OM 9.1.2 - Information Security Standards

Effective Date: January 2023
Last Updated: April 24, 2023
Responsible University Office: Office of Information Technology
Responsible University Administrator: Chief Information Officer

Policy Contact:

Office of Information Technology
helpdesk@clarkson.edu

1 Purpose

The Information Security Steering Committee of Clarkson University has adopted these information security Standards, which deﬁne the appropriate administrative, technical, and physical safeguards over sensitive information. These standards are designed to:

● Ensure that the safeguards adequately address the legal, regulatory, and mandatory requirements for information security;

● Provide adequate coverage of the recommended best practices spanning in the eighteen NIST Control Families; and

● Give a general assurance level that the conﬁdentiality, integrity, and availability of the University's assets will be upheld.

These Standards are based upon NIST 800-53 rev4 and they represent the What elements of information security that are speciﬁc to the University. Clarkson University will update these standards as need arises and will continue to review them annually. As these standards are not policy, updates shall not require Board approval, but will be reviewed and formally approved by the Information Security Steering Committee at least annually.

In addition to the Standards deﬁned here, Clarkson University also maintains a set of procedures, plans and processes that deﬁne the How, When, and Who elements of information security and the expected behavior of personnel as they work to carry out the Standards in an approved manner that upholds these Standards.

2 Scope

These standards are applicable to all information in the possession of the University, including its aﬃliates and its agents, which may be stored, processed, or transmitted by any means. This includes electronic information, information on paper, and information shared orally or visually (e.g., telephone and video conferencing). Also included is any information in storage or in electronic or physical transmission outside of the University's facilities (e.g., service providers).

3 Roles & Responsibilities

Ultimate accountability for the Information Security controls rests with the Director of Network Services and Information Security. The control owners are accountable to ensure that the controls assigned to them are in-place and eﬀective throughout the scope of the organization for which the controls apply.

● For administrative controls, the control owner will most likely oversee the execution of controls and possibly will be the implementor of the controls as well.

● For technical controls, the control owner is accountable, and may or may not choose to have IT implement the controls on their behalf.

● For physical controls, there will be a division of labor between the control owner and the facilities team.

4 Information Security Standards

4.1 Access Control Policy and Procedures

4.1.1 Standard Owner: Board, Senior Management, Information Technology

4.1.2 Standard References

NIST: AC-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)

PCI-DSS: 12.1, 12.1.1

4.1.3 Standard

The organization will:

Develop, document, and disseminate standards that address purpose, scope, roles and responsibilities for managing access management activities;
Develop and document the roles and responsibilities for individuals who have access to information systems;
Document supporting procedures;
Disseminate the information to ensure coordination among the organization’s entities; and
Policy and procedure are approved and reviewed every
Review the standards

4.2 Access Control Policy and Procedures

4.2.1 Standard Owner: Information Technology

4.2.2 Standard References

NIST: AC-1

GLBA:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)

PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.2

4.2.3 Standard

A formal, documented emergency access procedure (for system and facilities) for enabling authorized workforce members during an emergency.

4.3 Account Management

4.3.1 Standard Owner: Information Technology

4.3.2 Standard References

NIST: AC-2

GLBA:

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6

HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.2

4.3.3 Standard

All user access to systems must be granted based on (1) valid access authorization, including business justiﬁcation, by [Whom], (2) intended system usage, and (3) other attributes as required by the organization or associated mission’s/business functions.

4.4 Account Management

4.4.1 Standard Owner: Information Technology

4.4.2 Standard References

NIST: AC-2

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6

HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS: 7.1, 7.1.2, 7.2

4.4.3 Standard

Accounts with special privileges will only be used for those tasks requiring it, not for day-to-day usage.

4.5 Account Management | Access Enforcement | Least Privilege

4.5.1 Standard Owner: Information Technology

4.5.2 Standard References

NIST: AC-2 AC-3 AC-6

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6 A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C),

164.308(a)(5)(ii)(C), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.1.4, 7.2, 7.2.1, 7.2.3, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 10.1

4.5.3 Standard

A formal, documented process for granting appropriate access to organization information systems will be documented. Only the most minimal access will be provisioned based on a need-to-know basis. All revisions to organization workforce member and software program access rights will be tracked and logged. Security groups and ACLs will be used to provide limited, role-based access to shared resources. For systems not relying on domain accounts, the account creation/removal process will also be documented. At a minimum, tracking and logging of all access requests will require the following information:

Data and time of revision
Identiﬁcation of workforce member or software program whose access is being revised
Brief description of revised access right(s)

Approval by system owner/stewards or their chosen delegate
Reason for revision

This information will be securely maintained.

4.6 Access Enforcement

4.6.1 Standard Owner: Information Technology

4.6.2 Standard References

NIST: AC-3

GLBA: Eﬀective

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 1.2.1 7.2.3

4.6.3 Standard

Access to internal, nonpublic-facing systems from untrusted sites, by default, will be blocked at the organization perimeter ﬁrewall.

4.7 Access Enforcement | Least Privilege

4.7.1 Standard Owner: Information Technology

4.7.2 Standard References

NIST: AC-3 AC-6

GLBA: Draft

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1.1, 7.1.3, 8.1.4

4.7.3 Standard

All organization workforce members will have their information system privileges automatically disabled after their user ID or access method has had 90 days of inactivity. All such privileges that are disabled in this manner will be reviewed to ensure that the inactivity is not due to termination of employment. If termination is the reason for inactivity, there will be review of situation to ensure that all access to CONFIDENTIAL INFORMATION (or ability to physical access information) has been eliminated.

4.8 Access Enforcement | Least Privilege

4.8.1 Standard Owner: Information Technology

4.8.2 Standard References

NIST: AC-3 AC-6

GLBA: Draft

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1.2, 7.1.3

4.8.3 Standard

Access reviews for privileged and non-privileged accounts on systems storing restricted information will be conducted annually.

4.9 Information Flow Enforcement

4.9.1 Standard Owner: Information Technology

4.9.2 Standard References

NIST: AC-4

GLBA: On Hold

ISO27001: A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.310(b)

PCI-DSS:

4.9.3 Standard

The organization will deﬁne a Security Architecture Plan that addresses:

The ﬂow of information between inter-connected systems; and
Deﬁned security rules by network

4.13 Unsuccessful Logon Attempts

4.13.1 Standard Owner: Information Technology

4.13.2 Standard References

NIST: AC-7

GLBA: Eﬀective

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2,2.2.4, 8.1.6, 8.1.7

4.13.3 Standard

Systems will lock accounts after no more than 5 failed login attempts.

4.14 System Use Notiﬁcation

4.14.1 Standard Owner: Information Technology

4.14.2 Standard References

NIST: AC-8

GLBA: On Hold

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2.4

4.14.3 Standard

The organization displays an approved system use notiﬁcation message or banner before granting access to the system that provides privacy and security notices consistent with applicable laws, directives, policies, regulations, standards, and guidance and states that:

users are accessing organizational information systems;
system usage may be monitored, recorded, and subject to audit;

unauthorized use of the system is prohibited and subject to disciplinary action; and
use of the system indicates consent to monitoring and

4.15 Previous Logon (Access) Notiﬁcation

4.15.1 Standard Owner: Information Technology

4.15.2 Standard References

NIST: AC-9

GLBA: On Hold

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2.4

4.15.3 Standard

Workstation, laptop, and server logon systems will suppress and/or not display the username of the previously logged on user.

4.16 Concurrent Session Control

4.16.1 Standard Owner: Information Technology

4.16.2 Standard References

NIST: AC-10

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS:

4.16.3 Standard

Critical applications will be conﬁgured to limit the number of concurrent sessions for each account and/or account type.

4.17 Session Lock

4.17.1 Standard Owner: Information Technology

4.17.2 Standard References

NIST: AC-11

GLBA: Eﬀective

ISO27001: A.11.2.8, A.11.2.9

HIPAA: 164.310(b), 164.312(a)(2)(iii)

PCI-DSS: 2.2,2.2.4, 8.1.8, 12.3.8

4.17.3 Standard

Endpoints must prevent further access to the information assets by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user. In addition, systems must retain the session lock until the user reestablishes access using established identiﬁcation and authentication procedures.

4.18 Session Termination

4.18.1 Standard Owner: Information Technology

4.18.2 Standard References

NIST: AC-12

GLBA: On Hold

ISO27001: --

HIPAA: 164.310(b), 164.312(a)(2)(iii)

PCI-DSS: 2.2,2.2.4, 8.1.8, 12.3.8

4.18.3 Standard

Systems will disconnect application and remote access sessions after 240 minutes of idle time.

4.19 Remote Access

4.19.1 Standard Owner: Information Technology

4.19.2 Standard References

NIST: AC-17

GLBA: Eﬀective

ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2

HIPAA: 164.310(b)

PCI-DSS: 8.1.5

4.19.3 Standard

Applications accessed through external facing webservers without appropriate SSL encryption will only be accessed via approved VPN.

4.20 Remote Access

4.20.1 Standard Owner: Information Technology

4.20.2 Standard References

NIST: AC-17

GLBA: Eﬀective

ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2

HIPAA: 164.310(b)

PCI-DSS: 8.1.5,12.3.9,12.3.10

4.20.3 Standard

Remote access technologies for vendors will only be enabled when needed, with immediate deactivation after use.

4.21 Wireless Access

4.21.1 Standard Owner: Information Technology

4.21.2 Standard References

NIST: AC-18

GLBA: Eﬀective

ISO27001: A.6.2.1, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 4.1, 4.1.1, 11.1

4.21.3 Standard

Public wireless networks will be considered open, insecure networks.

4.22 Wireless Access

4.22.1 Standard Owner: Information Technology

4.22.2 Standard References

NIST: AC-18

GLBA: Eﬀective

ISO27001: A.6.2.1, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.2.3, 2.1.1, 4.1, 9.1.3, 11.1, 11.1.1, 11.1.2, 12.3

4.22.3 Standard

Without prior authorization, departments or personnel will not setup their own wireless access-points or networks

4.23 Use of External Information Systems

4.23.1 Standard Owner: Information Technology

4.23.2 Standard References

NIST: AC-20

GLBA: On Hold

ISO27001: A.11.2.6, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.3.5

4.23.3 Standard

All connections between organization Information Systems and external systems will be approved and documented.

4.24 Use of External Information Systems

4.24.1 Standard Owner: Information Technology

4.24.2 Standard References

NIST: AC-20

GLBA: Eﬀective

ISO27001: A.11.2.6, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.3.5

4.24.3 Standard

The Director of Network Services & Information Security will approve any system which interfaces with systems that store or process information classiﬁed as 'Clarkson-Restricted'.

4.25 Publicly Accessible Content

4.25.1 Standard Owner: Information Technology, | Compliance

4.25.2 Standard References

NIST: AC-22

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS:

4.25.3 Standard

Information classiﬁed as Clarkson-Restricted will not be posted on the organization's publicly available website.

4.26 Access Control Decisions

4.26.1 Standard Owner: Information Technology

4.26.2 Standard References

NIST: AC-24

GLBA: Eﬀective

ISO27001: A.9.4.1*

HIPAA:

PCI-DSS:

4.26.3 Standard

All access requests will go through a managerial approval process prior to access enforcement.

4.27 Audit and Accountability Policy and Procedures

4.27.1 Standard Owner: IT

4.27.2 Standard References

NIST: AU-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.312(b)

PCI-DSS: 12.1, 12.1.1

4.27.3 Standard

The organization will:

Develop, document, and disseminate audit and accountability standards that addresses purpose, scope, roles, responsibilities, and management commitment, coordination among organizational entities, and

Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.28 Audit Events | Non-repudiation

4.28.1 Standard Owner: IT

4.28.2 Standard References

NIST: AU-2 AU-10

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(5)(ii)(C), 164.312(b)

PCI-DSS: 8.1.5, 10.1, 10.2, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4,

10.6.1

4.28.3 Standard

Security events for Active Directory, ﬁrewalls, servers, applications, and databases will be deﬁned. This includes:

Permission Altered Alerts (accounts/groups created, group membership modiﬁed, VPN groups modiﬁed)
Inappropriate Use & Login for Administrators (successful/failed logon attempts, application/operating system/network devices administrator accounts, service accounts, accounts used to provision access, local administrator accounts)
Inappropriate Use for Workforce (successful/failed logon attempts, multiple account locks/disabled/deleted)
System Events (logs cleared, virus/malware detected, NTP time change, rogue wireless devices)
System Health (active directory groups created/removed, application restarts/shutdowns, taxing active directory queries)
File Integrity (critical/sensitive ﬁle changes)
Network Intrusion Attempts
Application & Database (failed logon attempts, accounts created/modiﬁed)
Event types, date and time, origination of event, identity or name of aﬀected data, system component, or resource

4.31.3 Standard

The central logging server will be monitored for system disk capacity, availability, and running of the syslog process

4.32 Audit Review, Analysis, and Reporting

4.32.1 Standard Owner: IT

4.32.2 Standard References

NIST: AU-6

GLBA: On Hold

ISO27001: A.12.4.1, A.16.1.2, A.16.1.4

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.312(b)

PCI-DSS:

4.32.3 Standard

Metrics reports for security events will be created and monitored on a periodic basis, based on the criticality of the logs. As well, an alerting process will be used.

4.33 Time Stamps

4.33.1 Standard Owner: IT

4.33.2 Standard References

NIST: AU-8

GLBA: Eﬀective

ISO27001: A.12.4.4

HIPAA:

PCI-DSS: 2.2,2.2.4, 10.3.3, 10.4, 10.4.1, 10.4.2, 10.4.3

4.33.3 Standard

All workstations and servers will receive their time via NTP from industry accepted time sources.

4.34 Protection of Audit Information

4.34.1 Standard Owner: IT

4.34.2 Standard References

NIST: AU-9

GLBA: Eﬀective

ISO27001: A.12.4.2, A.12.4.3, A.18.1.3

HIPAA:

PCI-DSS: 10.5, 10.5.1, 10.5.2

4.34.3 Standard

Audit logs will be secured so that cannot be altered:

Access limited to those with job-related needs
Protected via access control mechanisms, physical segregations

4.35 Audit Record Retention

4.35.1 Standard Owner: IT

4.35.2 Standard References

NIST: AU-11

GLBA: Draft

ISO27001: A.12.4.1, A.16.1.7

HIPAA:

PCI-DSS: 10.5.3, 10.5.4, 10.5.5

4.35.3 Standard

Logs will be sent to a central log server and retained for a minimum of 3 months online, 9 months oﬄine (total of 1 year available). Log ﬁles will be monitored for change.

4.36 Monitoring for Information Disclosure

4.36.1 Standard Owner: IT

4.36.2 Standard References

NIST: AU-13

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS: 10.6, 10.6.1, 10.6.2, 10.6.3

4.36.3 Standard

Logs will be monitored and security events investigated, at a minimum, daily. If a security incident has occurred, the incident response procedures will be executed and followed.

4.37 Security Awareness and Training Policy and Procedures

4.37.1 Standard Owner: Information Security

4.37.2 Standard References

NIST: AT-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 12.6, 12.6.1

4.37.3 Standard

The organization will:

Develop, document, and disseminate security awareness and training standards that addresses purpose, scope, roles, responsibilities, and management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of the
Review and update Policies every year
Review and update the standards and associated procedures, as

4.38 Security Awareness Program

4.38.1 Standard Owner: Information Security

4.38.2 Standard References

NIST: AT-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 12.6, 12.6.1

4.38.3 Standard

The organization will develop, implement, and regularly review a formal, documented program for providing, at a minimum on-hire and thereafter annually, appropriate security training and awareness to workforce members

4.39 Security Awareness Training

4.39.1 Standard Owner: Information Security

4.39.2 Standard References

NIST: AT-2

GLBA: Eﬀective

ISO27001: A.7.2.2, A.12.2.1

HIPAA: 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B)

PCI-DSS: 3.7, 4.3, 8.4, 12.6, 12.6.1

4.39.3 Standard

Employees training and security reminder communications, at a minimum, will address:

The importance of keeping creating, using, and safeguarding authentication credentials

Ensuring that organization workforce members understand that all activities involving their user identiﬁcation and password will be attributed to
Security policies, procedures, and standards for protecting the conﬁdentiality, integrity, and availability of information and systems
Signiﬁcant risks to organization information systems and data
Information security legal and business responsibilities
How, and to whom an incident shall be reported
How to identify, report, and avoid malicious software, other forms of suspicious electronic communication and social engineering attempts

4.40 Role-Based Security Training

4.40.1 Standard Owner: Information Security

4.40.2 Standard References

NIST: AT-3

GLBA: Eﬀective

ISO27001: A.7.2.2* HIPAA: 164.308(a)(5)(i) PCI-DSS:

4.40.3 Standard

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

Before authorizing access to the information system or performing assigned duties;
when required by information system changes; and
annually

Develop, document, and disseminate conﬁguration management standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.44 Baseline Conﬁguration

4.44.1 Standard Owner: IT

4.44.2 Standard References

NIST: CM-2

GLBA: Draft

ISO27001: --

HIPAA:

PCI-DSS: 1.1.1, 1.1.5, 1.1.6, 1.2.2, 1.5, 2.2, 2.2.2, 2.2.4, 2.2.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8,

10.4.3,12.1,12.1.1, 12.3

4.44.3 Standard

Management procedures will be created that address:

The documentation of Hardening Conﬁguration Standards, by operating system. These conﬁguration controls will be based industry accepted standards (e.g., Center for Internet Security or CIS).
System account conﬁgurations
Groups, roles, and responsibilities for management of network components
Documented business justiﬁcation for all ports, protocols, ports allowed/disallowed, and any security features implemented for those protocols considered insecure
For routers, securing and synchronization of conﬁguration ﬁles
Documentation of security parameters that prevent misuse

Secure coding techniques in the software development lifecycle
Synchronizations with industry accepted time sources

4.45 Baseline Conﬁguration

4.45.1 Standard Owner: IT

4.45.2 Standard References

NIST: CM-2 CM-6

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 1.4, 2.2

4.45.3 Standard

Organization owned laptops and employee owned user devices are prohibited from storing, processing, or transmitti ng credit cardholder data. Desktops and mobile devices (e.g., tablets, smartphones) may be used to process cardholder transactions only if equipped with P2PE-compliant devices and are authorized by IT.

4.46 Baseline Conﬁguration

4.46.1 Standard Owner: IT

4.46.2 Standard References

NIST: CM-2 CM-6

GLBA: Draft

ISO27001: --

HIPAA:

PCI-DSS: 2.2,2.2.4

4.46.3 Standard

All systems that access, store, process, or transmit non-Public Information will be conﬁgured to:

Not display information system or application identifying information until the log-in process has been successfully completed
Where supported, display a logon banner
Not provide help messages during the log-in procedure that would assist an unauthorized user If an error arises during authentication, the system will not indicate which part of the data is correct or incorrect

4.47 Conﬁguration Change Control | Security Impact Analysis

4.47.1 Standard Owner: IT

4.47.2 Standard References

NIST: CM-3 CM-4

GLBA: Eﬀective

ISO27001: A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 A.14.2.3

HIPAA:

PCI-DSS: 1.5,2.2.4, 2.5, 3.7, 4.3, 5.4, 6.3.1, 6.3.2, 6.4, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, 6.7,

7.3, 8.8, 9.10, 10.8, 11.6

4.47.3 Standard

The organization will develop, document, implement, and maintain a change management process for managing changes to production systems containing Clarkson-Restricted data.

This process will address:

Documentation of security impact analysis, functionality testing, back out procedures
The documentation and retention of change records
Review and authorization of changes with explicit consideration for security impact analyses
Coordination and communication of changes
Oversight for proposed conﬁguration-controlled changes
If a new application or changed application that stores non-Public Information, the system will store evidence of a vulnerability scan
The removal of development, test and/or custom application accounts, user IDs, and passwords before the application become active or are released into production
The removal of custom code prior to production release
Where possible, separate development, test, and production systems
Separation of duties between development/test and production systems
Credit cardholder data is not being stored
Removal of test data

4.48 Access Restrictions for Change

4.48.1 Standard Owner: IT

4.48.2 Standard References

NIST: CM-5

GLBA: Eﬀective

ISO27001: A.9.2.3, A.9.4.5, A.12.1.2, A.12.1.4, A.12.5.1

HIPAA:

PCI-DSS: 2.2.4

4.48.3 Standard

IT administrators or authorized vendors will be the only groups who have administrator access to servers

4.49 Conﬁguration Setti ngs

4.49.1 Standard Owner: IT

4.49.2 Standard References

NIST: CM-6

GLBA: Draft

ISO27001: --

HIPAA:

PCI-DSS: 2.2,2.2.4, 8.1.8

4.49.3 Standard

Where technically feasible, computing devices will be electronically locked when they are no longer in use:

Servers: 10 minutes
Laptops and Desktops: 15 minutes

Mobile Devices (smart phones, tablets): 3 minutes
Network Devices: 10 minutes

Exceptions to this standard will be granted and must be approved by the Director of Network Svcs and Information Security.

4.50 Conﬁguration Setti ngs

4.50.1 Standard Owner: IT

4.50.2 Standard References

NIST: CM-6

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS:

4.50.3 Standard

Conﬁguration-controlled computing devices will be sampled and scanned every 6 months to identify, document, implement, and approve any deviations to the conﬁguration setti ngs in accordance with the Hardening Conﬁguration Standards.

4.51 Least Functionality

4.51.1 Standard Owner: IT

4.51.2 Standard References

NIST: CM-7

GLBA: Eﬀective

ISO27001: A.12.5.1*

HIPAA:

PCI-DSS: 2.2.1

4.51.3 Standard

Where economically feasible, only one primary function can be assigned to a production server to prevent functions that require diﬀerent security levels from co-existing on the same server (For example, web servers, database servers, and DNS will be implemented on separate servers). This includes one primary function per virtualized system instance.

4.52 Information System Component Inventory

4.52.1 Standard Owner: IT

4.52.2 Standard References

NIST: CM-8

GLBA: On Hold

ISO27001: A.8.1.1, A.8.1.2

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii)

PCI-DSS: 2.2.4,2.4, 7.2.1, 9.7.1, 9.9.1, 11.1.1, 12.2

4.52.3 Standard

In order to maintain an inventory of all information systems, approved technologies, and electronic media, and to ensure computing assets comply with conﬁguration standards, the Change Management process will identify and update asset inventories.

4.53 Software Usage Restrictions

4.53.1 Standard Owner: IT

4.53.2 Standard References

NIST: CM-10

GLBA: Eﬀective

ISO27001: A.18.1.2

HIPAA:

PCI-DSS:

4.53.3 Standard

All software usage will be tracked, and controlled in accordance with contract requirements and copyright laws.

4.54 Software Usage Restrictions

4.54.1 Standard Owner: IT

4.54.2 Standard References

NIST: CM-10

GLBA: Eﬀective

ISO27001: A.18.1.2

HIPAA:

PCI-DSS:

4.54.3 Standard

Peer to Peer software is prohibited.

4.55 User-Installed Software

4.55.1 Standard Owner: IT

4.55.2 Standard References

NIST: CM-11

GLBA: Eﬀective

ISO27001: A.12.5.1, A.12.6.2

HIPAA:

PCI-DSS: 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7

4.55.3 Standard

Software programs will not be installed on workstations or servers without prior authorizations. Only approved software will be installed on organizational assets.

4.56 Contingency Planning Policy and Procedures

4.56.1 Standard Owner: Operations

4.56.2 Standard References

NIST: CP-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(7)(i)

PCI-DSS: 12.1, 12.1.1

4.56.3 Standard

The organization will:

Develop, document, and disseminate standards and an emergency operations center (EOC) contingency plan that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of the
Review and update the standards and the EOC contingency plan and associated procedures, at a minimum,
Ensure that contingency plans have adequately addressed safeguarding critical information during a serious outage or

4.57 Contingency Plan

4.57.1 Standard Owner: Operations

4.57.2 Standard References

NIST: CP-2

GLBA: Eﬀective

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.57.3 Standard

4.61 Contingency Plan

4.61.1 Standard Owner: Operations

4.61.2 Standard References

NIST: CP-2

GLBA: Eﬀective

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.61.3 Standard

The organization’s contingency plans will be kept current. Examples of events that will result in an update of the plan include, but are not limited to:

Change in disaster recovery
Change in contact information for disaster recovery
Signiﬁcant change(s) to organization’s technical or physical
Change in key suppliers or
Signiﬁcant change in threats to organization facilities or information

4.62 Contingency Training

4.62.1 Standard Owner: Operations

4.62.2 Standard References

NIST: CP-3

GLBA: On Hold

ISO27001: A.7.2.2* HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:

4.62.3 Standard

Organization workforce members will receive training and awareness on organization’s disaster preparation and disaster and emergency response processes

4.63 Contingency Plan Testing

4.63.1 Standard Owner: IT

4.63.2 Standard References

NIST: CP-4

GLBA: Eﬀective

ISO27001: A.17.1.3 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:

4.63.3 Standard

The Disaster Recovery plan will be tested for select systems, at a minimum, annually.

4.64 Contingency Plan Testing

4.64.1 Standard Owner: IT

4.64.2 Standard References

NIST: CP-4

GLBA: Eﬀective

ISO27001: A.17.1.3 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:

4.64.3 Standard

Backup & Recovery Procedure will be tested at least annually.

4.65 Contingency Plan Testing

4.65.1 Standard Owner: IT

4.65.2 Standard References

NIST: CP-4

GLBA: On Hold

ISO27001: A.17.1.4 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:

4.65.3 Standard

The results of the DRP test will be formally documented and presented to appropriate organization management. The contingency plan will be revised as necessary to address issues or gaps identiﬁed in the testing process

4.66 Alternate Storage Site

4.66.1 Standard Owner: IT

4.66.2 Standard References

NIST: CP-6

GLBA: Eﬀective

ISO27001: A.11.1.4, A.17.1.2, A.17.2.1 HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i) PCI-DSS: 9.5.1

4.66.3 Standard

Backup copies of Clarkson-Restricted Information will be stored at a secure, remote location at a minimum of 100 miles from the system of record for which the backups were made.

4.67 Alternate Processing Site

4.67.1 Standard Owner: IT

4.67.2 Standard References

NIST: CP-7

GLBA: Eﬀective

ISO27001: A.11.1.4, A.17.1.2, A.17.2.1 HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i) PCI-DSS:

4.67.3 Standard

The organization and/or its cloud-based vendors will provide at least one alternative processing site should the primary site become unavailable.

4.68 Information System Backup

4.68.1 Standard Owner: IT

4.68.2 Standard References

NIST: CP-9

GLBA: Eﬀective

ISO27001: A.12.3.1, A.17.1.2, A.18.1.3

HIPAA: 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.310(d)(2)(iv)

PCI-DSS:

4.68.3 Standard

The organization will have a formal, documented backup plan for its information systems. At a minimum, the plan will:

Identify information systems and electronic media to be backed
Provide a backup
Identify where backup media are stored and who may access
Outline restoration
Identify who is responsible for ensuring the backup of information systems and electronic media

4.69 Information System Backup

4.69.1 Standard Owner: IT

4.69.2 Standard References

NIST: CP-9

GLBA: Eﬀective

ISO27001: A.12.3.1, A.17.1.2, A.18.1.4

HIPAA: 164.308(a)(7)(ii)(B)

PCI-DSS:

4.69.3 Standard

Backup copies of all non-Clarkson-Public Information on organization electronic media and information systems will be made regularly. This includes both Non-Public Information received by organization and created within organization

4.70 Identiﬁcation and Authentication Policy and Procedures

4.70.1 Standard Owner: Tech Services

4.70.2 Standard References

NIST: IA-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA:

PCI-DSS: 12.1, 12.1.1

4.70.3 Standard

The organization will:

Develop, document, and disseminate identiﬁcation and authentication standards that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.71 Identiﬁcation and Authentication (Organizational Users)

4.71.1 Standard Owner: HR

4.71.2 Standard References

NIST: IA-2

GLBA: Draft

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.8,12.6,12.6.1

4.71.3 Standard

All new organization employees will receive appropriate security training before being provided with account credentials that would allow access to organizational information systems.

4.72 Identiﬁcation and Authentication (Organizational Users)

4.72.1 Standard Owner: HR

4.72.2 Standard References

NIST: IA-2

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.1.1, 8.2, 8.5,12.5.3

4.72.3 Standard

Each user and system account will have a unique user ID. Every account will be required to have a password. Shared accounts are prohibited. All exceptions must be approved by the Director of Network Services and Information Security.

4.73 Identiﬁcation and Authentication (Organizational Users)

4.73.1 Standard Owner: Tech Services

4.73.2 Standard References

NIST: IA-2

GLBA: On Hold

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.5,12.5.3

4.73.3 Standard

Group accounts will not be used. All exceptions must be approved by the CSO.

4.74 Identiﬁcation and Authentication (Organizational Users)

4.74.1 Standard Owner: Tech Services

4.74.2 Standard References

NIST: IA-2

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.2.6

4.74.3 Standard

To the extent practicable, all new user accounts will have a randomly generated ﬁrst time password.

4.75 Identiﬁcation and Authentication (Organizational Users)

4.75.1 Standard Owner: HR

4.75.2 Standard References

NIST: IA-2

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.5.1,12.5.3

4.75.3 Standard

Authentication credentials and methods will not be shared or revealed to others. Sharing an authentication method means the authorized user assumes responsibility for actions that another party takes with the disclosed method.

4.76 Identiﬁer Management

4.76.1 Standard Owner: Tech Services

4.76.2 Standard References

NIST: IA-4

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 12.5.3

4.76.3 Standard

User IDs will be unique to individuals.

4.77 Authenticator Management

4.77.1 Standard Owner: Tech Services

4.77.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.6

4.77.3 Standard

Where practicable, initial use of an account, a password reset will be required. For this password reset, the user will be authenticated by a combination of unique information provided by the individual and information provided by Clarkson University

4.78 Authenticator Management

4.78.1 Standard Owner: Tech Services

4.78.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS:

Standard

User IDs and passwords will never be distributed in the same communication

4.79 Authenticator Management

4.79.1 Standard Owner: Tech Services

4.79.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.2

4.79.3 Standard

A formal, documented process for authenticating identities will exist for users needing a password reset

4.80 Authenticator Management

4.80.1 Standard Owner: Tech Services

4.80.2 Standard References

NIST: IA-5

GLBA: On Hold

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.4

4.80.3 Standard

Passwords will be changed every 180 days. Accounts used to process, transmit, or store credit cardholder data will be changed every 60 days.

4.81 Authenticator Management

4.81.1 Standard Owner: Tech Services

4.81.2 Standard References

NIST: IA-5

GLBA: Draft

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.5

4.81.3 Standard

Passwords will not be allowed to be re-used based on the previous 20 passwords which were used prior to the password reset.

4.82 Authenticator Management

4.82.1 Standard Owner: Tech Services

4.82.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.3

4.82.3 Standard

Passwords will conform to a minimal complexity standard. That standard mandates a mix of numeric, alphabetical, and special characters. Passwords will be a minimum length of 10 characters

4.83 Authenticator Management

4.83.1 Standard Owner: Tech Services

4.83.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.3

4.83.3 Standard

Passwords will not be based on something that can be easily guessed or obtained using personal information (e.g., names, favorite sports team, etc.)

4.84 Authenticator Feedback

4.84.1 Standard Owner: Tech Services

4.84.2 Standard References

NIST: IA-6

GLBA: Eﬀective

ISO27001: A.9.4.2

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS:

4.84.3 Standard

All password and PIN based authentication systems will be masked, suppressed, or otherwise obscured so that unauthorized persons are not able to observe them

4.85 Cryptographic Module Authentication

4.85.1 Standard Owner: Tech Services

4.85.2 Standard References

ISO27001: --

HIPAA:

PCI-DSS:

4.90.3 Standard

Service accounts will be requested and provisioned via the Access Control Procedure.

4.91 Adaptive Identiﬁcation and Authentication

4.91.1 Standard Owner: Tech Services

4.91.2 Standard References

NIST: IA-10

GLBA: Validate GDPR: ISO27001: -- HIPAA:

PCI-DSS: 8.1.5, 8.3

4.91.3 Standard

Two-factor authentication is required for:

Where supported by the system, all Privileged User access
All use of the VPN
All remote access to systems processing credit card information (PCI-DSS Requirement)

4.92 Policy & Procedures

4.92.1 Standard Owner: Information Security

4.92.2 Standard References

NIST: IR-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(6)(i)

PCI-DSS: 11.1.2,12.1,12.1.1,12.5.3 12.10.1

4.92.3 Standard

The organization will:

Develop, document, and disseminate incident response standards and an incident response plan that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
Develop and document a process for escalating reported incidents (e.g., automated, non-automated, service providers) in accordance with the Incident Response Plan
Develop procedures to facilitate the implementation of these
Review and update this policy and associated procedures, at a minimum,

4.93 Information Security

4.93.1 Standard Owner: Information Security

4.93.2 Standard References

NIST: IR-2

GLBA: On Hold

ISO27001: A.7.2.2* HIPAA: 164.308(a)(6)(i) PCI-DSS: 12.10.4

4.93.3 Standard

Regular training and awareness will be provided for organization workforce members who have been assigned a role in the Incident Response Plan or Incident Response Procedures

4.94 Incident Response Plan Testing

4.94.1 Standard Owner: Information Security

4.94.2 Standard References

NIST: IR-3

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(6)(i)

PCI-DSS: 12.10.2

4.94.3 Standard

The Incident Response Plan and Incident Response Procedures will be tested annually.

4.95 SIRT: authority to operate

4.95.1 Standard Owner: Information Security

4.95.2 Standard References

NIST: IR-4

GLBA: Eﬀective

ISO27001: A.16.1.4, A.16.1.5, A.16.1.6

HIPAA: 164.308(a)(6)(ii)

PCI-DSS: 11.1.2

4.95.3 Standard

When responding to an incident, the Security Incident Response Team (SIRT) will take all appropriate actions to ensure that the conﬁdentiality, integrity, and availability of organization information systems has not been compromised. Such actions can include, but are not limited to, temporarily removing an information system from the organization network, or blocking the building in which the incident occurred, requesting access to an information system or viewing data.

4.96 Monitoring & tracking incidents

4.96.1 Standard Owner: Information Security

4.96.2 Standard References

NIST: IR-5

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)

PCI-DSS: 12.10.6

4.96.3 Standard

The organization will have mechanisms for quantifying and monitoring the types, volumes and costs of security incidents. This information should be used to identify the need for improved or additional security controls

4.97 Security event escalation

4.97.1 Standard Owner: Information Security

4.97.2 Standard References

NIST: IR-6

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)

PCI-DSS: 11.1.2

4.97.3 Standard

Security events identiﬁed through logging and monitoring services will be escalated in accordance with Incident Response Procedures

4.98 Response to alarms

4.98.1 Standard Owner: Information Security

4.98.2 Standard References

NIST: IR-6

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii), 164.314(a)(2)(i)

PCI-DSS: 12.10.5

4.98.3 Standard

Incident Response Procedures will address the occurrence of alarms and appropriate escalation.

4.99 Compromised credentials

4.99.1 Standard Owner: Information Security

4.99.2 Standard References

NIST: IR-6

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)

PCI-DSS: 12.10, 12.10.1

4.99.3 Standard

The loss, theft, or inappropriate use of organization access credentials (e.g., passwords, FOBs or security tokens), assets (e.g., laptop, cell phones), or information will be reported to the IT Help Desk

4.100 Security Incident Response Plan (SIRP)

4.100.1 Standard Owner: Information Security

4.100.2 Standard References

NIST: IR-8

GLBA: Eﬀective

ISO27001: A.16.1.1

HIPAA:

PCI-DSS: 11.1.2, 12.10, 12.10.1, 12.10.3

4.100.3 Standard

The organization will have a formal, documented process for quickly and eﬀectively detecting and responding to security incidents that may impact the conﬁdentiality, integrity, or availability of organization information systems. At a minimum, the process will include the following:

A security incident response team (SIRT), whose membership may vary depending on the security

Formal procedure enabling organization workforce members to report a security incident to appropriate persons including potential reporting to the organization Security Oﬃcer.
Formal process for analyzing and identifying the cause(s) of a security
References to emergency access procedures
Formal process for activation of the
Formal procedure for communication with all organization workforce members aﬀected by or responding to a security incident.
Formal procedure for collecting evidence of a security
Formal mechanisms for evaluating security incidents and implementing appropriate mitigations to prevent further recurrence.
Data breach protocols
Quantifying incident types and frequency
Designating speciﬁc personnel who receive alerts on a 24/7 basis

4.101 Information Security

4.101.1 Standard Owner: Information Security

4.101.2 Standard References

NIST: IR-9

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS:

4.101.3 Standard

Standard templates for breach notiﬁcation will be developed and maintained.

4.102 SIRT membership roster

4.102.1 Standard Owner: Information Security

4.102.2 Standard References

NIST: IR-10

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 12.1,12.1.1,12.10.1

4.102.3 Standard

The SIRT will be deﬁned in the Incident Response Plan, and updated at a minimum, annually.

4.103 System Maintenance Policy and Procedures

4.103.1 Standard Owner: IT

4.103.2 Standard References

NIST: MA-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(a)(2)(iv)

PCI-DSS: 12.1, 12.1.1

4.103.3 Standard

The organization will:

Develop, document, and disseminate maintenance standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.109.2 Standard References

NIST: MP-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(d)(1)

PCI-DSS: 12.1, 12.1.1

4.109.3 Standard

The organization will

Develop, document, and disseminate media protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.110 Media Access

4.110.1 Standard Owner: Information Technology

4.110.2 Standard References

NIST: MP-2

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.308(a)(3)(ii)(A) , 164.310(c), 164.310(d)(1), 164.312(c)(1)

PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5

4.110.3 Standard

It is prohibited to store any information that is not Clarkson-Public on home computers or personal devices.

4.111 Media Marking

4.111.1 Standard Owner: Information Technology

4.111.2 Standard References

NIST: MP-3

GLBA: On Hold

ISO27001: A.8.2.2

HIPAA: 164.310(c), 164.310(d)(1)

PCI-DSS: 9.6.1

4.111.3 Standard

All organization information will be classiﬁed and marked in accordance with the Data Classiﬁcation Policy

4.112 Media Storage

4.112.1 Standard Owner: Information Technology

4.112.2 Standard References

NIST: MP-4

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS: 3.1,4.2

4.112.3 Standard

The writing or storage of information classiﬁed as 'Clarson Private' on personal-liable mobile devices (phones, tablets, USB drives) and removable media is prohibited.

4.113 Media Storage

4.113.1 Standard Owner: Information Technology

4.113.2 Standard References

NIST: MP-4

GLBA: On Hold

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS:

4.113.3 Standard

4.117 Media Storage

4.117.1 Standard Owner: Information Technology |

4.117.2 Standard References

NIST: MP-4

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS: 9.5,9.5.1

4.117.3 Standard

All backups of electronic Non-Public Information, in storage, will be encrypted. All backups of non-electronic Non-Public Information, in storage, will be physically secured.

4.118 Media Transport

4.118.1 Standard Owner: Information Technology |

4.118.2 Standard References

NIST: MP-5

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS: 4.2

4.118.3 Standard

Transmission of Non-Clarkson-Public Information by non-corporate messaging technologies (for example, personal e-mail, instant messaging, SMS, chat, etc.) is prohibited.

4.119 Media Transport

4.119.1 Standard Owner: Information Technology |

4.119.2 Standard References

NIST: MP-5

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS:

4.119.3 Standard

Removable media used for backups will be kept secure while in transit

4.120 Media Transport

4.120.1 Standard Owner: Information Technology |

4.120.2 Standard References

NIST: MP-5

GLBA: On Hold

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS: 9.6.3

4.120.3 Standard

All movement of organization information systems and media containing Non-Public Information into and out the facilities must be authorized

4.121 Media Transport

4.121.1 Standard Owner: Information Technology |

4.121.2 Standard References

NIST: MP-5

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS: 9.6.2

4.121.3 Standard

All media containing Non-Clarkson-Public Information that will be mailed oﬀsite will be transported using a secure carrier or via an encrypted device.

4.122 Media Transport

4.122.1 Standard Owner: Information Technology |

4.122.2 Standard References

NIST: MP-5

GLBA: On Hold

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS: 9.6.3

4.122.3 Standard

Only authorized roles may approve distribution, or receipt of any information system or media containing Non-Public Information outside organization’s premises. Such authorization will be tracked and logged. At a minimum, such tracking and logging will provide the following information:

Date and time of movement of system or media
Brief description of person using or sending Non-Public Information on system or media
Brief description of where Non-Public Information is to be sent or how used
Name of person authorizing such transaction

4.123 Media Sanitization

4.123.1 Standard Owner: Information Technology |

4.123.2 Standard References

NIST: MP-6

GLBA: Draft

ISO27001: A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7

HIPAA: 164.310(d)(1), 164.310(d)(2)(i), 164.310(d)(2)(ii)

PCI-DSS: 3.1, 9.8, 9.8.1, 9.8.2

4.123.3 Standard

All Non-Public Information must be destroyed in a manner compliant with NIST 800-88 or utilizing a NAID certiﬁed supplier. Documented procedures for destroying Non-Public Information must address:

The destruction of data when storage media is end-of-life or has failed
When retention schedules have been met

Develop, document, and disseminate personnel security standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards on a one-year
Review and update these procedures, as-needed.

4.131 Position Risk Designation

4.131.1 Standard Owner: HR

4.131.2 Standard References

NIST: PS-2

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(3)(ii)(B)

PCI-DSS:

4.131.3 Standard

The organization will assign a Risk Designation to all departments.

4.132 Position Risk Designation

4.132.1 Standard Owner: HR

4.132.2 Standard References

NIST: PS-2

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(3)(ii)(B)

PCI-DSS: 12.6.2, 12.7

4.132.3 Standard

When deﬁning a position, the organization human resources department and the hiring manager will assign a Risk Designation and identify the security responsibilities and supervision required for the position. Security responsibilities include general responsibilities for implementing or maintaining security, as well as any speciﬁc responsibilities for the protection of the conﬁdentiality, integrity, or availability of organization information systems or processes

4.133 Personnel Screening

4.133.1 Standard Owner: HR

4.133.2 Standard References

NIST: PS-3

GLBA: On Hold

ISO27001: A.7.1.1

HIPAA:

PCI-DSS: 12.6.2

4.133.3 Standard

Based on risk designation, workforce members will be properly screened, trained, and acknowledge compliance with policies, procedures, and agreements prior to obtaining access to organization Non-Public Information or organization secure areas.

4.134 Personnel Screening

4.134.1 Standard Owner: HR

4.134.2 Standard References

NIST: PS-3

GLBA: Eﬀective

ISO27001: A.7.1.1

HIPAA: 164.308(a)(3)(ii)(B)

PCI-DSS: 12.7

4.134.3 Standard

Background veriﬁcation checks will be performed on employees and contractors prior to accessing protected or sensitive information. Background checks will be carried out in accordance with relevant laws, regulations, company policies, and ethics. The extent and type of screening will be based on Risk Designation. This includes:

Veriﬁcation of legal authority to work in the United States,
Review of an individual record of criminal conviction history in all counties for all addresses provided in which the individual resided or worked for more than 30 days within the past seven years to ensure personnel have not been convicted of

a felony oﬀense within the past seven (7) years; or
any misdemeanor related to violent crimes, property oﬀense, substance abuse, or fraud. Criminal conviction history checks include a review of all federal, state and local criminal conviction records; and
- Veriﬁcation that no personnel are listed on the Oﬃce of Inspector General (OIG) sanction and disqualiﬁcation Background veriﬁcation checks will also be performed prior to employee change in status, when necessary.

(Note: For purposes of these guidelines, the term “Criminal Conviction” includes probation, deferred adjudication and no contest pleas.

4.135 Personnel Termination

4.135.1 Standard Owner: HR

4.135.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS: 8.1.3

4.135.3 Standard

When workforce members provide advance notice of their intention to leave organization employment, the human resources department and the immediate manager will give notice to the persons or departments responsible for organization information system privileges granted the departing workforce member. Receipt and response to such notices will be tracked and logged. At a minimum, such tracking and logging will provide the following information:

Date and time notice of employee departure received
Date of planned employee departure
Brief description of access to be terminated
Date, time, and description of actions taken

4.136 Personnel Termination

4.136.1 Standard Owner: HR

4.136.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS: 9.2

4.136.3 Standard

When workforce members depart from organization, they will return all organization supplied equipment by the time of departure. Such equipment includes, but is not limited to:

Assigned computing assets
Name tags or name identiﬁcation badges Building, desk or oﬃce keys
Access cards
Security tokens

4.137 Personnel Termination

4.137.1 Standard Owner: HR

4.137.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS:

4.137.3 Standard

The return of all equipment will be tracked and logged. At a minimum, such tracking and logging will provide the following information:

Date and time
Work force member’s name
Brief description of returned items

4.138 Personnel Termination

4.138.1 Standard Owner: HR

4.138.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS:

4.138.3 Standard

If a departing workforce member has used cryptography on organization data, they will make the cryptographic keys available to appropriate management

4.139 Personnel Termination

4.139.1 Standard Owner: HR

4.139.2 Standard References

NIST: PS-4

GLBA: Eﬀective

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS: 7.1,7.1.2,7.1.3,8.1.3

4.139.3 Standard

When the employment of organization workforce members or service provider ends, accounts granting access to organization information will be disabled within 24 hours of leaving employment for staﬀ and 90 days of leaving employment for faculty.

4.140 Personnel Termination

4.140.1 Standard Owner: HR

4.140.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS:

4.140.3 Standard

Separation agreements, acknowledging a terminated workforce members responsibilities for not retaining, distributing, or removing from organization premises any organization information will be signed by terminated employees

4.141 Personnel Termination

4.141.1 Standard Owner: HR

4.141.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS:

4.141.3 Standard

When organization workforce members’ employment ends, their computers’ resident ﬁles will be promptly reviewed by their immediate supervisors to determine the appropriate transfer or disposal of any Non-Public Information

4.142 Personnel Transfer

4.142.1 Standard Owner: HR

4.142.2 Standard References

NIST: PS-5

GLBA: Eﬀective

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS: 7.1,7.1.2,7.1.3,8.1.3

4.142.3 Standard

HR will notify IT and Facilities when workforce have transferred to new job roles or function. Access reviews will be performed to conﬁrm ongoing operational need for current logical and physical access.

4.143 Access Agreements

4.143.1 Standard Owner: HR

4.143.2 Standard References

NIST: PS-6

GLBA: Eﬀective

ISO27001: A.7.1.2, A.7.2.1, A.13.2.4

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(B), 164.310(d)(2)(iii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 4.2

4.143.3 Standard

All users will agree to the Acceptable Use Policy as a condition for access to the organization's systems.

4.144 Access Agreements

4.144.1 Standard Owner: HR

4.144.2 Standard References

NIST: PS-6

GLBA: Eﬀective

ISO27001: A.7.1.2, A.7.2.1, A.13.2.4

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(B), 164.310(d)(2)(iii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 4.2

4.144.3 Standard

Where deemed by management, all organization employees will sign a “conditions of employment” document that aﬃrms their responsibility for the protection of the conﬁdentiality, integrity, or availability of organization information systems and processes. The document will include the sanctions that may be applied if employees do not meet their responsibilities

4.145 Third-Party Personnel Security

4.145.1 Standard Owner: HR

4.145.2 Standard References

NIST: PS-7

GLBA: Eﬀective

ISO27001: A.6.1.1*, A.7.2.1*

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 12.8.2,12.8.3,12.8.4,12.8.5

4.145.3 Standard

When job candidates are provided via an agency, organization contract with the agency will clearly state the agency’s responsibilities for reviewing the candidates’ backgrounds

4.146 Third-Party Personnel Security

4.146.1 Standard Owner: HR

4.146.2 Standard References

NIST: PS-7

GLBA: Eﬀective

ISO27001: A.6.1.1*, A.7.2.1*

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 12.8.2,12.8.3,12.8.4,12.8.5

4.146.3 Standard

All contracts with staﬃng agencies who will access, process, or transmit Non-Public Information or have reasonable access to Non-Public Information will clearly state the service provider’s responsibilities for reviewing the candidates backgrounds

4.147 Third-Party Personnel Security

4.147.1 Standard Owner: HR

4.147.2 Standard References

NIST: PS-7

GLBA: Eﬀective

ISO27001: A.6.1.1*, A.7.2.1*

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 4.2,12.8.2

4.147.3 Standard

All organization workforce members who access organization information systems containing Non-Public Information will sign a conﬁdentiality agreement in which they agree not to provide Non-Public Information or to discuss Non-Public Information to which they have access to unauthorized persons. Conﬁdentiality agreements will be reviewed and signed annually by organization workforce members who access organization information systems containing Non-Public Information.

4.148 Third-Party Personnel Security

4.148.1 Standard Owner: Compliance

4.148.2 Standard References

NIST: PS-7

GLBA: Draft

ISO27001: A.6.1.1*, A.7.2.1*

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 12.8.2

4.148.3 Standard

If a service provider handles organization Non-Public Information and has any change to its policies and standards or cannot comply with organization policies and standards, that party will notify the organization.

4.149 Personnel Sanctions

4.149.1 Standard Owner: HR

4.149.2 Standard References

NIST: PS-8

GLBA: Eﬀective

ISO27001: A.7.2.3

HIPAA: 164.308(a)(1)(ii)

PCI-DSS: 4.2,12.8.2

4.149.3 Standard

Organization workforce members will comply with all applicable security standards and procedures. Failure to comply with these policies, may result in implementation of progressive discipline process.

4.150 Personnel Sanctions

4.150.1 Standard Owner: HR

4.150.2 Standard References

NIST: PS-8

GLBA: Eﬀective

ISO27001: A.7.2.3

HIPAA:

PCI-DSS: 4.2

4.150.3 Standard

The organization will have a formal, documented sanctions process for applying appropriate sanctions against workforce members who do not comply with its security policies and procedures. At a minimum, the process will include:

Procedures for detecting and reporting workforce members’ non-compliance with organization security policies and
Identiﬁcation and deﬁnition of levels of sanctions, including their relative
Identiﬁcation of cause and rationale for issuing of

A deﬁned, formal method for evaluating the severity of non-compliance with the organization’s security policies and procedures

4.151 Personnel Sanctions

4.151.1 Standard Owner: HR

4.151.2 Standard References

NIST: PS-8

GLBA: Eﬀective

ISO27001: A.7.2.3

HIPAA:

PCI-DSS: 4.2

4.151.3 Standard

Sanctions can include but are not limited to:

Suspension
Required retraining
Letter of reprimand
Termination

4.152 Physical and Environmental Protection Policy and Procedures

4.152.1 Standard Owner: IT; | Safety Team

4.152.2 Standard References

NIST: PE-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)

PCI-DSS: 12.1, 12.1.1

4.152.3 Standard

The organization will:

Develop, document, and disseminate physical and environmental protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of this
Review and update this policy and associated procedures, at a minimum,
Implement appropriate property signage; placement will be in compliance with local

4.156 Physical Access Authorizations

4.156.1 Standard Owner: Information Security

4.156.2 Standard References

NIST: PE-2

GLBA: Eﬀective

ISO27001: A.11.1.2* HIPAA: 164.310(a)(1) PCI-DSS:

4.156.3 Standard

A list of those who have access to organization equipment (facilities that house information systems, or the systems themselves) will be developed and maintained internally and shared with FSI Committee. This list will be regularly reviewed, especially after any terminations.

4.157 Physical Access Authorizations

4.157.1 Standard Owner: Information Security

4.157.2 Standard References

NIST: PE-2

GLBA: Eﬀective

ISO27001: A.11.1.2*

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii)

PCI-DSS: 9.1

4.157.3 Standard

All access to organization data centers will:

Be tracked and reviewed Director of Network Services and Information Security
Have access requests documented and retained for audit (1 year minimum)
Be revoked promptly upon termination, or on notice of lengthy absence

Locating workstations and peripheral devices (printer, modem, scanner, ) in secured areas not accessible to unauthorized persons.
Positioning monitors or shielding workstations so that data shown on the screen is not visible to unauthorized

Access to a holding area from outside of the building will be restricted to identiﬁed and authorized
The holding area will be designed so that supplies can be unloaded without delivery staﬀ gaining access to other parts of the building.
The external door(s) of a holding area will be secured when the internal door is

4.168 Access Control for Transmission Medium

4.168.1 Standard Owner: IT

4.168.2 Standard References

NIST: PE-4

GLBA: Eﬀective

ISO27001: A.11.1.2, A.11.2.3

HIPAA: 164.310(a)(1), 164.310(c)

PCI-DSS: 9.1.3

4.168.3 Standard

Where possible, data connections to the server rooms or communication closets will be secured as much as possible. Tap points will be keyed to minimize access.

4.169 Access Control for Output Devices

4.169.1 Standard Owner: IT

4.169.2 Standard References

NIST: PE-4

GLBA: Eﬀective

ISO27001: A.11.1.2, A.11.2.3

HIPAA: 164.310(a)(1), 164.310(c)

PCI-DSS: 9.1.2

4.169.3 Standard

Where possible, physical access to publicly accessible network jacks will be restricted.

4.170 Access Control for Output Devices

4.170.1 Standard Owner: IT

4.170.2 Standard References

NIST: PE-5

GLBA: Eﬀective

ISO27001: A.11.1.2, A.11.2.3

HIPAA: 164.310(a)(1), 164.310(b), 164.310(c)

PCI-DSS: 9.5, 9.6

4.170.3 Standard

Printers and other output devices which produce sensitive data will be located in secured or monitored areas and printed output will be picked up as soon as possible, to the extent practicable.

4.171 Monitoring Physical Access

4.171.1 Standard Owner: Information Security

4.171.2 Standard References

NIST: PE-6

GLBA: On Hold

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS: 9.5,9.6.3

4.171.3 Standard

Equipment used to store, process or transmit non-public information (not including mobile devices and removable media) will not be taken oﬀ site without prior authorization by Information Security. An authorization procedure will be developed by Information Security should an exception be required.

4.172 Monitoring Physical Access

4.172.1 Standard Owner: Facilities; | IT |

4.172.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.172.3 Standard

Any malfunction or break in an alarm connection will be automatically reported as a device trouble alarm. Alarms will be tested annually and the results of those tests documented and retained

4.173 Monitoring Physical Access

4.173.1 Standard Owner: Facilities; | IT |

4.173.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS: 9.1.1

4.173.3 Standard

Video cameras or access control mechanisms will be employed to record and review individual physical access to secure areas

4.174 Monitoring Physical Access

4.174.1 Standard Owner: Information Security

4.174.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS: 9.1.1

4.174.3 Standard

Where practicable, video collected on digital recorders will be retained for at least 30 days. When a security event that requires further investigation has been recorded, the video will be copied and secured while awaiting action by the CSO.

4.175 Monitoring Physical Access

4.175.1 Standard Owner: Information Security

4.175.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.175.3 Standard

Door-held-open alarms will be installed and monitored on all data center doors.

4.176 Monitoring Physical Access

4.176.1 Standard Owner: Information Security

4.176.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.176.3 Standard

All access to organization data centers will:

Be approved in writing by Director of Network Services and Information Security
Have access requests documented and retained for audit (1 year minimum)
Be reviewed annually by Director of Network Services and Information Security

Be required to sign in, noting date, time, primary organization contact, company they are with, who their primary contact is, and business justiﬁcation for the visit. This log will be retained for audit purposes
Provide proof of identity, which will be veriﬁed
Escorted in and out and monitored at all times
Required to wear a badge identifying them as a visitor (and not a workforce member)
Will have their access revoked once it is no longer needed
Be required to surrender their badge upon leaving the facility

4.194 Location of Information system components

4.194.1 Standard Owner: Facilities; | IT |

4.194.2 Standard References

NIST: PE-18

GLBA: Eﬀective

ISO27001: A.8.2.3, A.11.1.4, A.11.2.1

HIPAA: 164.310(c)

PCI-DSS:

4.194.3 Standard

Raised ﬂoor environments will have barriers designed to prevent someone from gaining access through spaces under the ﬂoor, including under ramps and stairs

4.195 Security Planning Policy and Procedures

4.195.1 Standard Owner: Information Security

4.195.2 Standard References

NIST: PL-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.316(a)

PCI-DSS: 12.1, 12.1.1

4.195.3 Standard

The organization will:

Develop, document, and disseminate security planning standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.196 System Security Plan

4.196.1 Standard Owner: Information Security

4.196.2 Standard References

NIST: PL-2

GLBA: On Hold

ISO27001: A.14.1.1

HIPAA: 164.310(a)(2)(ii), 164.316(a), 164.316(b)(1)

PCI-DSS: 1.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.8, 9.10, 10.8,11.1.2, 11.6, 12.1, 12.1.1,12.10.1, 12.4

4.202.3 Standard

The organization will:

Develop and disseminate information security program standards and a description of the security program management controls and common controls in place or planned for meeting those
Establish and maintain organizational policies, standards, and procedures to address all relevant statutory and regulatory requirements, and ensure and support the conﬁdentiality, integrity, and availability of its information
Make relevant policies, standards, and procedures readily available to all eﬀected
Conduct a periodic formal review of policies, standards, and procedures for security and update them, at a minimum, annually.

4.203 Senior Information Security Oﬃcer

4.203.1 Standard Owner: Information Security

4.203.2 Standard References

NIST: PM-2

GLBA: Eﬀective

ISO27001: A.6.1.1*

HIPAA:

PCI-DSS: 12.5, 12.5.1, 12.5.2, 12.5.3, 12.5.4, 12.5.5

4.203.3 Standard

The organization will appoint a Chief Security Oﬃcer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. Responsibilities will include:

Development, maintenance, and distribution of policies and procedures
Ensuring responsibilities and assignment for monitoring alerts and responding to incidents is performed
Development, maintenance, and implementation of a security incident response
Ensure access control processes are deﬁned and implemented
Ensure all access control processes are monitored

4.204 Risk Management Strategy

4.204.1 Standard Owner: Information Security

4.204.2 Standard References

NIST: PM-9

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 2.4, 7.2.1,9.7 9.7.1, 9.9.1, 11.1.1, 12.2

4.204.3 Standard

The organization will conduct an organization-wide inventory to identify all of its information systems and electronic media that contain Non-public Information. Inventory results will be documented and stored in a secure manner, e.g., on a computer with appropriate ﬁle access permissions or in a locked drawer.

4.205 Risk Management Strategy

4.205.1 Standard Owner: Information Security

4.205.2 Standard References

NIST: PM-9

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 12.2

4.205.3 Standard

The organization will manage risk on a continuous basis and implement necessary security measures to ensure the conﬁdentiality, integrity, and availability of information systems containing Non-public Information. A risk assessment will be performed, at a minimum, annually. Strategies for managing risk should be commensurate with the risks to such systems. One or more of the following methods may be used to manage risk:

Risk acceptance
Risk avoidance
Risk mitigation
Risk transference

4.206 Risk Management Strategy

4.206.1 Standard Owner: Information Security

4.206.2 Standard References

NIST: PM-9

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS:

4.206.3 Standard

The organization will implement security measures that reduce the risks to its information systems containing Non-public Information to reasonable and appropriate levels. Selection and implementation of such security measures will be based on a formal, documented risk management process.

4.207 Risk Management Strategy

4.207.1 Standard Owner: Information Security

4.207.2 Standard References

NIST: PM-9

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 6.2, 11.3.3,11.3.2, 11.3.4

4.207.3 Standard

Non-compliance with any organization policy or standard will be documented (as an exception), reviewed, and addressed where possible. Documented exceptions will include:

The policy or standard where non-compliance may exist
The speciﬁc non-compliant situation, service, or process
The operational risk introduced by the gap
Any current controls which may partially mitigate the risk
If remediated, a corrective action plan (CAP) with a respective owner
The acceptance of the risk and remediation plans

4.208 Risk Management Strategy

4.208.1 Standard Owner: Information Security

4.208.2 Standard References

NIST: PM-9

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7, 12.8.3

4.208.3 Standard

The organization will manage the security state of organizational information systems and the environments in which those systems operate through the security authorization processes. The Information Security Oﬃcer will be responsible for ensuring the performance of a risk assessment when appropriate for new services/capabilities/technologies before they can be implemented into production.

4.209 Risk Assessment Policy and Procedures

4.209.1 Standard Owner: Information Security

4.209.2 Standard References

NIST: RA-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(1)(i), 164.316(a)

PCI-DSS: 12.1, 12.1.1,12.8,12.8.1,12.8.2,12.8.3,12.8.4

4.209.3 Standard

The organization will:

Develop, document, and disseminate risk assessment standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

Assessment and prioritization of risks to organization information systems containing Non-public
Selection and implementation of reasonable, appropriate, and cost-eﬀective security measures to manage, mitigate, or accept identiﬁed
Review, prior to implementation, of all critical systems or services
Review, prior to implementation, credit card processing capabilities to a new or existing system

Signiﬁcant security incidents to speciﬁc organization information systems containing Non-public
Signiﬁcant new threats or risks to speciﬁc organization information systems containing Non-public
Signiﬁcant changes to the organizational or technical infrastructure that aﬀect speciﬁc organization information systems containing Non-public
Signiﬁcant changes to information security requirements or responsibilities that aﬀect speciﬁc organization information systems containing Non-public

4.217 Vulnerability Scanning

4.217.1 Standard Owner: Information Security

4.217.2 Standard References

NIST: RA-5

GLBA: Eﬀective

ISO27001: A.12.6.1*

HIPAA:

PCI-DSS: 6.1, 6.3, 11.2, 11.2.3, 6.3.2, 6.5, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 11.2, 11.2.1,

11.2.2

4.217.3 Standard

4.220.3 Standard

Before a new system is brought online, a security scan will be performed. In addition to this security scan, any information that needs to be incorporated into DR/BCP will need to be created. Also, a backup plan for the data on the system will be created

4.221 Security Assessment and Authorization Policies and Procedures

4.221.1 Standard Owner: IT

4.221.2 Standard References

NIST: CA-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(8)

PCI-DSS: 12.1, 12.1.1

4.221.3 Standard

The organization will:

Develop, document, and disseminate security assessment and authorization standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.222 Penetration Testing

4.222.1 Standard Owner: IT

4.222.2 Standard References

NIST: CA-8

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 11.3, 11.3.2, 11.3.4

4.222.3 Standard

A network PEN test will be performed, at a minimum annually, on all external-facing systems. PEN tests must utilize industry-accepted standards (e.g., NIST SP800-115) and must be performed by qualiﬁed personnel.

4.223 Penetration Testing

4.223.1 Standard Owner: IT

4.223.2 Standard References

NIST: CA-8

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS:

4.223.3 Standard

An annual Physical PEN test will be performed for all datacenters. PEN tests must utilize industry-accepted standards (e.g., NIST SP800-115). The risk assessment report will place organization information systems containing non-Public Information into deﬁned categories of risk such as:

Highly Sensitive – areas where large amounts of non-Public Information are stored and Access to such areas requires security controls such as card keys, visitor escort, and login sheets.
Sensitive – areas that have a high concentration of patients and/or visitors and terminals that access non-Public Information.

4.224 Penetration Testing

4.224.1 Standard Owner: IT

4.224.2 Standard References

NIST: CA-8

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS: 6.6, 11.3.1

4.224.3 Standard

For public-facing web applications that are storing, processing, or transmitti ng non-Public Information, an application PEN test will be performed at least annually and after any signiﬁcant change. PEN tests must utilize industry-accepted standards (e.g., NIST SP800-115) and must be performed by qualiﬁed personnel.

4.225 System and Communications Protection Policy and Procedures

4.225.1 Standard Owner: IT

4.225.2 Standard References

NIST: SC-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA:

PCI-DSS: 12.1, 12.1.1

4.225.3 Standard

The organization will:

Develop, document, and disseminate system and communications protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.226 Application Partitioning

4.226.1 Standard Owner: IT

4.226.2 Standard References

NIST: SC-2

GLBA: Eﬀective GDPR: ISO27001: -- HIPAA:

PCI-DSS: 1.1.7

4.233.3 Standard

Depending on PCI SAQ level, for PCI environments, a router and ﬁrewall review will be conducted, at a minimum, every 12 months. For non-PCI information, a router and ﬁrewall review will be conducted, at a minimum, annually.

4.234 Transmission Conﬁdentiality and Integrity

4.234.1 Standard Owner: IT

4.234.2 Standard References

NIST: SC-8

GLBA: Validate

ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3

HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

PCI-DSS: 1.1.2, 1.1.3

4.234.3 Standard

A network diagram that identiﬁes all connections between the cardholder data environment and other networks will be created and maintained. This diagram will include data ﬂow of credit cardholder data.

4.235 Transmission Conﬁdentiality and Integrity

4.235.1 Standard Owner: IT

4.235.2 Standard References

NIST: SC-8

GLBA: Eﬀective

ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3

HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

PCI-DSS: 1.3.8

4.235.3 Standard

Private IP addresses and routing information will not be disclosed to unauthorized parties. Such techniques as Network Address Translation (NAT), proxies, removal of route advertisements, etc. will be employed

4.236 Transmission Conﬁdentiality and Integrity

4.236.1 Standard Owner: IT

4.236.2 Standard References

NIST: SC-8

GLBA: Validate

ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3

HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

PCI-DSS: 1.3,1.3.3,1.3.6,1.3.7

4.236.3 Standard

Depending on the PCI SAQ level, system components that store cardholder data (such as a database or webserver) will be placed in an internal network zone, segregated from the DMZ and other untrusted networks.

4.237 Transmission Conﬁdentiality and Integrity

4.237.1 Standard Owner: IT

4.237.2 Standard References

NIST: SC-8

GLBA: Validate

ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3

HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

PCI-DSS: 1.2.3, 2.1.1, 4.1, 4.1.1

4.237.3 Standard

Wireless networks are prohibited from transmitti ng credit cardholder data.

Transmission Conﬁdentiality and Integrity

4.237.4 Standard Owner: IT

4.237.5 Standard References

NIST: SC-8

GLBA: Eﬀective

ISO27001: A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3

HIPAA: 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)

PCI-DSS: 2.3, 8.2.1

4.237.6 Standard

Transmission of all non-console administrative access will be encrypted.

4.238 Cryptographic Key Establishment and Management

4.238.1 Standard Owner: IT

4.238.2 Standard References

NIST: SC-12

GLBA: Eﬀective

ISO27001: A.10.1.2

HIPAA: 164.312(e)(2)(ii)

PCI-DSS: 3.5, 3.5.1, 3.5.2, 3.5.3, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7,4.1

4.238.3 Standard

Cryptographic key management procedures will be developed and maintained. The organization will protect all of its cryptographic keys against modiﬁcation and destruction; its secret and private keys will be protected against unauthorized disclosure. Cryptographic procedures will address, at a minimum:

A procedure for generating keys for diﬀerent cryptographic systems
A procedure for distributing keys to intended users and then activating them
A procedure for enabling authorized users to access stored keys
A procedure for changing and updating keys
A procedure for revoking keys
A procedure for recovering keys that are lost or corrupted
A procedure for archiving keys
Appropriate logging and auditing of cryptographic key management

4.241.3 Standard

Wherever possible, encrypted data paths will be used both to protect data in transmission and verify the remote hosts validity. All transmissions of authentication information and non-Public Information will be encrypted.

4.242 Cryptographic Protection

4.242.1 Standard Owner: IT

4.242.2 Standard References

NIST: SC-13

GLBA: Validate

ISO27001: A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5

HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)

PCI-DSS: 2.2.3, 4.1

4.242.3 Standard

The organization does not use insecure protocols, where a replacement is available, is prohibited (e.g., Telnet, HTTP, FTP, NetBIOS).

4.243 Cryptographic Protection

4.243.1 Standard Owner: IT

4.243.2 Standard References

NIST: SC-13

GLBA: Eﬀective

ISO27001: A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5

HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)

PCI-DSS: 4.1

4.243.3 Standard

Encryption and integrity controls will always be used when sending non-Public Information outside of the organization wide area network. This includes virtual private networks, wireless transmission and dial-up connectivity

4.244 Cryptographic Protection

4.244.1 Standard Owner: IT

4.244.2 Standard References

NIST: SC-13

GLBA: Validate

ISO27001: A.10.1.1, A.14.1.2, A.14.1.3, A.18.1.5

HIPAA: 164.312(a)(2)(iv), 164.312(e)(2)(ii)

PCI-DSS: 8.2.1

4.244.3 Standard

All non-Public Information stored on laptops and mobile devices will be encrypted. Storage of non-Public Information on unencrypted removable media is prohibited.

4.245 Public Key Infrastructure Certiﬁcates

4.245.1 Standard Owner: IT

4.245.2 Standard References

NIST: SC-17

GLBA: Validate

ISO27001: A.10.1.2

HIPAA:

PCI-DSS: 4.1

4.245.3 Standard

Certiﬁcates will be obtained via reputable vendors, such as DigiCert, Verisign, GeoTrust, etc..

4.246 Public Key Infrastructure Certiﬁcates

4.246.1 Standard Owner: IT

4.246.2 Standard References

NIST: SC-17

GLBA: Eﬀective

ISO27001: A.10.1.2

HIPAA:

PCI-DSS: 4.1

4.246.3 Standard

Self-signed certiﬁcates will not be used on public facing systems.

4.247 Public Key Infrastructure Certiﬁcates

4.247.1 Standard Owner: IT

4.247.2 Standard References

NIST: SC-17

GLBA: Eﬀective

ISO27001: A.10.1.2

HIPAA:

PCI-DSS: 4.1

4.247.3 Standard

For internal systems, the organization Certiﬁcate Authority is the only authority which will be recognized. Self-signed certiﬁcates will not be used on public facing systems.

4.248 Honeypots

4.248.1 Standard Owner: IT

4.248.2 Standard References

NIST: SC-26

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS:

4.248.3 Standard

Unauthorized honeypots shall not be setup on the organization's network. Honeypot installation will require CSO approval.

4.249 Concealment and Misdirection

4.249.1 Standard Owner: IT

4.249.2 Standard References

NIST: SC-30

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 2.2.4

4.249.3 Standard

4.250 System & Information Integrity Policy & Procedures

4.250.1 Standard Owner: IT

4.250.2 Standard References

NIST: SI-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.312(c)(1)

PCI-DSS: 12.1, 12.1.1

4.250.3 Standard

The organization will:

Develop, document, and disseminate system and information integrity standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update this policy and associated procedures, at a minimum,

Kept current, both the scanning engines and virus signature ﬁles
Perform periodic scans
Generate audit logs which will be retained

4.254 Malicious Code Protection

4.254.1 Standard Owner: IT

4.254.2 Standard References

NIST: SI-3

GLBA: Eﬀective

ISO27001: A.12.2.1

HIPAA: 164.308(a)(5)(ii)(B)

PCI-DSS: 5.1, 5.1.1, 5.1.2, 5.2, 5.3, 5.4

4.254.3 Standard

IT approved anti-malware software will be installed on all workstations and servers to prevent transmission of malicious software.

4.255 Information System Monitoring

4.255.1 Standard Owner: IT

4.255.2 Standard References

NIST: SI-4

GLBA: Draft

ISO27001: --

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B)

PCI-DSS: 10.6

4.255.3 Standard

Logs that have been collected by the central logging server will be notated for review; any events noted will be escalated, as appropriate, to the Incident Response Team.

4.256 Security Function Veriﬁcation

4.256.1 Standard Owner: IT

4.256.2 Standard References

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA:

PCI-DSS: 12.1, 12.1.1

4.261.3 Standard

The organization will:

Develop, document, and disseminate system and services acquisition standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review of Standards will be on an annual cadence
Review and update the associated procedures will be done as changes occur, and on an annual

4.262 Allocation of Resources

4.262.1 Standard Owner: Information Security

4.262.2 Standard References

NIST: SA-2

GLBA: Draft

ISO27001: --

HIPAA:

PCI-DSS:

4.262.3 Standard

4.266 Acquisition Process

4.266.1 Standard Owner: Finance

4.266.2 Standard References

NIST: SA-4

GLBA: Eﬀective

ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2

HIPAA: 164.314(a)(2)(i)

PCI-DSS: 7.2.1, 12.8.1, 12.8.4, 12.8.5

4.266.3 Standard

The organization will maintain an inventory of critical service providers and associated accessed information:

All written agreements with service providers
Risk assessments performed
Associated incident response plans

4.267 Acquisition Process

4.267.1 Standard Owner: Finance

4.267.2 Standard References

NIST: SA-4

GLBA: On Hold

ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2

HIPAA: 164.314(a)(2)(i)

PCI-DSS: 12.8

4.267.3 Standard

Service providers or business associates will be informed of changes to organization security standards and procedures on a regular basis.

4.268 Acquisition Process

4.268.1 Standard Owner: Finance

4.268.2 Standard References

NIST: SA-4

GLBA: Draft

ISO27001: A.14.1.1, A.14.2.7, A.14.2.9, A.15.1.2

HIPAA: 164.314(a)(2)(i)

PCI-DSS: 12.8

4.268.3 Standard

It is the responsibility of each organization employee who authorizes the services of a service provider to ensure standards, procedure, and contractual compliance.

4.269 External Information System Services

4.269.1 Standard Owner: Finance

4.269.2 Standard References

NIST: SA-9

GLBA: Eﬀective

ISO27001: A.6.1.1, A.6.1.5, A.7.2.1, A.13.1.2, A.13.2.2, A.15.2.1, A.15.2.2

HIPAA: 164.308(b)(1), 164.308(b)(4), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS:

4.269.3 Standard

All contract arrangements with service providers must comply with organizational information security requirements, federal and State laws, regulations, standards and guidelines.

4.274 Privacy Policy and Procedures

4.274.1 Standard Owner: Legal

4.274.2 Standard References

NIST: PT-1

GLBA:

ISO27001:

HIPAA:

PCI-DSS:

4.274.3 Standard

The organization will:

Develop, document, and disseminate a personally identiﬁable information processing and transparency policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

Develop, document, and disseminate Procedures to facilitate the implementation of the personally identiﬁable information processing and transparency policy and the associated personally identiﬁable information processing and transparency

4.275 Privacy Policy and Procedures

4.275.1 Standard Owner: Legal

4.275.2 Standard References

NIST: PT-1

GLBA:

4.284.3 Standard

Attach data tags containing the following purposes to [Assignment: organization-deﬁned elements of personally identiﬁable information]: [Assignment: organization-deﬁned processing purposes].

4.285 Personally Identiﬁable Information Processing Purposes - Automation

4.290 Privacy Notice

4.290.1 Standard Owner: Legal

4.290.2 Standard References

NIST: PT-5

GLBA:

ISO27001:

HIPAA:

PCI-DSS:

4.290.3 Standard

Notice is provided to individuals about the processing of personally identiﬁable information that:

Is available to individuals upon ﬁrst interacting with an organization, and subsequently at [deﬁned frequency];
Is clear and easy-to-understand, expressing information about personally identiﬁable information processing in plain language;
Identiﬁes the authority that authorizes the processing of personally identiﬁable information; and
Identiﬁes the purposes for which personally identiﬁable information is to be

Will draft system of records notices in accordance with OMB guidance and submit new and signiﬁcantly modiﬁed system of records notices to the OMB and appropriate congressional committees for advance review;
Will publish system of records notices in the Federal Register; and
Keep system of records notices accurate, up-to-date, and scoped in accordance with

Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identiﬁer;
Not deny any individual any right, beneﬁt, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and
Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of

4.298 Speciﬁc Categories of Personally Identiﬁable Information - First Amendment Information

4.298.1 Standard Owner: Legal

4.298.2 Standard References

NIST: PT-7

GLBA:

ISO27001:

HIPAA:

PCI-DSS:

4.298.3 Standard

The processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity is prohibited.

4.299 Computer Matching Requirements

4.299.1 Standard Owner: Legal

4.299.2 Standard References

NIST: PT-8 GLBA: GDPR: ISO27001: HIPAA: PCI-DSS:

4.299.3 Standard

When processing information for the purpose of conducting a matching program, the organization will:

Obtain approval from the Data Integrity Board to conduct the matching program;
Develop and enter into a computer matching agreement;
Publish a matching notice in the Federal Register;
Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and
Provide individuals with notice and an opportunity to contest the ﬁndings before taking adverse action against an individual.

4.300 Information Protection Program

4.300.1 Standard Owner: InfoSec

4.300.2 Standard References

NIST: PM-1 PM-2 PM-3 PM-4 PM-6 PM-9 PM-13

GLBA:

ISO27001:

HIPAA: § 164.308(a)(1)(i) § 164.308(a)(1)(ii)(A) § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.316(b)(1) § 164.316(b)(2)(iii)

PCI-DSS:

4.300.3 Standard

The organization has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed.

4.301 Written, managed, monitored, and improved

4.301.1 Standard Owner: InfoSec

4.301.2 Standard References

NIST: PM-1 PM-2 PM-3 PM-4 PM-6 PM-9 PM-13

GLBA:

ISO27001:

HIPAA: § 164.308(a)(1)(i) § 164.308(a)(1)(ii)(A) § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.316(b)(1) § 164.316(b)(2)(iii)

PCI-DSS:

4.301.3 Standard

The information protection program is formally documented (with written policy & procedures) and actively monitored, reviewed and updated to ensure program objectives continue to be met.

4.302 Assigned security team

4.302.1 Standard Owner: InfoSec

4.302.2 Standard References

NIST: AT-3 PL-4 PM-13 PM-14 PM-15 PM-2 PS-7

GLBA: GDPR: ISO27001:

HIPAA: § 164.308(a)(3)(ii)(A) § 164.308(a)(4)(ii)(B) § 164.308(b)(1) § 164.314(a)(1) § 164.314(a)(2)(i) § 164.314(a)(2)(ii)

PCI-DSS: 12.3 12.3.5

4.302.3 Standard

An individual or dedicated team is assigned to manage the information security of the organization.

4.303 Information Security Oﬃcer

4.303.1 Standard Owner: InfoSec

Standard References NIST: AT-3 IR-2 PM-10 PM-2 SA-3 GLBA:

ISO27001:

HIPAA: § 164.308(a)(2) § 164.308(a)(5)(i)

PCI-DSS: 12.4 12.5 12.5.1 12.5.2 12.5.3 12.5.4 12.5.5

4.303.3 Standard

The organization's senior-level information security oﬃcial (ISO) coordinates, develops, implements, and maintains an organization-wide information security program, and assigns speciﬁc roles and responsibilities, which are coordinated and aligned with internal and external partners.

4.304 Assigned Security Roles

4.304.1 Standard Owner: InfoSec

4.304.2 Standard References

NIST: PL-4 PS-1 PS-2

GLBA:

ISO27001:

HIPAA: § 164.308(a)(1)(i) § 164.308(a)(3)(i) § 164.308(a)(3)(ii)(A) § 164.308(a)(3)(ii)(B) § 164.308(a)(3)(ii)(C)

PCI-DSS: 12.4.1

4.304.3 Standard

User security roles and responsibilities are clearly deﬁned and communicated.

4.305 Security objectives, metrics, and measurement

4.305.1 Standard Owner: InfoSec

4.305.2 Standard References

NIST: AC-1 AT-1 AU-1 CA-1 CM-1 CP-1 IA-1 IR-1 MA-1 PE-1 PL-1 PM-1 PS-1 RA-1 SA-1 SC-1 SI-1

GLBA:

ISO27001:

HIPAA: § 164.414(a) § 164.530(i) § 164.312(c)(1) § 164.316(a) § 164.316(b)(2)(i) § 164.316(b)(2)(ii)

PCI-DSS: 1.5 10.9 11.6 12.3 2.5 3.7 4.3 5.4 6.7 7.3 8.8 9.10

4.305.3 Standard

4.314.3 Standard

The organization ensures plans for security testing, training and monitoring activities are developed, implemented, maintained and reviewed for consistency with the risk management strategy and response priorities.

4.315 Independent Audits

4.315.1 Standard Owner: InfoSec

Standard References NIST: AR-4 CA-2 CA-2(1) CA-7 CA-7(1) GLBA:

HIPAA: § 164.308(a)(1)(ii)(B) § 164.308(a)(8) § 164.310(a)(2)(ii) § 164.316(a) § 164.316(b)(1) § 164.316(b)(2)(iii)

PCI-DSS: 12.5.2

4.323.3 Standard

A business associate must report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.

4.324 Data Privacy Oﬃcer

4.324.1 Standard Owner: Legal

4.324.2 Standard References

NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12

GLBA:

Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)

ISO27001:

HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)

PCI-DSS: 3.1 3.4 3.4.1

4.324.3 Standard

The organization has formally appointed a qualiﬁed data protection oﬃcer, reporting to senior management, and who is directly and fully responsible for the privacy of covered information.

4.325 Customer Consent

4.325.1 Standard Owner: Legal

4.325.2 Standard References

NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12

GLBA:

GLBA:

Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)

ISO27001:

HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)

PCI-DSS: 3.1 3.4 3.4.1

4.328.3 Standard

Records with sensitive personal information are protected during transfer to organizations lawfully collecting such information.

4.329 Encryption of Data-at-rest

4.329.1 Standard Owner: Legal

4.329.2 Standard References

NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12

GLBA:

Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)

ISO27001:

HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)

PCI-DSS: 3.1 3.4 3.4.1

4.329.3 Standard

The conﬁdentiality and integrity of covered information at rest is protected using an encryption method appropriate to the medium where it is stored; where the organization chooses not to encrypt covered information, a documented rationale

for not doing so is maintained or alternative compensating controls are used if the method is approved and reviewed annually by the CISO.

4.330 Data Retention

4.330.1 Standard Owner: Legal

4.330.2 Standard References

NIST: AR-1 AR-2 SC-12(1) SC-28 SC-28(1) SI-12

GLBA:

Article 37(5) Article 37(7) Article 38(1) Article 38(2) Article 38(3) Article 39(1) Article 39(2)

ISO27001:

HIPAA: § 164.530(a) § 164.530(a)(2)(i) § 164.530(b) § 164.530(c)(1)

PCI-DSS: 3.1 3.4 3.4.1

4.330.3 Standard

Covered information is retained only for as long as required.

4.331 Data retention for policies & ePHI

4.331.1 Standard Owner: Legal

4.331.2 Standard References

NIST: AU-11 AU-9 DM-2 DM-2(1) RA-2 SI-12

GLBA:

ISO27001:

HIPAA: § 164.414(a) § 160.103 § 160.203 § 164.502(f) § 164.520(e) § 164.522(a)(3) § 164.524(e) § 164.528(d) § 164.530(j)

164.530(j)(2)

PCI-DSS: 3.1

4.331.3 Standard

The organization's formal policies and procedures, other critical records and disclosures of individuals' protected health information made are retained for a minimum of six (6) years.

5 Revision History

Revision	Date	Initiator	Nature of Change
1	1/27/2023	B. Huntley	Initial Draft - Information Security Standards
2	4/24/2023	L. Perry	Presidential approval

OM 1.0.0 - History and Mission

OM 1.1.0 History

OM 1.2.0 Mission and Objectives

OM 2.00.0

OM 2.1.0 - Board of Trustees

OM 2.3.0 - Duties and Responsibilities of Provost, Vice Presidents, Deans and Other Officers of the University

OM 2.4.0 Duties and Responsibilities of Academic Department Chairs

OM 2.4.1 Appointment and Tenure of Department Chairs and Academic Program Directors Policy Statement

OM 2.5.0 Periods of Duty - Administrative Offices

OM 2.6.0 Clarkson University Policies Governing Organized Activity Units

OM 2.6.1 Duties and Responsibilities of Directors of Institutes and Centers

OM 2.6.2 Appointment and Tenure of Directors

OM 2.6.3 Director of Organized Activity Unit - Additional Operational/Management Guidance

OM 2.7.0 Operational Procedures for the Administrative Council

OM 2.8.0 Faculty Senate Constitution

OM 2.9.0 Paperflow for Senate and Administrative Council Actions

OM 2.10.0 Committees of the University

OM 2.10.1 Committees of the Faculty Senate

OM 2.10.2 Standing Administrative Committees

OM 2.10.3 University Committee Procedures

OM 2.11.0 Support Staff Policies and Procedures

OM 2.12.0 Professional and Supervisory Staff Policies and Procedures

OM 3.0.0 - Human Resources Policies

OM 3.1.0 Human Resources Policies - General

OM 3.1.1 Definition of Employee Groups

OM 3.1.2 Exempt and Non-Exempt Employee Categories

OM 3.1.3 - Affirmative Action and Equal Employment Opportunity Statement

OM 3.1.4 - Employment of Family Members at Clarkson

OM 3.1.5 - Harassment and Sexual Misconduct Policy

OM 3.1.6 - Employment of Minors

OM 3.1.7 Drug Abuse in the Workplace

OM 3.1.8 Orientation

OM 3.1.9 Change in Status

OM 3.1.10 Smoking Policy

OM 3.1.11 Nondiscrimination Policy

OM 3.1.12 Cultural Diversity Policy

OM 3.1.13 General Grievance Procedures

OM 3.1.14 Discrimination Grievance Procedure (Including Cases of Sexual Misconduct)

OM 3.1.15 Anti-Bullying Policy

OM 3.1.16 Clarkson University Exit Policy

OM 3.1.17 Recruitment and Selection Process

OM 3.1.18 Termination/Resignation Policy

OM 3.1.19 Flexible Work Schedule (flextime) and Working Remotely

OM 3.1.20 Background Check Policy

OM 3.1.21 No Contact Order Policy

OM 3.2.0 Human Resources Policies - Faculty

OM 3.2.1 Retirement Benefits

OM 3.3.0 Human Resources Policies - Administrative, Supervisory, and General Staff

OM 3.3.1 Job Posting

OM 3.3.2 Position Classification Procedures

OM 3.3.3 Disciplinary Procedure

OM 3.3.4 Termination of Employment

OM 3.3.5 Retirement Benefits

OM 3.4.0 Human Resources Policies - Employment and Working Conditions - General Staff

OM 3.4.1 The Four Types of Appointments

OM 3.4.2 Employment - Appointment of General Staff Personnel

OM 3.4.3 Probationary Period - General Staff (Non-Bargaining)

OM 3.4.4 Working Hours - General Staff

OM 3.4.5 Rest Periods - General Staff

OM 3.4.6 Promotions and Transfers - General Staff

OM 4.0.0 - Compensation Policies

OM 4.1.0 Compensation Policies - General

OM 4.1.1 Supplemental Compensation Procedures - Faculty

OM 4.2.0 Compensation Policies - Faculty

OM 4.2.1 Salary Plan

OM 4.2.2 Salary Continuance - Faculty

OM 4.3.0 Compensation Policies - Administrative, Supervisory, and General Staff

OM 4.3.1 Wage and Salary Administration

OM 4.3.2 Salary Plan - Administrative and Supervisory Staff

OM 4.3.3 Pay Periods and Payroll Deductions - General Staff

OM 4.3.4 Overtime Policy for Non-Exempt Employees

OM 4.3.5 Supplemental Compensation Procedures - Exempt Non-Faculty

OM 4.3.6 Policy on Compensation for Travel Time - Non-Exempt Employees

OM 5.0.0 - Faculty Definitions and Policies

OM 5.1.0 Titles, Status and Definitions

OM 5.2.0 Duties of a Faculty Member

OM 5.3.0 Standards for Faculty Evaluations

OM 5.4.0 Procedures and Documentation for the Appointment, Reappointment and Continuing Evaluation of Faculty

OM 5.5.0 Evaluation Procedures for Tenure - The Tenure Policy

OM 5.6.0 Evaluation Procedures for Promotion