Exempt Employees

OM 4.3.5 Supplemental Compensation Procedures - Exempt Non-Faculty

OM 4.3.6 Policy on Compensation for Travel Time - Non-Exempt Employees

OM 5.0.0 - Faculty Definitions and Policies

OM 5.1.0 Titles, Status and Definitions

OM 5.2.0 Duties of a Faculty Member

OM 5.3.0 Standards for Faculty Evaluations

OM 5.4.0 Procedures and Documentation for the Appointment, Reappointment and Continuing Evaluation of Faculty

OM 5.5.0 Evaluation Procedures for Tenure - The Tenure Policy

OM 5.6.0 Evaluation Procedures for Promotion