OM 9.1.2 - Information Security Standards

Effective Date: January 2023
Last Updated: April 24, 2023
Responsible University Office: Office of Information Technology
Responsible University Administrator: Chief Information Officer

Policy Contact:

Office of Information Technology
helpdesk@clarkson.edu

1 Purpose

The Information Security Steering Committee of Clarkson University has adopted these information security Standards, which deﬁne the appropriate administrative, technical, and physical safeguards over sensitive information. These standards are designed to:

● Ensure that the safeguards adequately address the legal, regulatory, and mandatory requirements for information security;

● Provide adequate coverage of the recommended best practices spanning in the eighteen NIST Control Families; and

● Give a general assurance level that the conﬁdentiality, integrity, and availability of the University's assets will be upheld.

These Standards are based upon NIST 800-53 rev4 and they represent the What elements of information security that are speciﬁc to the University. Clarkson University will update these standards as need arises and will continue to review them annually. As these standards are not policy, updates shall not require Board approval, but will be reviewed and formally approved by the Information Security Steering Committee at least annually.

In addition to the Standards deﬁned here, Clarkson University also maintains a set of procedures, plans and processes that deﬁne the How, When, and Who elements of information security and the expected behavior of personnel as they work to carry out the Standards in an approved manner that upholds these Standards.

2 Scope

These standards are applicable to all information in the possession of the University, including its aﬃliates and its agents, which may be stored, processed, or transmitted by any means. This includes electronic information, information on paper, and information shared orally or visually (e.g., telephone and video conferencing). Also included is any information in storage or in electronic or physical transmission outside of the University's facilities (e.g., service providers).

3 Roles & Responsibilities

Ultimate accountability for the Information Security controls rests with the Director of Network Services and Information Security. The control owners are accountable to ensure that the controls assigned to them are in-place and eﬀective throughout the scope of the organization for which the controls apply.

● For administrative controls, the control owner will most likely oversee the execution of controls and possibly will be the implementor of the controls as well.

● For technical controls, the control owner is accountable, and may or may not choose to have IT implement the controls on their behalf.

● For physical controls, there will be a division of labor between the control owner and the facilities team.

4 Information Security Standards

4.1 Access Control Policy and Procedures

4.1.1 Standard Owner: Board, Senior Management, Information Technology

4.1.2 Standard References

NIST: AC-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)

PCI-DSS: 12.1, 12.1.1

4.1.3 Standard

The organization will:

Develop, document, and disseminate standards that address purpose, scope, roles and responsibilities for managing access management activities;
Develop and document the roles and responsibilities for individuals who have access to information systems;
Document supporting procedures;
Disseminate the information to ensure coordination among the organization’s entities; and
Policy and procedure are approved and reviewed every
Review the standards

4.2 Access Control Policy and Procedures

4.2.1 Standard Owner: Information Technology

4.2.2 Standard References

NIST: AC-1

GLBA:

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.9.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(1)

PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.2

4.2.3 Standard

A formal, documented emergency access procedure (for system and facilities) for enabling authorized workforce members during an emergency.

4.3 Account Management

4.3.1 Standard Owner: Information Technology

4.3.2 Standard References

NIST: AC-2

GLBA:

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6

HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.2

4.3.3 Standard

All user access to systems must be granted based on (1) valid access authorization, including business justiﬁcation, by [Whom], (2) intended system usage, and (3) other attributes as required by the organization or associated mission’s/business functions.

4.4 Account Management

4.4.1 Standard Owner: Information Technology

4.4.2 Standard References

NIST: AC-2

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6

HIPAA: 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS: 7.1, 7.1.2, 7.2

4.4.3 Standard

Accounts with special privileges will only be used for those tasks requiring it, not for day-to-day usage.

4.5 Account Management | Access Enforcement | Least Privilege

4.5.1 Standard Owner: Information Technology

4.5.2 Standard References

NIST: AC-2 AC-3 AC-6

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6 A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C),

164.308(a)(5)(ii)(C), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1, 7.1.1, 7.1.2, 7.1.4, 7.2, 7.2.1, 7.2.3, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.5, 10.1

4.5.3 Standard

A formal, documented process for granting appropriate access to organization information systems will be documented. Only the most minimal access will be provisioned based on a need-to-know basis. All revisions to organization workforce member and software program access rights will be tracked and logged. Security groups and ACLs will be used to provide limited, role-based access to shared resources. For systems not relying on domain accounts, the account creation/removal process will also be documented. At a minimum, tracking and logging of all access requests will require the following information:

Data and time of revision
Identiﬁcation of workforce member or software program whose access is being revised
Brief description of revised access right(s)

Approval by system owner/stewards or their chosen delegate
Reason for revision

This information will be securely maintained.

4.6 Access Enforcement

4.6.1 Standard Owner: Information Technology

4.6.2 Standard References

NIST: AC-3

GLBA: Eﬀective

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 1.2.1 7.2.3

4.6.3 Standard

Access to internal, nonpublic-facing systems from untrusted sites, by default, will be blocked at the organization perimeter ﬁrewall.

4.7 Access Enforcement | Least Privilege

4.7.1 Standard Owner: Information Technology

4.7.2 Standard References

NIST: AC-3 AC-6

GLBA: Draft

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1.1, 7.1.3, 8.1.4

4.7.3 Standard

All organization workforce members will have their information system privileges automatically disabled after their user ID or access method has had 90 days of inactivity. All such privileges that are disabled in this manner will be reviewed to ensure that the inactivity is not due to termination of employment. If termination is the reason for inactivity, there will be review of situation to ensure that all access to CONFIDENTIAL INFORMATION (or ability to physical access information) has been eliminated.

4.8 Access Enforcement | Least Privilege

4.8.1 Standard Owner: Information Technology

4.8.2 Standard References

NIST: AC-3 AC-6

GLBA: Draft

ISO27001: A.6.2.2, A.9.1.2, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.1, A.14.1.2, A.14.1.3, A.18.1.3 A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iv)

PCI-DSS: 7.1.2, 7.1.3

4.8.3 Standard

Access reviews for privileged and non-privileged accounts on systems storing restricted information will be conducted annually.

4.9 Information Flow Enforcement

4.9.1 Standard Owner: Information Technology

4.9.2 Standard References

NIST: AC-4

GLBA: On Hold

ISO27001: A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.310(b)

PCI-DSS:

4.9.3 Standard

The organization will deﬁne a Security Architecture Plan that addresses:

The ﬂow of information between inter-connected systems; and
Deﬁned security rules by network

4.10 Separation of Duties

4.10.1 Standard Owner: Information Technology

4.10.2 Standard References

NIST: AC-5

GLBA: Eﬀective

ISO27001: A.6.1.2

HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)

PCI-DSS:

4.10.3 Standard

Where possible, software developers will not utilize elevated access to production systems.

4.11 Least Privilege

4.11.1 Standard Owner: Information Technology

4.11.2 Standard References

NIST: AC-6

GLBA: Eﬀective

ISO27001: A.9.1.2, A.9.2.3, A.9.4.4, A.9.4.5

HIPAA: 164.308(a)(3)(i), 164.308(a)(4)(i), 164.308(a)(4)(ii)(A), 164.312(a)(1)

PCI-DSS: 7.1.2, 7.1.3

4.11.3 Standard

Only the most minimal access will be provisioned based on a need-to-know basis.

4.12 Unsuccessful Logon Attempts

4.12.1 Standard Owner: Information Technology

4.12.2 Standard References

NIST: AC-7

GLBA: Eﬀective

ISO27001: A.9.4.2

HIPAA:

PCI-DSS:

4.12.3 Standard

Organization workforce members shall not attempt to gain access to organization information systems containing restricted information for which they have not been given proper authorization.

4.13 Unsuccessful Logon Attempts

4.13.1 Standard Owner: Information Technology

4.13.2 Standard References

NIST: AC-7

GLBA: Eﬀective

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2,2.2.4, 8.1.6, 8.1.7

4.13.3 Standard

Systems will lock accounts after no more than 5 failed login attempts.

4.14 System Use Notiﬁcation

4.14.1 Standard Owner: Information Technology

4.14.2 Standard References

NIST: AC-8

GLBA: On Hold

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2.4

4.14.3 Standard

The organization displays an approved system use notiﬁcation message or banner before granting access to the system that provides privacy and security notices consistent with applicable laws, directives, policies, regulations, standards, and guidance and states that:

users are accessing organizational information systems;
system usage may be monitored, recorded, and subject to audit;

unauthorized use of the system is prohibited and subject to disciplinary action; and
use of the system indicates consent to monitoring and

4.15 Previous Logon (Access) Notiﬁcation

4.15.1 Standard Owner: Information Technology

4.15.2 Standard References

NIST: AC-9

GLBA: On Hold

ISO27001: A.9.4.2

HIPAA:

PCI-DSS: 2.2.4

4.15.3 Standard

Workstation, laptop, and server logon systems will suppress and/or not display the username of the previously logged on user.

4.16 Concurrent Session Control

4.16.1 Standard Owner: Information Technology

4.16.2 Standard References

NIST: AC-10

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS:

4.16.3 Standard

Critical applications will be conﬁgured to limit the number of concurrent sessions for each account and/or account type.

4.17 Session Lock

4.17.1 Standard Owner: Information Technology

4.17.2 Standard References

NIST: AC-11

GLBA: Eﬀective

ISO27001: A.11.2.8, A.11.2.9

HIPAA: 164.310(b), 164.312(a)(2)(iii)

PCI-DSS: 2.2,2.2.4, 8.1.8, 12.3.8

4.17.3 Standard

Endpoints must prevent further access to the information assets by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user. In addition, systems must retain the session lock until the user reestablishes access using established identiﬁcation and authentication procedures.

4.18 Session Termination

4.18.1 Standard Owner: Information Technology

4.18.2 Standard References

NIST: AC-12

GLBA: On Hold

ISO27001: --

HIPAA: 164.310(b), 164.312(a)(2)(iii)

PCI-DSS: 2.2,2.2.4, 8.1.8, 12.3.8

4.18.3 Standard

Systems will disconnect application and remote access sessions after 240 minutes of idle time.

4.19 Remote Access

4.19.1 Standard Owner: Information Technology

4.19.2 Standard References

NIST: AC-17

GLBA: Eﬀective

ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2

HIPAA: 164.310(b)

PCI-DSS: 8.1.5

4.19.3 Standard

Applications accessed through external facing webservers without appropriate SSL encryption will only be accessed via approved VPN.

4.20 Remote Access

4.20.1 Standard Owner: Information Technology

4.20.2 Standard References

NIST: AC-17

GLBA: Eﬀective

ISO27001: A.6.2.1, A.6.2.2, A.13.1.1, A.13.2.1, A.14.1.2

HIPAA: 164.310(b)

PCI-DSS: 8.1.5,12.3.9,12.3.10

4.20.3 Standard

Remote access technologies for vendors will only be enabled when needed, with immediate deactivation after use.

4.21 Wireless Access

4.21.1 Standard Owner: Information Technology

4.21.2 Standard References

NIST: AC-18

GLBA: Eﬀective

ISO27001: A.6.2.1, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 4.1, 4.1.1, 11.1

4.21.3 Standard

Public wireless networks will be considered open, insecure networks.

4.22 Wireless Access

4.22.1 Standard Owner: Information Technology

4.22.2 Standard References

NIST: AC-18

GLBA: Eﬀective

ISO27001: A.6.2.1, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.2.3, 2.1.1, 4.1, 9.1.3, 11.1, 11.1.1, 11.1.2, 12.3

4.22.3 Standard

Without prior authorization, departments or personnel will not setup their own wireless access-points or networks

4.23 Use of External Information Systems

4.23.1 Standard Owner: Information Technology

4.23.2 Standard References

NIST: AC-20

GLBA: On Hold

ISO27001: A.11.2.6, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.3.5

4.23.3 Standard

All connections between organization Information Systems and external systems will be approved and documented.

4.24 Use of External Information Systems

4.24.1 Standard Owner: Information Technology

4.24.2 Standard References

NIST: AC-20

GLBA: Eﬀective

ISO27001: A.11.2.6, A.13.1.1, A.13.2.1

HIPAA:

PCI-DSS: 1.3.5

4.24.3 Standard

The Director of Network Services & Information Security will approve any system which interfaces with systems that store or process information classiﬁed as 'Clarkson-Restricted'.

4.25 Publicly Accessible Content

4.25.1 Standard Owner: Information Technology, | Compliance

4.25.2 Standard References

NIST: AC-22

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS:

4.25.3 Standard

Information classiﬁed as Clarkson-Restricted will not be posted on the organization's publicly available website.

4.26 Access Control Decisions

4.26.1 Standard Owner: Information Technology

4.26.2 Standard References

NIST: AC-24

GLBA: Eﬀective

ISO27001: A.9.4.1*

HIPAA:

PCI-DSS:

4.26.3 Standard

All access requests will go through a managerial approval process prior to access enforcement.

4.27 Audit and Accountability Policy and Procedures

4.27.1 Standard Owner: IT

4.27.2 Standard References

NIST: AU-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.312(b)

PCI-DSS: 12.1, 12.1.1

4.27.3 Standard

The organization will:

Develop, document, and disseminate audit and accountability standards that addresses purpose, scope, roles, responsibilities, and management commitment, coordination among organizational entities, and

Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.28 Audit Events | Non-repudiation

4.28.1 Standard Owner: IT

4.28.2 Standard References

NIST: AU-2 AU-10

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(5)(ii)(C), 164.312(b)

PCI-DSS: 8.1.5, 10.1, 10.2, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4,

10.6.1

4.28.3 Standard

Security events for Active Directory, ﬁrewalls, servers, applications, and databases will be deﬁned. This includes:

Permission Altered Alerts (accounts/groups created, group membership modiﬁed, VPN groups modiﬁed)
Inappropriate Use & Login for Administrators (successful/failed logon attempts, application/operating system/network devices administrator accounts, service accounts, accounts used to provision access, local administrator accounts)
Inappropriate Use for Workforce (successful/failed logon attempts, multiple account locks/disabled/deleted)
System Events (logs cleared, virus/malware detected, NTP time change, rogue wireless devices)
System Health (active directory groups created/removed, application restarts/shutdowns, taxing active directory queries)
File Integrity (critical/sensitive ﬁle changes)
Network Intrusion Attempts
Application & Database (failed logon attempts, accounts created/modiﬁed)
Event types, date and time, origination of event, identity or name of aﬀected data, system component, or resource

4.29 Content of Audit Records

4.29.1 Standard Owner: IT

4.29.2 Standard References

NIST: AU-3

GLBA: Eﬀective

ISO27001: A.12.4.1* HIPAA: 164.312(b) PCI-DSS: 10.5.3, 10.7

4.29.3 Standard

Logs from Active Directory, ﬁrewalls (both internal and external), servers, and DNS will be sent to the central logging server.

4.30 Audit Storage Capacity

4.30.1 Standard Owner: IT

4.30.2 Standard References

NIST: AU-4

GLBA: Eﬀective

ISO27001: A.12.1.3 HIPAA: 164.312(b) PCI-DSS: 10.5.3, 10.7

4.30.3 Standard

Logs will be moved to a centralized logging system within 24 hours of being recorded.

4.31 Response to Audit Processing Failures

4.31.1 Standard Owner: IT

4.31.2 Standard References

NIST: AU-5

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS:

4.31.3 Standard

The central logging server will be monitored for system disk capacity, availability, and running of the syslog process

4.32 Audit Review, Analysis, and Reporting

4.32.1 Standard Owner: IT

4.32.2 Standard References

NIST: AU-6

GLBA: On Hold

ISO27001: A.12.4.1, A.16.1.2, A.16.1.4

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.312(b)

PCI-DSS:

4.32.3 Standard

Metrics reports for security events will be created and monitored on a periodic basis, based on the criticality of the logs. As well, an alerting process will be used.

4.33 Time Stamps

4.33.1 Standard Owner: IT

4.33.2 Standard References

NIST: AU-8

GLBA: Eﬀective

ISO27001: A.12.4.4

HIPAA:

PCI-DSS: 2.2,2.2.4, 10.3.3, 10.4, 10.4.1, 10.4.2, 10.4.3

4.33.3 Standard

All workstations and servers will receive their time via NTP from industry accepted time sources.

4.34 Protection of Audit Information

4.34.1 Standard Owner: IT

4.34.2 Standard References

NIST: AU-9

GLBA: Eﬀective

ISO27001: A.12.4.2, A.12.4.3, A.18.1.3

HIPAA:

PCI-DSS: 10.5, 10.5.1, 10.5.2

4.34.3 Standard

Audit logs will be secured so that cannot be altered:

Access limited to those with job-related needs
Protected via access control mechanisms, physical segregations

4.35 Audit Record Retention

4.35.1 Standard Owner: IT

4.35.2 Standard References

NIST: AU-11

GLBA: Draft

ISO27001: A.12.4.1, A.16.1.7

HIPAA:

PCI-DSS: 10.5.3, 10.5.4, 10.5.5

4.35.3 Standard

Logs will be sent to a central log server and retained for a minimum of 3 months online, 9 months oﬄine (total of 1 year available). Log ﬁles will be monitored for change.

4.36 Monitoring for Information Disclosure

4.36.1 Standard Owner: IT

4.36.2 Standard References

NIST: AU-13

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS: 10.6, 10.6.1, 10.6.2, 10.6.3

4.36.3 Standard

Logs will be monitored and security events investigated, at a minimum, daily. If a security incident has occurred, the incident response procedures will be executed and followed.

4.37 Security Awareness and Training Policy and Procedures

4.37.1 Standard Owner: Information Security

4.37.2 Standard References

NIST: AT-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 12.6, 12.6.1

4.37.3 Standard

The organization will:

Develop, document, and disseminate security awareness and training standards that addresses purpose, scope, roles, responsibilities, and management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of the
Review and update Policies every year
Review and update the standards and associated procedures, as

4.38 Security Awareness Program

4.38.1 Standard Owner: Information Security

4.38.2 Standard References

NIST: AT-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 12.6, 12.6.1

4.38.3 Standard

The organization will develop, implement, and regularly review a formal, documented program for providing, at a minimum on-hire and thereafter annually, appropriate security training and awareness to workforce members

4.39 Security Awareness Training

4.39.1 Standard Owner: Information Security

4.39.2 Standard References

NIST: AT-2

GLBA: Eﬀective

ISO27001: A.7.2.2, A.12.2.1

HIPAA: 164.308(a)(5)(i), 164.308(a)(5)(ii)(A), 164.308(a)(5)(ii)(B)

PCI-DSS: 3.7, 4.3, 8.4, 12.6, 12.6.1

4.39.3 Standard

Employees training and security reminder communications, at a minimum, will address:

The importance of keeping creating, using, and safeguarding authentication credentials

Ensuring that organization workforce members understand that all activities involving their user identiﬁcation and password will be attributed to
Security policies, procedures, and standards for protecting the conﬁdentiality, integrity, and availability of information and systems
Signiﬁcant risks to organization information systems and data
Information security legal and business responsibilities
How, and to whom an incident shall be reported
How to identify, report, and avoid malicious software, other forms of suspicious electronic communication and social engineering attempts

4.40 Role-Based Security Training

4.40.1 Standard Owner: Information Security

4.40.2 Standard References

NIST: AT-3

GLBA: Eﬀective

ISO27001: A.7.2.2* HIPAA: 164.308(a)(5)(i) PCI-DSS:

4.40.3 Standard

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

Before authorizing access to the information system or performing assigned duties;
when required by information system changes; and
annually

4.41 Role-Based Security Training

4.41.1 Standard Owner: Information Security | Finance* | Compliance*

4.41.2 Standard References

NIST: AT-3

GLBA: Eﬀective

ISO27001: A.7.2.2*

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 3.7, 4.3, 8.4, 9.9, 9.9.3, 12.6, 12.6.1

4.41.3 Standard

Employees who access, store, process, or protect credit cardholder data will receive, at a minimum on-hire and thereafter annually, training on appropriate procedures for safeguarding credit cardholder data

4.42 Security Training Records

4.42.1 Standard Owner: Information Security

4.42.2 Standard References

NIST: AT-4

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(5)(i)

PCI-DSS: 12.6.1 12.6.2

4.42.3 Standard

After training has been conducted, each organization workforce member will verify that he or she has received the training, understood the material presented, and agrees to comply with it

4.43 Conﬁguration Management Policy and Procedures

4.43.1 Standard Owner: IT

4.43.2 Standard References

NIST: CM-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA:

PCI-DSS: 12.1, 12.1.1

4.43.3 Standard

The organization will:

Develop, document, and disseminate conﬁguration management standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.44 Baseline Conﬁguration

4.44.1 Standard Owner: IT

4.44.2 Standard References

NIST: CM-2

GLBA: Draft

ISO27001: --

HIPAA:

PCI-DSS: 1.1.1, 1.1.5, 1.1.6, 1.2.2, 1.5, 2.2, 2.2.2, 2.2.4, 2.2.5, 2.5, 3.7, 4.3, 5.4, 6.7, 7.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8,

10.4.3,12.1,12.1.1, 12.3

4.44.3 Standard

Management procedures will be created that address:

The documentation of Hardening Conﬁguration Standards, by operating system. These conﬁguration controls will be based industry accepted standards (e.g., Center for Internet Security or CIS).
System account conﬁgurations
Groups, roles, and responsibilities for management of network components
Documented business justiﬁcation for all ports, protocols, ports allowed/disallowed, and any security features implemented for those protocols considered insecure
For routers, securing and synchronization of conﬁguration ﬁles
Documentation of security parameters that prevent misuse

Secure coding techniques in the software development lifecycle
Synchronizations with industry accepted time sources

4.45 Baseline Conﬁguration

4.45.1 Standard Owner: IT

4.45.2 Standard References

NIST: CM-2 CM-6

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 1.4, 2.2

4.45.3 Standard

Organization owned laptops and employee owned user devices are prohibited from storing, processing, or transmitti ng credit cardholder data. Desktops and mobile devices (e.g., tablets, smartphones) may be used to process cardholder transactions only if equipped with P2PE-compliant devices and are authorized by IT.

4.46 Baseline Conﬁguration

4.46.1 Standard Owner: IT

4.46.2 Standard References

NIST: CM-2 CM-6

GLBA: Draft

ISO27001: --

HIPAA:

PCI-DSS: 2.2,2.2.4

4.46.3 Standard

All systems that access, store, process, or transmit non-Public Information will be conﬁgured to:

Not display information system or application identifying information until the log-in process has been successfully completed
Where supported, display a logon banner
Not provide help messages during the log-in procedure that would assist an unauthorized user If an error arises during authentication, the system will not indicate which part of the data is correct or incorrect

4.47 Conﬁguration Change Control | Security Impact Analysis

4.47.1 Standard Owner: IT

4.47.2 Standard References

NIST: CM-3 CM-4

GLBA: Eﬀective

ISO27001: A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 A.14.2.3

HIPAA:

PCI-DSS: 1.5,2.2.4, 2.5, 3.7, 4.3, 5.4, 6.3.1, 6.3.2, 6.4, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, 6.7,

7.3, 8.8, 9.10, 10.8, 11.6

4.47.3 Standard

The organization will develop, document, implement, and maintain a change management process for managing changes to production systems containing Clarkson-Restricted data.

This process will address:

Documentation of security impact analysis, functionality testing, back out procedures
The documentation and retention of change records
Review and authorization of changes with explicit consideration for security impact analyses
Coordination and communication of changes
Oversight for proposed conﬁguration-controlled changes
If a new application or changed application that stores non-Public Information, the system will store evidence of a vulnerability scan
The removal of development, test and/or custom application accounts, user IDs, and passwords before the application become active or are released into production
The removal of custom code prior to production release
Where possible, separate development, test, and production systems
Separation of duties between development/test and production systems
Credit cardholder data is not being stored
Removal of test data

4.48 Access Restrictions for Change

4.48.1 Standard Owner: IT

4.48.2 Standard References

NIST: CM-5

GLBA: Eﬀective

ISO27001: A.9.2.3, A.9.4.5, A.12.1.2, A.12.1.4, A.12.5.1

HIPAA:

PCI-DSS: 2.2.4

4.48.3 Standard

IT administrators or authorized vendors will be the only groups who have administrator access to servers

4.49 Conﬁguration Setti ngs

4.49.1 Standard Owner: IT

4.49.2 Standard References

NIST: CM-6

GLBA: Draft

ISO27001: --

HIPAA:

PCI-DSS: 2.2,2.2.4, 8.1.8

4.49.3 Standard

Where technically feasible, computing devices will be electronically locked when they are no longer in use:

Servers: 10 minutes
Laptops and Desktops: 15 minutes

Mobile Devices (smart phones, tablets): 3 minutes
Network Devices: 10 minutes

Exceptions to this standard will be granted and must be approved by the Director of Network Svcs and Information Security.

4.50 Conﬁguration Setti ngs

4.50.1 Standard Owner: IT

4.50.2 Standard References

NIST: CM-6

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS:

4.50.3 Standard

Conﬁguration-controlled computing devices will be sampled and scanned every 6 months to identify, document, implement, and approve any deviations to the conﬁguration setti ngs in accordance with the Hardening Conﬁguration Standards.

4.51 Least Functionality

4.51.1 Standard Owner: IT

4.51.2 Standard References

NIST: CM-7

GLBA: Eﬀective

ISO27001: A.12.5.1*

HIPAA:

PCI-DSS: 2.2.1

4.51.3 Standard

Where economically feasible, only one primary function can be assigned to a production server to prevent functions that require diﬀerent security levels from co-existing on the same server (For example, web servers, database servers, and DNS will be implemented on separate servers). This includes one primary function per virtualized system instance.

4.52 Information System Component Inventory

4.52.1 Standard Owner: IT

4.52.2 Standard References

NIST: CM-8

GLBA: On Hold

ISO27001: A.8.1.1, A.8.1.2

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii)

PCI-DSS: 2.2.4,2.4, 7.2.1, 9.7.1, 9.9.1, 11.1.1, 12.2

4.52.3 Standard

In order to maintain an inventory of all information systems, approved technologies, and electronic media, and to ensure computing assets comply with conﬁguration standards, the Change Management process will identify and update asset inventories.

4.53 Software Usage Restrictions

4.53.1 Standard Owner: IT

4.53.2 Standard References

NIST: CM-10

GLBA: Eﬀective

ISO27001: A.18.1.2

HIPAA:

PCI-DSS:

4.53.3 Standard

All software usage will be tracked, and controlled in accordance with contract requirements and copyright laws.

4.54 Software Usage Restrictions

4.54.1 Standard Owner: IT

4.54.2 Standard References

NIST: CM-10

GLBA: Eﬀective

ISO27001: A.18.1.2

HIPAA:

PCI-DSS:

4.54.3 Standard

Peer to Peer software is prohibited.

4.55 User-Installed Software

4.55.1 Standard Owner: IT

4.55.2 Standard References

NIST: CM-11

GLBA: Eﬀective

ISO27001: A.12.5.1, A.12.6.2

HIPAA:

PCI-DSS: 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7

4.55.3 Standard

Software programs will not be installed on workstations or servers without prior authorizations. Only approved software will be installed on organizational assets.

4.56 Contingency Planning Policy and Procedures

4.56.1 Standard Owner: Operations

4.56.2 Standard References

NIST: CP-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(7)(i)

PCI-DSS: 12.1, 12.1.1

4.56.3 Standard

The organization will:

Develop, document, and disseminate standards and an emergency operations center (EOC) contingency plan that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of the
Review and update the standards and the EOC contingency plan and associated procedures, at a minimum,
Ensure that contingency plans have adequately addressed safeguarding critical information during a serious outage or

4.57 Contingency Plan

4.57.1 Standard Owner: Operations

4.57.2 Standard References

NIST: CP-2

GLBA: Eﬀective

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.57.3 Standard

The organization develops and maintains a Business Impact Assessment process to identify and regularly analyze the criticality of organization information systems.

4.58 Contingency Plan

4.58.1 Standard Owner: Operations

4.58.2 Standard References

NIST: CP-2

GLBA: Eﬀective

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.58.3 Standard

The organization will have a Continuity Plan both preparing for and eﬀectively responding to emergencies and disasters that may damage the conﬁdentiality, integrity, or availability of its information systems. At a minimum, the plan will address:

Identiﬁcation of signiﬁcant processes and controls that protect the conﬁdentiality, integrity, and availability of Non-Public Information on organization information
Identiﬁcation and prioritization of emergencies that may impact organization information systems containing Non-Public Information.
Documenting procedures for how organization will respond to speciﬁc emergencies that impact information systems containing Non-Public
Deﬁne procedures for how organization, during and immediately after a crisis situation, will maintain the processes and controls that ensure the availability, integrity and conﬁdentiality of Non-Public Information on organization information systems.
Deﬁne a procedure that ensures that authorized employees can enter organization facilities to enable continuation of processes and controls that protect Non-Public Information while organization is operating in emergency
Return to normal procedures

4.59 Contingency Plan

4.59.1 Standard Owner: Operations

4.59.2 Standard References

NIST: CP-2

GLBA: Eﬀective

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.59.3 Standard

IT will create and document a disaster recovery plan to support the BCP. The plan will be reviewed regularly and revised as necessary. At a minimum, the recovery plan will include:

The conditions for activating the
Identiﬁcation and deﬁnition of organization workforce member
Resumption procedures (manual and automated) which describe the actions to be taken to return organization information systems to normal operations within required time
Notiﬁcation and reporting
Procedure(s) for allowing appropriate employees physical access to organization facilities so that they can implement recovery procedures in the event of a

4.60 Contingency Plan

4.60.1 Standard Owner: Operations

4.60.2 Standard References

NIST: CP-2

GLBA: Eﬀective

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.60.3 Standard

Authorized organization workforce members will have access to the current BCP and DR plans and an appropriate number of current copies of the plan will be kept oﬀ-site.

4.61 Contingency Plan

4.61.1 Standard Owner: Operations

4.61.2 Standard References

NIST: CP-2

GLBA: Eﬀective

ISO27001: A.6.1.1, A.17.1.1, A.17.2.1

HIPAA: 164.308(a)(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii)

PCI-DSS:

4.61.3 Standard

The organization’s contingency plans will be kept current. Examples of events that will result in an update of the plan include, but are not limited to:

Change in disaster recovery
Change in contact information for disaster recovery
Signiﬁcant change(s) to organization’s technical or physical
Change in key suppliers or
Signiﬁcant change in threats to organization facilities or information

4.62 Contingency Training

4.62.1 Standard Owner: Operations

4.62.2 Standard References

NIST: CP-3

GLBA: On Hold

ISO27001: A.7.2.2* HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:

4.62.3 Standard

Organization workforce members will receive training and awareness on organization’s disaster preparation and disaster and emergency response processes

4.63 Contingency Plan Testing

4.63.1 Standard Owner: IT

4.63.2 Standard References

NIST: CP-4

GLBA: Eﬀective

ISO27001: A.17.1.3 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:

4.63.3 Standard

The Disaster Recovery plan will be tested for select systems, at a minimum, annually.

4.64 Contingency Plan Testing

4.64.1 Standard Owner: IT

4.64.2 Standard References

NIST: CP-4

GLBA: Eﬀective

ISO27001: A.17.1.3 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:

4.64.3 Standard

Backup & Recovery Procedure will be tested at least annually.

4.65 Contingency Plan Testing

4.65.1 Standard Owner: IT

4.65.2 Standard References

NIST: CP-4

GLBA: On Hold

ISO27001: A.17.1.4 HIPAA: 164.308(a)(7)(ii)(D) PCI-DSS:

4.65.3 Standard

The results of the DRP test will be formally documented and presented to appropriate organization management. The contingency plan will be revised as necessary to address issues or gaps identiﬁed in the testing process

4.66 Alternate Storage Site

4.66.1 Standard Owner: IT

4.66.2 Standard References

NIST: CP-6

GLBA: Eﬀective

ISO27001: A.11.1.4, A.17.1.2, A.17.2.1 HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i) PCI-DSS: 9.5.1

4.66.3 Standard

Backup copies of Clarkson-Restricted Information will be stored at a secure, remote location at a minimum of 100 miles from the system of record for which the backups were made.

4.67 Alternate Processing Site

4.67.1 Standard Owner: IT

4.67.2 Standard References

NIST: CP-7

GLBA: Eﬀective

ISO27001: A.11.1.4, A.17.1.2, A.17.2.1 HIPAA: 164.308(a)(7)(ii)(B), 164.310(a)(2)(i) PCI-DSS:

4.67.3 Standard

The organization and/or its cloud-based vendors will provide at least one alternative processing site should the primary site become unavailable.

4.68 Information System Backup

4.68.1 Standard Owner: IT

4.68.2 Standard References

NIST: CP-9

GLBA: Eﬀective

ISO27001: A.12.3.1, A.17.1.2, A.18.1.3

HIPAA: 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(B), 164.310(d)(2)(iv)

PCI-DSS:

4.68.3 Standard

The organization will have a formal, documented backup plan for its information systems. At a minimum, the plan will:

Identify information systems and electronic media to be backed
Provide a backup
Identify where backup media are stored and who may access
Outline restoration
Identify who is responsible for ensuring the backup of information systems and electronic media

4.69 Information System Backup

4.69.1 Standard Owner: IT

4.69.2 Standard References

NIST: CP-9

GLBA: Eﬀective

ISO27001: A.12.3.1, A.17.1.2, A.18.1.4

HIPAA: 164.308(a)(7)(ii)(B)

PCI-DSS:

4.69.3 Standard

Backup copies of all non-Clarkson-Public Information on organization electronic media and information systems will be made regularly. This includes both Non-Public Information received by organization and created within organization

4.70 Identiﬁcation and Authentication Policy and Procedures

4.70.1 Standard Owner: Tech Services

4.70.2 Standard References

NIST: IA-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA:

PCI-DSS: 12.1, 12.1.1

4.70.3 Standard

The organization will:

Develop, document, and disseminate identiﬁcation and authentication standards that addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.71 Identiﬁcation and Authentication (Organizational Users)

4.71.1 Standard Owner: HR

4.71.2 Standard References

NIST: IA-2

GLBA: Draft

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.8,12.6,12.6.1

4.71.3 Standard

All new organization employees will receive appropriate security training before being provided with account credentials that would allow access to organizational information systems.

4.72 Identiﬁcation and Authentication (Organizational Users)

4.72.1 Standard Owner: HR

4.72.2 Standard References

NIST: IA-2

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.1.1, 8.2, 8.5,12.5.3

4.72.3 Standard

Each user and system account will have a unique user ID. Every account will be required to have a password. Shared accounts are prohibited. All exceptions must be approved by the Director of Network Services and Information Security.

4.73 Identiﬁcation and Authentication (Organizational Users)

4.73.1 Standard Owner: Tech Services

4.73.2 Standard References

NIST: IA-2

GLBA: On Hold

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.5,12.5.3

4.73.3 Standard

Group accounts will not be used. All exceptions must be approved by the CSO.

4.74 Identiﬁcation and Authentication (Organizational Users)

4.74.1 Standard Owner: Tech Services

4.74.2 Standard References

NIST: IA-2

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.2.6

4.74.3 Standard

To the extent practicable, all new user accounts will have a randomly generated ﬁrst time password.

4.75 Identiﬁcation and Authentication (Organizational Users)

4.75.1 Standard Owner: HR

4.75.2 Standard References

NIST: IA-2

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 8.5.1,12.5.3

4.75.3 Standard

Authentication credentials and methods will not be shared or revealed to others. Sharing an authentication method means the authorized user assumes responsibility for actions that another party takes with the disclosed method.

4.76 Identiﬁer Management

4.76.1 Standard Owner: Tech Services

4.76.2 Standard References

NIST: IA-4

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA: 164.308(a)(5)(ii)(D), 164.312(a)(2)(i), 164.312(d)

PCI-DSS: 12.5.3

4.76.3 Standard

User IDs will be unique to individuals.

4.77 Authenticator Management

4.77.1 Standard Owner: Tech Services

4.77.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.6

4.77.3 Standard

Where practicable, initial use of an account, a password reset will be required. For this password reset, the user will be authenticated by a combination of unique information provided by the individual and information provided by Clarkson University

4.78 Authenticator Management

4.78.1 Standard Owner: Tech Services

4.78.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS:

Standard

User IDs and passwords will never be distributed in the same communication

4.79 Authenticator Management

4.79.1 Standard Owner: Tech Services

4.79.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.2

4.79.3 Standard

A formal, documented process for authenticating identities will exist for users needing a password reset

4.80 Authenticator Management

4.80.1 Standard Owner: Tech Services

4.80.2 Standard References

NIST: IA-5

GLBA: On Hold

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.4

4.80.3 Standard

Passwords will be changed every 180 days. Accounts used to process, transmit, or store credit cardholder data will be changed every 60 days.

4.81 Authenticator Management

4.81.1 Standard Owner: Tech Services

4.81.2 Standard References

NIST: IA-5

GLBA: Draft

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.5

4.81.3 Standard

Passwords will not be allowed to be re-used based on the previous 20 passwords which were used prior to the password reset.

4.82 Authenticator Management

4.82.1 Standard Owner: Tech Services

4.82.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.3

4.82.3 Standard

Passwords will conform to a minimal complexity standard. That standard mandates a mix of numeric, alphabetical, and special characters. Passwords will be a minimum length of 10 characters

4.83 Authenticator Management

4.83.1 Standard Owner: Tech Services

4.83.2 Standard References

NIST: IA-5

GLBA: Eﬀective

ISO27001: A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS: 8.2.3

4.83.3 Standard

Passwords will not be based on something that can be easily guessed or obtained using personal information (e.g., names, favorite sports team, etc.)

4.84 Authenticator Feedback

4.84.1 Standard Owner: Tech Services

4.84.2 Standard References

NIST: IA-6

GLBA: Eﬀective

ISO27001: A.9.4.2

HIPAA: 164.308(a)(5)(ii)(D)

PCI-DSS:

4.84.3 Standard

All password and PIN based authentication systems will be masked, suppressed, or otherwise obscured so that unauthorized persons are not able to observe them

4.85 Cryptographic Module Authentication

4.85.1 Standard Owner: Tech Services

4.85.2 Standard References

NIST: IA-7

GLBA: Eﬀective

ISO27001: A.18.1.5 HIPAA: 164.308(a)(5)(ii)(D) PCI-DSS: 8.2.1

4.85.3 Standard

Passwords will be encrypted, in storage, using a one-way encryption algorithm.

4.86 Identiﬁcation and Authentication (Non- Organizational Users)

4.86.1 Standard Owner: Tech Services

4.86.2 Standard References

NIST: IA-8

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA:

PCI-DSS: 8.2.1

4.86.3 Standard

Methods (e.g., password or PIN) for authentication to organization information systems will not be built into logon scripts.

4.87 Identiﬁcation and Authentication (Non- Organizational Users)

4.87.1 Standard Owner: Tech Services

4.87.2 Standard References

NIST: IA-8

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA:

PCI-DSS: 2.1, 2.5

4.87.3 Standard

Vendor provided default accounts will be changed.

4.88 Identiﬁcation and Authentication (Non- Organizational Users)

4.88.1 Standard Owner: Tech Services

4.88.2 Standard References

NIST: IA-8

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA:

PCI-DSS: 8.1.5

4.88.3 Standard

Guest access will be limited to minimal functions to bridge the need for a secure environment with the need to provide courtesy services to visitors.

4.89 Identiﬁcation and Authentication (Non- Organizational Users)

4.89.1 Standard Owner: Tech Services

4.89.2 Standard References

NIST: IA-8

GLBA: Eﬀective

ISO27001: A.9.2.1

HIPAA:

PCI-DSS: 8.1.5.12.5.3

4.89.3 Standard

Where possible, guest accounts will not be created.

4.90 Service Identiﬁcation and Authentication

4.90.1 Standard Owner: Tech Services

4.90.2 Standard References

NIST: IA-9

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS:

4.90.3 Standard

Service accounts will be requested and provisioned via the Access Control Procedure.

4.91 Adaptive Identiﬁcation and Authentication

4.91.1 Standard Owner: Tech Services

4.91.2 Standard References

NIST: IA-10

GLBA: Validate GDPR: ISO27001: -- HIPAA:

PCI-DSS: 8.1.5, 8.3

4.91.3 Standard

Two-factor authentication is required for:

Where supported by the system, all Privileged User access
All use of the VPN
All remote access to systems processing credit card information (PCI-DSS Requirement)

4.92 Policy & Procedures

4.92.1 Standard Owner: Information Security

4.92.2 Standard References

NIST: IR-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(6)(i)

PCI-DSS: 11.1.2,12.1,12.1.1,12.5.3 12.10.1

4.92.3 Standard

The organization will:

Develop, document, and disseminate incident response standards and an incident response plan that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and
Develop and document a process for escalating reported incidents (e.g., automated, non-automated, service providers) in accordance with the Incident Response Plan
Develop procedures to facilitate the implementation of these
Review and update this policy and associated procedures, at a minimum,

4.93 Information Security

4.93.1 Standard Owner: Information Security

4.93.2 Standard References

NIST: IR-2

GLBA: On Hold

ISO27001: A.7.2.2* HIPAA: 164.308(a)(6)(i) PCI-DSS: 12.10.4

4.93.3 Standard

Regular training and awareness will be provided for organization workforce members who have been assigned a role in the Incident Response Plan or Incident Response Procedures

4.94 Incident Response Plan Testing

4.94.1 Standard Owner: Information Security

4.94.2 Standard References

NIST: IR-3

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(6)(i)

PCI-DSS: 12.10.2

4.94.3 Standard

The Incident Response Plan and Incident Response Procedures will be tested annually.

4.95 SIRT: authority to operate

4.95.1 Standard Owner: Information Security

4.95.2 Standard References

NIST: IR-4

GLBA: Eﬀective

ISO27001: A.16.1.4, A.16.1.5, A.16.1.6

HIPAA: 164.308(a)(6)(ii)

PCI-DSS: 11.1.2

4.95.3 Standard

When responding to an incident, the Security Incident Response Team (SIRT) will take all appropriate actions to ensure that the conﬁdentiality, integrity, and availability of organization information systems has not been compromised. Such actions can include, but are not limited to, temporarily removing an information system from the organization network, or blocking the building in which the incident occurred, requesting access to an information system or viewing data.

4.96 Monitoring & tracking incidents

4.96.1 Standard Owner: Information Security

4.96.2 Standard References

NIST: IR-5

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)

PCI-DSS: 12.10.6

4.96.3 Standard

The organization will have mechanisms for quantifying and monitoring the types, volumes and costs of security incidents. This information should be used to identify the need for improved or additional security controls

4.97 Security event escalation

4.97.1 Standard Owner: Information Security

4.97.2 Standard References

NIST: IR-6

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)

PCI-DSS: 11.1.2

4.97.3 Standard

Security events identiﬁed through logging and monitoring services will be escalated in accordance with Incident Response Procedures

4.98 Response to alarms

4.98.1 Standard Owner: Information Security

4.98.2 Standard References

NIST: IR-6

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii), 164.314(a)(2)(i)

PCI-DSS: 12.10.5

4.98.3 Standard

Incident Response Procedures will address the occurrence of alarms and appropriate escalation.

4.99 Compromised credentials

4.99.1 Standard Owner: Information Security

4.99.2 Standard References

NIST: IR-6

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1 A.18.1.1, A.18.2.3

HIPAA: 164.308(a)(1)(ii)(D), 164.308(a)(6)(ii)

PCI-DSS: 12.10, 12.10.1

4.99.3 Standard

The loss, theft, or inappropriate use of organization access credentials (e.g., passwords, FOBs or security tokens), assets (e.g., laptop, cell phones), or information will be reported to the IT Help Desk

4.100 Security Incident Response Plan (SIRP)

4.100.1 Standard Owner: Information Security

4.100.2 Standard References

NIST: IR-8

GLBA: Eﬀective

ISO27001: A.16.1.1

HIPAA:

PCI-DSS: 11.1.2, 12.10, 12.10.1, 12.10.3

4.100.3 Standard

The organization will have a formal, documented process for quickly and eﬀectively detecting and responding to security incidents that may impact the conﬁdentiality, integrity, or availability of organization information systems. At a minimum, the process will include the following:

A security incident response team (SIRT), whose membership may vary depending on the security

Formal procedure enabling organization workforce members to report a security incident to appropriate persons including potential reporting to the organization Security Oﬃcer.
Formal process for analyzing and identifying the cause(s) of a security
References to emergency access procedures
Formal process for activation of the
Formal procedure for communication with all organization workforce members aﬀected by or responding to a security incident.
Formal procedure for collecting evidence of a security
Formal mechanisms for evaluating security incidents and implementing appropriate mitigations to prevent further recurrence.
Data breach protocols
Quantifying incident types and frequency
Designating speciﬁc personnel who receive alerts on a 24/7 basis

4.101 Information Security

4.101.1 Standard Owner: Information Security

4.101.2 Standard References

NIST: IR-9

GLBA: On Hold

ISO27001: --

HIPAA:

PCI-DSS:

4.101.3 Standard

Standard templates for breach notiﬁcation will be developed and maintained.

4.102 SIRT membership roster

4.102.1 Standard Owner: Information Security

4.102.2 Standard References

NIST: IR-10

GLBA: Eﬀective

ISO27001: --

HIPAA:

PCI-DSS: 12.1,12.1.1,12.10.1

4.102.3 Standard

The SIRT will be deﬁned in the Incident Response Plan, and updated at a minimum, annually.

4.103 System Maintenance Policy and Procedures

4.103.1 Standard Owner: IT

4.103.2 Standard References

NIST: MA-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(a)(2)(iv)

PCI-DSS: 12.1, 12.1.1

4.103.3 Standard

The organization will:

Develop, document, and disseminate maintenance standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.104 Controlled Maintenance

4.104.1 Standard Owner: IT

4.104.2 Standard References

NIST: MA-2

GLBA: Eﬀective

ISO27001: A.11.2.4*, A.11.2.5*

HIPAA: 164.310(a)(2)(iv)

PCI-DSS:

4.104.3 Standard

System Maintenance will be done in the safest method possible. If it requires bringing a system down to avoid an accidental crash, that is the method which will be used

4.105 Controlled Maintenance

4.105.1 Standard Owner: Facilities; | IT |

4.105.2 Standard References

NIST: MA-2

GLBA: Eﬀective

ISO27001: A.11.2.4*, A.11.2.5*

HIPAA: 164.310(a)(2)(iv)

PCI-DSS:

4.105.3 Standard

The organization will document all repairs and modiﬁcations to the physical components of its facilities that are related to security of Non-public Information. Physical components include, but are not limited to, automated physical access systems, locks, doors and walls.

4.106 Maintenance Personnel

4.106.1 Standard Owner: IT

4.106.2 Standard References

NIST: MA-5

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(3)(ii)(A)

PCI-DSS: 9.4.1

4.106.3 Standard

When being performed by external vendors, maintenance personnel will be escorted into the location where the work is to be performed and monitored while the work is being performed

4.107 Timely Maintenance

4.107.1 Standard Owner: IT

4.107.2 Standard References

NIST: MA-6

GLBA: Eﬀective

ISO27001: A.11.2.4 HIPAA: 164.310(a)(2)(iv) PCI-DSS:

4.107.3 Standard

Where possible and cost-eﬀective, replacement parts will be kept on site for faster remediation (such as hard drives)

4.108 Timely Maintenance

4.108.1 Standard Owner: Facilities; | IT |

4.108.2 Standard References

NIST: MA-6

GLBA: Eﬀective

ISO27001: A.11.2.4 HIPAA: 164.310(a)(2)(iv) PCI-DSS:

4.108.3 Standard

Malfunctioning alarms will be repaired within 5 business days or as soon as possible, based on the determination of their malfunction.

4.109 Media Protection Policy and Procedures

4.109.1 Standard Owner: Information Technology

4.109.2 Standard References

NIST: MP-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(d)(1)

PCI-DSS: 12.1, 12.1.1

4.109.3 Standard

The organization will

Develop, document, and disseminate media protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards and associated procedures, at a minimum,

4.110 Media Access

4.110.1 Standard Owner: Information Technology

4.110.2 Standard References

NIST: MP-2

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.308(a)(3)(ii)(A) , 164.310(c), 164.310(d)(1), 164.312(c)(1)

PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5

4.110.3 Standard

It is prohibited to store any information that is not Clarkson-Public on home computers or personal devices.

4.111 Media Marking

4.111.1 Standard Owner: Information Technology

4.111.2 Standard References

NIST: MP-3

GLBA: On Hold

ISO27001: A.8.2.2

HIPAA: 164.310(c), 164.310(d)(1)

PCI-DSS: 9.6.1

4.111.3 Standard

All organization information will be classiﬁed and marked in accordance with the Data Classiﬁcation Policy

4.112 Media Storage

4.112.1 Standard Owner: Information Technology

4.112.2 Standard References

NIST: MP-4

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS: 3.1,4.2

4.112.3 Standard

The writing or storage of information classiﬁed as 'Clarson Private' on personal-liable mobile devices (phones, tablets, USB drives) and removable media is prohibited.

4.113 Media Storage

4.113.1 Standard Owner: Information Technology

4.113.2 Standard References

NIST: MP-4

GLBA: On Hold

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS:

4.113.3 Standard

Workstations (laptops and desktops) that store Non-Public Information will be encrypted using a pre-boot, full disk conﬁguration

4.114 Media Storage

4.114.1 Standard Owner: Finance | Compliance

4.114.2 Standard References

NIST: MP-4

GLBA: Validate

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5

4.114.3 Standard

Storing electronic cardholder information is prohibited. This includes:

Any information on the front of the credit card (or PAN)
Sensitive authentication data (during credit cardholder processing)
Any contents of any track on a credit card (the magnetic stripe)
The card veriﬁcation code (CVV/CID)
Personal Identiﬁcation Numbers (PINs)

4.115 Media Storage

4.115.1 Standard Owner: Finance

4.115.2 Standard References

NIST: MP-4

GLBA: Validate

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 9.5, 9.6, 9.8, 9.8.1

4.115.3 Standard

Storing of non-electronic cardholder data is permissible, provided the following exist:

Only the information on the front of the credit card (or PAN) is retained
The card veriﬁcation code on the back of the card is not retained (CVV/CID)
Personal Identiﬁcation Numbers (PINs) are not retained
Retention schedules have been deﬁned and documented
A documented process for destroying non-electronic information is being followed and compliant with Data Destruction Procedures
Information has appropriate physical safeguards in place

4.116 Media Storage

4.116.1 Standard Owner: Information Technology |

4.116.2 Standard References

NIST: MP-4

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS: 3.1

4.116.3 Standard

The retention period for backups of Non-Clarkson-Public Information will be deﬁned and documented in accordance with state, federal, and other regulatory requirements

4.117 Media Storage

4.117.1 Standard Owner: Information Technology |

4.117.2 Standard References

NIST: MP-4

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.11.2.9

HIPAA: 164.310(c), 164.310(d)(1), 164.310(d)(2)(iv)

PCI-DSS: 9.5,9.5.1

4.117.3 Standard

All backups of electronic Non-Public Information, in storage, will be encrypted. All backups of non-electronic Non-Public Information, in storage, will be physically secured.

4.118 Media Transport

4.118.1 Standard Owner: Information Technology |

4.118.2 Standard References

NIST: MP-5

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS: 4.2

4.118.3 Standard

Transmission of Non-Clarkson-Public Information by non-corporate messaging technologies (for example, personal e-mail, instant messaging, SMS, chat, etc.) is prohibited.

4.119 Media Transport

4.119.1 Standard Owner: Information Technology |

4.119.2 Standard References

NIST: MP-5

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS:

4.119.3 Standard

Removable media used for backups will be kept secure while in transit

4.120 Media Transport

4.120.1 Standard Owner: Information Technology |

4.120.2 Standard References

NIST: MP-5

GLBA: On Hold

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS: 9.6.3

4.120.3 Standard

All movement of organization information systems and media containing Non-Public Information into and out the facilities must be authorized

4.121 Media Transport

4.121.1 Standard Owner: Information Technology |

4.121.2 Standard References

NIST: MP-5

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS: 9.6.2

4.121.3 Standard

All media containing Non-Clarkson-Public Information that will be mailed oﬀsite will be transported using a secure carrier or via an encrypted device.

4.122 Media Transport

4.122.1 Standard Owner: Information Technology |

4.122.2 Standard References

NIST: MP-5

GLBA: On Hold

ISO27001: A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.5, A.11.2.6

HIPAA: 164.310(d)(1), 164.310(d)(2)(iii), 164.312(c)(1)

PCI-DSS: 9.6.3

4.122.3 Standard

Only authorized roles may approve distribution, or receipt of any information system or media containing Non-Public Information outside organization’s premises. Such authorization will be tracked and logged. At a minimum, such tracking and logging will provide the following information:

Date and time of movement of system or media
Brief description of person using or sending Non-Public Information on system or media
Brief description of where Non-Public Information is to be sent or how used
Name of person authorizing such transaction

4.123 Media Sanitization

4.123.1 Standard Owner: Information Technology |

4.123.2 Standard References

NIST: MP-6

GLBA: Draft

ISO27001: A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7

HIPAA: 164.310(d)(1), 164.310(d)(2)(i), 164.310(d)(2)(ii)

PCI-DSS: 3.1, 9.8, 9.8.1, 9.8.2

4.123.3 Standard

All Non-Public Information must be destroyed in a manner compliant with NIST 800-88 or utilizing a NAID certiﬁed supplier. Documented procedures for destroying Non-Public Information must address:

The destruction of data when storage media is end-of-life or has failed
When retention schedules have been met

4.124 Media Use

4.124.1 Standard Owner: Information Technology |

4.124.2 Standard References

NIST: MP-7

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1

HIPAA:

PCI-DSS: 3.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.4, 3.4.1, 3.5, 9.5

4.124.3 Standard

Whenever practical, all workforce members and service providers will use approved workstations or devices to access organizational data, systems, or networks.

4.125 Media Use

4.125.1 Standard Owner: Information Technology |

4.125.2 Standard References

NIST: MP-7

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1

HIPAA:

PCI-DSS:

4.125.3 Standard

All workforce members who use organization workstations will take all reasonable precautions to protect the conﬁdentiality, integrity, and availability of Non-Public Information contained on the workstations

4.126 Media Use

4.126.1 Standard Owner: Information Technology |

4.126.2 Standard References

NIST: MP-7

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1

HIPAA:

PCI-DSS:

4.126.3 Standard

Workforce members will not use organization workstations to engage in any activity that is either illegal under local, state, federal, or international law or is in violation of organization policy

4.127 Media Use

4.127.1 Standard Owner: Information Technology |

4.127.2 Standard References

NIST: MP-7

GLBA: On Hold

ISO27001: A.8.2.3, A.8.3.1

HIPAA:

PCI-DSS:

4.127.3 Standard

Organization employees and aﬃliates who authorize the movement of electronic media, non-public information, or information systems containing Non-Public Information are responsible for the subsequent use of such items and will take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized access

4.128 Media Use

4.128.1 Standard Owner: Information Technology |

4.128.2 Standard References

NIST: MP-7

GLBA: On Hold

ISO27001: A.8.2.3, A.8.3.1

HIPAA:

PCI-DSS:

4.128.3 Standard

Organization workstations will be used only for authorized business purposes. Such use demonstrates respect for intellectual property, ownership of data, security controls, and individuals' rights to privacy.

4.129 Media Use

4.129.1 Standard Owner: Finance

4.129.2 Standard References

NIST: MP-7

GLBA: Eﬀective

ISO27001: A.8.2.3, A.8.3.1

HIPAA:

PCI-DSS: 3.3

4.129.3 Standard

Credit cardholder data (the PAN) must be masked when displayed (the ﬁrst six and last four digits are all that can be displayed).

4.130 Personnel Security Policy and Procedures

4.130.1 Standard Owner: HR

4.130.2 Standard References

NIST: PS-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C)

PCI-DSS: 12.1, 12.1.1

4.130.3 Standard

The organization will:

Develop, document, and disseminate personnel security standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of these
Review and update these standards on a one-year
Review and update these procedures, as-needed.

4.131 Position Risk Designation

4.131.1 Standard Owner: HR

4.131.2 Standard References

NIST: PS-2

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(3)(ii)(B)

PCI-DSS:

4.131.3 Standard

The organization will assign a Risk Designation to all departments.

4.132 Position Risk Designation

4.132.1 Standard Owner: HR

4.132.2 Standard References

NIST: PS-2

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.308(a)(3)(ii)(B)

PCI-DSS: 12.6.2, 12.7

4.132.3 Standard

When deﬁning a position, the organization human resources department and the hiring manager will assign a Risk Designation and identify the security responsibilities and supervision required for the position. Security responsibilities include general responsibilities for implementing or maintaining security, as well as any speciﬁc responsibilities for the protection of the conﬁdentiality, integrity, or availability of organization information systems or processes

4.133 Personnel Screening

4.133.1 Standard Owner: HR

4.133.2 Standard References

NIST: PS-3

GLBA: On Hold

ISO27001: A.7.1.1

HIPAA:

PCI-DSS: 12.6.2

4.133.3 Standard

Based on risk designation, workforce members will be properly screened, trained, and acknowledge compliance with policies, procedures, and agreements prior to obtaining access to organization Non-Public Information or organization secure areas.

4.134 Personnel Screening

4.134.1 Standard Owner: HR

4.134.2 Standard References

NIST: PS-3

GLBA: Eﬀective

ISO27001: A.7.1.1

HIPAA: 164.308(a)(3)(ii)(B)

PCI-DSS: 12.7

4.134.3 Standard

Background veriﬁcation checks will be performed on employees and contractors prior to accessing protected or sensitive information. Background checks will be carried out in accordance with relevant laws, regulations, company policies, and ethics. The extent and type of screening will be based on Risk Designation. This includes:

Veriﬁcation of legal authority to work in the United States,
Review of an individual record of criminal conviction history in all counties for all addresses provided in which the individual resided or worked for more than 30 days within the past seven years to ensure personnel have not been convicted of

a felony oﬀense within the past seven (7) years; or
any misdemeanor related to violent crimes, property oﬀense, substance abuse, or fraud. Criminal conviction history checks include a review of all federal, state and local criminal conviction records; and
- Veriﬁcation that no personnel are listed on the Oﬃce of Inspector General (OIG) sanction and disqualiﬁcation Background veriﬁcation checks will also be performed prior to employee change in status, when necessary.

(Note: For purposes of these guidelines, the term “Criminal Conviction” includes probation, deferred adjudication and no contest pleas.

4.135 Personnel Termination

4.135.1 Standard Owner: HR

4.135.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS: 8.1.3

4.135.3 Standard

When workforce members provide advance notice of their intention to leave organization employment, the human resources department and the immediate manager will give notice to the persons or departments responsible for organization information system privileges granted the departing workforce member. Receipt and response to such notices will be tracked and logged. At a minimum, such tracking and logging will provide the following information:

Date and time notice of employee departure received
Date of planned employee departure
Brief description of access to be terminated
Date, time, and description of actions taken

4.136 Personnel Termination

4.136.1 Standard Owner: HR

4.136.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS: 9.2

4.136.3 Standard

When workforce members depart from organization, they will return all organization supplied equipment by the time of departure. Such equipment includes, but is not limited to:

Assigned computing assets
Name tags or name identiﬁcation badges Building, desk or oﬃce keys
Access cards
Security tokens

4.137 Personnel Termination

4.137.1 Standard Owner: HR

4.137.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS:

4.137.3 Standard

The return of all equipment will be tracked and logged. At a minimum, such tracking and logging will provide the following information:

Date and time
Work force member’s name
Brief description of returned items

4.138 Personnel Termination

4.138.1 Standard Owner: HR

4.138.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS:

4.138.3 Standard

If a departing workforce member has used cryptography on organization data, they will make the cryptographic keys available to appropriate management

4.139 Personnel Termination

4.139.1 Standard Owner: HR

4.139.2 Standard References

NIST: PS-4

GLBA: Eﬀective

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS: 7.1,7.1.2,7.1.3,8.1.3

4.139.3 Standard

When the employment of organization workforce members or service provider ends, accounts granting access to organization information will be disabled within 24 hours of leaving employment for staﬀ and 90 days of leaving employment for faculty.

4.140 Personnel Termination

4.140.1 Standard Owner: HR

4.140.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS:

4.140.3 Standard

Separation agreements, acknowledging a terminated workforce members responsibilities for not retaining, distributing, or removing from organization premises any organization information will be signed by terminated employees

4.141 Personnel Termination

4.141.1 Standard Owner: HR

4.141.2 Standard References

NIST: PS-4

GLBA: Validate

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS:

4.141.3 Standard

When organization workforce members’ employment ends, their computers’ resident ﬁles will be promptly reviewed by their immediate supervisors to determine the appropriate transfer or disposal of any Non-Public Information

4.142 Personnel Transfer

4.142.1 Standard Owner: HR

4.142.2 Standard References

NIST: PS-5

GLBA: Eﬀective

ISO27001: A.7.3.1, A.8.1.4

HIPAA: 164.308(a)(3)(ii)(C)

PCI-DSS: 7.1,7.1.2,7.1.3,8.1.3

4.142.3 Standard

HR will notify IT and Facilities when workforce have transferred to new job roles or function. Access reviews will be performed to conﬁrm ongoing operational need for current logical and physical access.

4.143 Access Agreements

4.143.1 Standard Owner: HR

4.143.2 Standard References

NIST: PS-6

GLBA: Eﬀective

ISO27001: A.7.1.2, A.7.2.1, A.13.2.4

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(B), 164.310(d)(2)(iii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 4.2

4.143.3 Standard

All users will agree to the Acceptable Use Policy as a condition for access to the organization's systems.

4.144 Access Agreements

4.144.1 Standard Owner: HR

4.144.2 Standard References

NIST: PS-6

GLBA: Eﬀective

ISO27001: A.7.1.2, A.7.2.1, A.13.2.4

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(3)(ii)(B), 164.308(a)(4)(ii)(B), 164.310(d)(2)(iii), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 4.2

4.144.3 Standard

Where deemed by management, all organization employees will sign a “conditions of employment” document that aﬃrms their responsibility for the protection of the conﬁdentiality, integrity, or availability of organization information systems and processes. The document will include the sanctions that may be applied if employees do not meet their responsibilities

4.145 Third-Party Personnel Security

4.145.1 Standard Owner: HR

4.145.2 Standard References

NIST: PS-7

GLBA: Eﬀective

ISO27001: A.6.1.1*, A.7.2.1*

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 12.8.2,12.8.3,12.8.4,12.8.5

4.145.3 Standard

When job candidates are provided via an agency, organization contract with the agency will clearly state the agency’s responsibilities for reviewing the candidates’ backgrounds

4.146 Third-Party Personnel Security

4.146.1 Standard Owner: HR

4.146.2 Standard References

NIST: PS-7

GLBA: Eﬀective

ISO27001: A.6.1.1*, A.7.2.1*

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 12.8.2,12.8.3,12.8.4,12.8.5

4.146.3 Standard

All contracts with staﬃng agencies who will access, process, or transmit Non-Public Information or have reasonable access to Non-Public Information will clearly state the service provider’s responsibilities for reviewing the candidates backgrounds

4.147 Third-Party Personnel Security

4.147.1 Standard Owner: HR

4.147.2 Standard References

NIST: PS-7

GLBA: Eﬀective

ISO27001: A.6.1.1*, A.7.2.1*

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 4.2,12.8.2

4.147.3 Standard

All organization workforce members who access organization information systems containing Non-Public Information will sign a conﬁdentiality agreement in which they agree not to provide Non-Public Information or to discuss Non-Public Information to which they have access to unauthorized persons. Conﬁdentiality agreements will be reviewed and signed annually by organization workforce members who access organization information systems containing Non-Public Information.

4.148 Third-Party Personnel Security

4.148.1 Standard Owner: Compliance

4.148.2 Standard References

NIST: PS-7

GLBA: Draft

ISO27001: A.6.1.1*, A.7.2.1*

HIPAA: 164.308(a)(3)(ii)(A), 164.308(a)(4)(ii)(B), 164.308(b)(1), 164.314(a)(1), 164.314(a)(2)(i), 164.314(a)(2)(ii)

PCI-DSS: 12.8.2

4.148.3 Standard

If a service provider handles organization Non-Public Information and has any change to its policies and standards or cannot comply with organization policies and standards, that party will notify the organization.

4.149 Personnel Sanctions

4.149.1 Standard Owner: HR

4.149.2 Standard References

NIST: PS-8

GLBA: Eﬀective

ISO27001: A.7.2.3

HIPAA: 164.308(a)(1)(ii)

PCI-DSS: 4.2,12.8.2

4.149.3 Standard

Organization workforce members will comply with all applicable security standards and procedures. Failure to comply with these policies, may result in implementation of progressive discipline process.

4.150 Personnel Sanctions

4.150.1 Standard Owner: HR

4.150.2 Standard References

NIST: PS-8

GLBA: Eﬀective

ISO27001: A.7.2.3

HIPAA:

PCI-DSS: 4.2

4.150.3 Standard

The organization will have a formal, documented sanctions process for applying appropriate sanctions against workforce members who do not comply with its security policies and procedures. At a minimum, the process will include:

Procedures for detecting and reporting workforce members’ non-compliance with organization security policies and
Identiﬁcation and deﬁnition of levels of sanctions, including their relative
Identiﬁcation of cause and rationale for issuing of

A deﬁned, formal method for evaluating the severity of non-compliance with the organization’s security policies and procedures

4.151 Personnel Sanctions

4.151.1 Standard Owner: HR

4.151.2 Standard References

NIST: PS-8

GLBA: Eﬀective

ISO27001: A.7.2.3

HIPAA:

PCI-DSS: 4.2

4.151.3 Standard

Sanctions can include but are not limited to:

Suspension
Required retraining
Letter of reprimand
Termination

4.152 Physical and Environmental Protection Policy and Procedures

4.152.1 Standard Owner: IT; | Safety Team

4.152.2 Standard References

NIST: PE-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)

PCI-DSS: 12.1, 12.1.1

4.152.3 Standard

The organization will:

Develop, document, and disseminate physical and environmental protection standards that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and
Develop procedures to facilitate the implementation of this
Review and update this policy and associated procedures, at a minimum,
Implement appropriate property signage; placement will be in compliance with local

4.153 Physical and Environmental Protection Policy and Procedures

4.153.1 Standard Owner: Facilities

4.153.2 Standard References

NIST: PE-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)

PCI-DSS:

4.153.3 Standard

The level of physical protection provided for organization information systems containing Non-public Information will be commensurate with that of identiﬁed risks

4.154 Physical and Environmental Protection Policy and Procedures

4.154.1 Standard Owner: Facilities

4.154.2 Standard References

NIST: PE-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)

PCI-DSS:

4.154.3 Standard

Fire escapes and ladders will be accessible for exit during an emergency where applicable.

4.155 Physical and Environmental Protection Policy and Procedures

4.155.1 Standard Owner: Information Security

4.155.2 Standard References

NIST: PE-1

GLBA: Eﬀective

ISO27001: A.5.1.1, A.5.1.2, A.6.1.1, A.12.1.1, A.18.1.1, A.18.2.2

HIPAA: 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii)

PCI-DSS:

4.155.3 Standard

Doors connected to the access control system and all emergency exits will be equipped with automatic closers, designed so the door will secure itself after being opened. Doors will not be propped open or equipped with a device, such as a doorstop, that would enable the door to be propped open

4.156 Physical Access Authorizations

4.156.1 Standard Owner: Information Security

4.156.2 Standard References

NIST: PE-2

GLBA: Eﬀective

ISO27001: A.11.1.2* HIPAA: 164.310(a)(1) PCI-DSS:

4.156.3 Standard

A list of those who have access to organization equipment (facilities that house information systems, or the systems themselves) will be developed and maintained internally and shared with FSI Committee. This list will be regularly reviewed, especially after any terminations.

4.157 Physical Access Authorizations

4.157.1 Standard Owner: Information Security

4.157.2 Standard References

NIST: PE-2

GLBA: Eﬀective

ISO27001: A.11.1.2*

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii)

PCI-DSS: 9.1

4.157.3 Standard

All access to organization data centers will:

Be tracked and reviewed Director of Network Services and Information Security
Have access requests documented and retained for audit (1 year minimum)
Be revoked promptly upon termination, or on notice of lengthy absence

4.158 Physical Access Control

4.158.1 Standard Owner: IT

4.158.2 Standard References

NIST: PE-3

GLBA: Eﬀective

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS: 8.6, 9.2, 9.3

4.158.3 Standard

Organization workforce members will be issued ID cards compatible with the campus access security system. These ID cards will be deactivated upon termination or as necessary.

4.159 Physical Access Control

4.159.1 Standard Owner: IT

4.159.2 Standard References

NIST: PE-3

GLBA: Eﬀective

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS:

4.159.3 Standard

Organization workforce members will activate their workstation locking software whenever they leave their workstation unattended. Organization workforce members will log oﬀ from or lock their workstation(s).

4.160 Physical Access Control

4.160.1 Standard Owner: IT

4.160.2 Standard References

NIST: PE-3

GLBA: Eﬀective

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS:

4.160.3 Standard

Mobile devices that access Non-public Information will be physically secured when not in use and located to minimize the risk of unauthorized access.

4.161 Physical Access Control

4.161.1 Standard Owner: IT

4.161.2 Standard References

NIST: PE-3

GLBA: On Hold

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS:

4.161.3 Standard

Reasonable measures to prevent viewing Non-public Information on workstations by unauthorized persons will be employed commensurate with identiﬁed risks. Such measures include but are not limited to:

Locating workstations and peripheral devices (printer, modem, scanner, ) in secured areas not accessible to unauthorized persons.
Positioning monitors or shielding workstations so that data shown on the screen is not visible to unauthorized

4.162 Physical Access Control

4.162.1 Standard Owner: IT

4.162.2 Standard References

NIST: PE-3

GLBA: Eﬀective

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS: 9.1

4.162.3 Standard

All information systems that store Non-public Information or information that is critical to the organization will be located in the organization’s data centers, or other approved location.

4.163 Physical Access Control

4.163.1 Standard Owner: IT

4.163.2 Standard References

NIST: PE-3

GLBA: Eﬀective

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS:

4.163.3 Standard

All organization-provided portable workstations will be securely maintained when in the possession of workforce members. Where possible, such workstations will be handled as carry-on (hand) baggage on public transport. They will be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile) when not in use.

4.164 Physical Access Control

4.164.1 Standard Owner: Facilities; | IT |

4.164.2 Standard References

NIST: PE-3

GLBA: Eﬀective

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS:

4.164.3 Standard

Individuals will inform the issuer when a key or ClarksonID card is lost or stolen. Individuals will return all keys to the issuer when the keys are no longer needed

4.165 Physical Access Control

4.165.1 Standard Owner: IT

4.165.2 Standard References

NIST: PE-3

GLBA: Eﬀective

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS: 9.1

4.165.3 Standard

Physical access to datacenters will have limited and controlled access and will be enforced by authorized proximity (Clarkson ID) cards.

4.166 Physical Access Control

4.166.1 Standard Owner: Information Security

4.166.2 Standard References

NIST: PE-3

GLBA: On Hold

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS:

4.166.3 Standard

A hardcopy diagram or chart of the facility will be prepared and kept up to date. The diagram will show the various alarm points and their locations throughout the facility

4.167 Physical Access Control

4.167.1 Standard Owner: Facilities

4.167.2 Standard References

NIST: PE-3

GLBA: Eﬀective

ISO27001: A.11.1.1, A.11.1.2, A.11.1.3

HIPAA: 164.310(a)(1), 164.310(a)(2)(iii), 164.310(b), 164.310(c)

PCI-DSS:

4.167.3 Standard

Organization delivery and loading areas will be controlled to prevent unauthorized access. Where possible, the following controls will be used:

Access to a holding area from outside of the building will be restricted to identiﬁed and authorized
The holding area will be designed so that supplies can be unloaded without delivery staﬀ gaining access to other parts of the building.
The external door(s) of a holding area will be secured when the internal door is

4.168 Access Control for Transmission Medium

4.168.1 Standard Owner: IT

4.168.2 Standard References

NIST: PE-4

GLBA: Eﬀective

ISO27001: A.11.1.2, A.11.2.3

HIPAA: 164.310(a)(1), 164.310(c)

PCI-DSS: 9.1.3

4.168.3 Standard

Where possible, data connections to the server rooms or communication closets will be secured as much as possible. Tap points will be keyed to minimize access.

4.169 Access Control for Output Devices

4.169.1 Standard Owner: IT

4.169.2 Standard References

NIST: PE-4

GLBA: Eﬀective

ISO27001: A.11.1.2, A.11.2.3

HIPAA: 164.310(a)(1), 164.310(c)

PCI-DSS: 9.1.2

4.169.3 Standard

Where possible, physical access to publicly accessible network jacks will be restricted.

4.170 Access Control for Output Devices

4.170.1 Standard Owner: IT

4.170.2 Standard References

NIST: PE-5

GLBA: Eﬀective

ISO27001: A.11.1.2, A.11.2.3

HIPAA: 164.310(a)(1), 164.310(b), 164.310(c)

PCI-DSS: 9.5, 9.6

4.170.3 Standard

Printers and other output devices which produce sensitive data will be located in secured or monitored areas and printed output will be picked up as soon as possible, to the extent practicable.

4.171 Monitoring Physical Access

4.171.1 Standard Owner: Information Security

4.171.2 Standard References

NIST: PE-6

GLBA: On Hold

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS: 9.5,9.6.3

4.171.3 Standard

Equipment used to store, process or transmit non-public information (not including mobile devices and removable media) will not be taken oﬀ site without prior authorization by Information Security. An authorization procedure will be developed by Information Security should an exception be required.

4.172 Monitoring Physical Access

4.172.1 Standard Owner: Facilities; | IT |

4.172.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.172.3 Standard

Any malfunction or break in an alarm connection will be automatically reported as a device trouble alarm. Alarms will be tested annually and the results of those tests documented and retained

4.173 Monitoring Physical Access

4.173.1 Standard Owner: Facilities; | IT |

4.173.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS: 9.1.1

4.173.3 Standard

Video cameras or access control mechanisms will be employed to record and review individual physical access to secure areas

4.174 Monitoring Physical Access

4.174.1 Standard Owner: Information Security

4.174.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS: 9.1.1

4.174.3 Standard

Where practicable, video collected on digital recorders will be retained for at least 30 days. When a security event that requires further investigation has been recorded, the video will be copied and secured while awaiting action by the CSO.

4.175 Monitoring Physical Access

4.175.1 Standard Owner: Information Security

4.175.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.175.3 Standard

Door-held-open alarms will be installed and monitored on all data center doors.

4.176 Monitoring Physical Access

4.176.1 Standard Owner: Information Security

4.176.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.176.3 Standard

All access to organization data centers will:

Be approved in writing by Director of Network Services and Information Security
Have access requests documented and retained for audit (1 year minimum)
Be reviewed annually by Director of Network Services and Information Security

4.177 Monitoring Physical Access

4.177.1 Standard Owner: Facilities

4.177.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.177.3 Standard

Vacant secure areas will be physically locked and periodically checked

4.178 Monitoring Physical Access

4.178.1 Standard Owner: Facilities

4.178.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.178.3 Standard

Where possible, workforce members will be informed if their work area is being monitored by security cameras. Cameras will not be used in areas where a reasonable expectation of privacy exists, such as locker rooms and rest rooms

4.179 Monitoring Physical Access

4.179.1 Standard Owner: Facilities

4.179.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

PCI-DSS:

4.179.3 Standard

Director of Campus Safety and Security and Director of Network Services and Information Security are authorized to perform the initial review of video recordings of any suspected security event involving non-security personnel. Further review of this recording will be authorized by the Director of Network Services and Information Security, as necessary.

4.180 Monitoring Physical Access

4.180.1 Standard Owner: Information Security; | Facilities

4.180.2 Standard References

NIST: PE-6

GLBA: Eﬀective

ISO27001: --

HIPAA: 164.310(a)(2)(iii)

OM 9.1.2 - Information Security Standards

1 Purpose

The Information Security Steering Committee of Clarkson University has adopted these information security Standards, which deﬁne the appropriate administrative, technical, and physical safeguards over sensitive information. These standards are designed to:

● Ensure that the safeguards adequately address the legal, regulatory, and mandatory requirements for information security;

● Provide adequate coverage of the recommended best practices spanning in the eighteen NIST Control Families; and

● Give a general assurance level that the conﬁdentiality, integrity, and availability of the University's assets will be upheld.

2 Scope

3 Roles & Responsibilities

● For administrative controls, the control owner will most likely oversee the execution of controls and possibly will be the implementor of the controls as well.

● For technical controls, the control owner is accountable, and may or may not choose to have IT implement the controls on their behalf.

● For physical controls, there will be a division of labor between the control owner and the facilities team.

4 Information Security Standards

4.1 Access Control Policy and Procedures

4.1.1 Standard Owner: Board, Senior Management, Information Technology

4.1.2 Standard References

GDPR:

4.1.3 Standard

4.2 Access Control Policy and Procedures

4.2.1 Standard Owner: Information Technology

4.2.2 Standard References

GLBA:

GDPR:

4.2.3 Standard

4.3 Account Management

4.3.1 Standard Owner: Information Technology

4.3.2 Standard References

GLBA:

GDPR:

4.3.3 Standard

4.4 Account Management

4.4.1 Standard Owner: Information Technology

4.4.2 Standard References

GDPR:

4.4.3 Standard

4.5 Account Management | Access Enforcement | Least Privilege

4.5.1 Standard Owner: Information Technology

4.5.2 Standard References

GDPR:

4.5.3 Standard

4.6 Access Enforcement

4.6.1 Standard Owner: Information Technology

4.6.2 Standard References

GDPR:

4.6.3 Standard

4.7 Access Enforcement | Least Privilege

4.7.1 Standard Owner: Information Technology

4.7.2 Standard References

GDPR:

4.7.3 Standard

4.8 Access Enforcement | Least Privilege

4.8.1 Standard Owner: Information Technology

4.8.2 Standard References

GDPR:

4.8.3 Standard

4.9 Information Flow Enforcement

4.9.1 Standard Owner: Information Technology

4.9.2 Standard References

GDPR:

PCI-DSS:

4.9.3 Standard

4.10 Separation of Duties

4.10.1 Standard Owner: Information Technology

4.10.2 Standard References

GDPR:

PCI-DSS:

4.10.3 Standard

4.11 Least Privilege

4.11.1 Standard Owner: Information Technology

4.11.2 Standard References

GDPR:

4.11.3 Standard

4.12 Unsuccessful Logon Attempts

4.12.1 Standard Owner: Information Technology

4.12.2 Standard References

GDPR:

HIPAA:

PCI-DSS:

4.12.3 Standard

4.13 Unsuccessful Logon Attempts

4.13.1 Standard Owner: Information Technology