Information Security Policy (Policy 92)

Approved By: President Cheryl Green


  1. Purpose

    Governors State University (“GovState” or the “University”) understands the value of information and data to its continued success. 

    GovState understands its responsibility to its students, faculty, staff, and community members to secure the data that it collects, stores, and processes. 

    GovState understands that fostering a security-minded culture and implementing sound, risk-informed controls will minimize risks from both internal and external threats that could cause operational, financial, and reputational harm to the University and ultimately compromise its ability to fulfill its mission. 

    GovState understands its responsibility to comply with regulatory, legal, and industry requirements concerning information security. 

    As such, this Policy establishes the University’s Information Security Program and outlines the security principles that demonstrate how it ensures the confidentiality, integrity, and availability of information and data that it stores, maintains, processes, or for which it is otherwise responsible. 

    The Information Security Program comprises the policies, standards, and procedures that describe the requirements and supporting controls needed to protect University data and systems and satisfy applicable regulatory and legal obligations. Information security requirements and controls shall be chosen based on the expertise of technical and security staff, information security best practices, appropriate frameworks such as the NIST Cybersecurity Framework, legal and regulatory mandates, and the mission, needs, resources, and risk tolerance of the University.

    The Information Security Policy reflects GovState’s acknowledgement of the threats to information security and the importance of protecting the data and information of the University community. This Policy is effective on the date of approval but will be implemented in phases given the scope and complexity of the required efforts and the continually changing security landscape.

  2. Definitions
    1. Individuals – Any person who accesses or consumes technology services (data, systems, printers, and other resources) provided by the University.
    2. Technical controls – A type of security control primarily implemented and executed by an information technology system through mechanisms contained in hardware, software, or firmware components.
    3. Administrative controls – Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security countermeasures to protect sensitive information and to manage the conduct of an individual’s actions with the use of data or technology.
    4. Physical controls – Physical measures to protect an information asset and related buildings and equipment from both natural and environmental hazards and unauthorized access.
    5. National Institute of Standards and Technology (NIST) – Science laboratory and non-regulatory agency of the United States Department of Commerce, which develops and promotes standards and best practices to be used by the private and public sectors.
    6. Asset – Hardware, software, service, platform, or any other IT resource that requires controls for the enforcement of confidentiality, integrity, and availability.
    7. Security Incident – A specific event or correlated set of events that has either compromised or has the potential to compromise the confidentiality, integrity, or availability of GSU’s information, systems, or data.
  3. Information Security Policy
    1. Scope

      This policy applies to the entire GovState community, including the President, Vice Presidents, Deans, Directors, and Department Heads, along with students, faculty, staff, administrators, alumni, trustees, temporary employees, contractors, volunteers, and guests who have access to University data and who use information technology services provided by GSU, unless expressly excepted.

    2. Responsibilities
      1. The Director of Information Security and Compliance leads University Information Security and Compliance efforts as part of the Information Technology Services (“ITS”) department and shall:
        1. Exercise authority and responsibility delegated by the Chief Information Officer (“CIO”) for the Information Security Program. 
        2. Recommend information security policies, procedures, and standards to protect data and technology resources. 
        3. Review and approve information security standards. 
        4. Establish a process for submitting and reviewing requests for exceptions to this Policy and related standards.
        5. Review and approve exceptions to information security policies and standards. 
        6. Review and manage University information security incidents, including but not limited to providing notice thereof to all appropriate parties. 
        7. Provide reasonable assistance or guidance to units and individuals in their efforts to comply with this Policy and other University information security efforts.
      2. Information Security relies on the collective efforts of all University community members.
        1. Individuals shall:
          1. Ensure that their actions with respect to University data and systems adhere to this Policy, as well as any applicable standards, laws, regulations, and contractual obligations. 
          2. Report known or reasonably suspected non-compliance to the Director of Information Security and Compliance or Chief Information Officer as soon as practicable.
        2. Unit leaders and administrators shall, in addition to their responsibilities as individuals:
          1. Exercise responsibility for their unit’s adherence to this Policy, as well as any applicable standards, laws, regulations, and contractual obligations as applicable to their unit and the data, systems, and applications under the control of their unit.
        3. Application and system owners shall, in addition to their responsibilities as individuals:
          1. Exercise responsibility for adherence to this Policy, as well as any applicable standards, laws, regulations, and contractual obligations as applicable to the data, systems, and applications under their control.
      3. Information Security Program

        The Information Security Program is divided into the following functional categories.

        1. Governance, Risk, Compliance 
          1. Information Security Program management

            The Information Security Program is managed by the Director of Information Security and Compliance as part of the ITS department.

          2. Risk Management

            All information security decisions and actions are intended to address risks and the University understands the importance of identifying and managing risks in order to make informed decisions and take appropriate action. ITS engages in risk management activities and shall adopt a formal Risk Management Process to further guide robust risk management activities.

          3. Internal Security and Compliance Audit

            To help ensure compliance with and effectiveness of established security policies, standards, and procedures, an Internal Security and Compliance Audit process shall be adopted.

          4. Data Classification

            The classification of information is essential to derive the sensitivity and criticality of information that is transmitted, stored, or processed by GovState. The classification system provides the basis for defining appropriate protection methods. The Data Classification Policy and Data Handling Policy shall establish criteria necessary for appropriate data security.

          5. Compliance

            The University is required to comply with certain regulations and accreditation standards. Controls, policies, standards, and processes shall be adopted for each regulation as required.

          6. Change Control

            ITS conforms to an established change control process to maintain system and data integrity and availability. This process ensures that any changes to a production system are formally approved to minimize problematic or unauthorized changes. A formal policy shall be adopted to accompany the established process.

        2. Operational Security
          1. Identity and Access Management

            Identity and Access Management (“IAM”) ensures the proper identification, authentication, and authorization of individuals who are granted access to the technology resources of the University, based on the following core principles:

            1. Ensure that each individual is uniquely identified for proper management of access privileges and appropriate level of activity monitoring. 
            2. Grant access to technology resources based on the Principle of Least Privilege. 
            3. Build a process for periodic compliance reviews to validate access is appropriate and acceptable according to University policies.
            4. Extend the current authorization capabilities across current and future service platforms. 
            5. Build and document an account lifecycle management program, ensuring user accounts are created, suspended, and removed according to a defined ruleset.

            The goal of access control is to manage access to technology resources based on need in order to maintain the confidentiality, integrity, and availability of those resources. The process to manage access control is reflective of the core foundational requirements that include identification, authentication, and authorization. An IAM Policy shall be adopted to prescribe consistent practices across all systems, and will additionally include provisions for remote access, privileged access, and segregation of duties.

          2. System and Network Security 

            Technology assets require network connectivity to communicate with other systems internal and external to GovState. Attacks against the network and connected systems have the potential to cause significant harm to the University including by compromising information, limiting system availability, and subjecting the University to ransomware. To mitigate and limit the effectiveness of such attacks, security controls shall be deployed throughout the environment, which may include monitoring and blocking technologies such as firewalls and intrusion detection systems. 

            Furthermore, GovState shall build and maintain configuration standards for all technology assets with networking capabilities, and/or which otherwise may store or process data.

          3. Vulnerability and Patch Management

            Vulnerabilities are known and unknown weaknesses or deficiencies within a server, platform, or application that have the potential to be exploited by malicious actors. The exploitation of such vulnerabilities could create significant financial and reputational harm to the University through scenarios such as ransomware attacks or the exfiltration or compromise of sensitive information.

            To limit the potential exposures as outlined above, ITS shall develop processes that outline routine vulnerability scans of all applicable servers, platforms, and applications in order to provide a comprehensive list of the known vulnerabilities throughout the operating environment. The vulnerabilities identified shall be ranked based on the criticality of the potential exposure and/or susceptibility of potential compromise.

            As vulnerabilities are discovered, they are often remediated or mitigated by patches and updates released by the vendor or manufacturer. Timely installation of such security patches is critical to ensuring the security of GSU’s systems, and the University shall develop and comply with a formal update and patch management process for each of the following areas:

            1. Servers; 
            2. Desktops and laptops; 
            3. Mobile devices; 
            4. Network infrastructure devices; 
            5. Applications; and 
            6. All other Network-connected devices that do not fall into an existing category (security cameras, IP phones, HVAC and lighting, etc.).
          4. Application Security 

            Although the University does not currently develop its own applications, modifications to existing systems may still present an opportunity for increased risk. Additionally, as automation becomes increasingly important and commonplace, scripts present similar opportunities for increased risk. 

            To help prevent unnecessary risk, the University shall develop and implement a code review process. All code implemented by the University shall be subject to this process. 

            Addressing the security of an information system or application within all stages of its lifecycle is critical to ensure that:

            1. All security requirements are compliant with the University’s governance policies. 
            2. Information that is sensitive is properly protected throughout its lifecycle. 
            3. The deployment of a consistent and appropriate level of controls (i) limits the introduction of new risks during system maintenance and (ii) ensures proper removal of the system and residual data upon decommission of the application.

            To ensure security is considered throughout the lifecycle of an application, the University shall adhere to the seven phases of the System-Development Life Cycle (“SDLC”). The minimum level of security requirements must be followed within each stage to ensure a proper level of due diligence:

            1. Planning – Define the scope of the application and service. Level of security commitments required are identified and documented. 
            2. Systems Analysis and Requirements – Define functional requirements of the application or service. Type of information consumed is identified and evaluated. 
            3. Systems Design – Details the specifications, features, and operations that satisfy the functional requirements. Security control requirements are discussed and addressed. 
            4. Development – Development efforts begin. Applications are developed to secure the data identified in the phases above. In the case of cloud-based solutions, verification of how the provider maintains the security is validated and documented. 
            5. Integration and Testing – Systems integration and system testing are conducted. Security capabilities are confirmed and quality assurance is completed.
            6. Implementation – Application or service is used in production. Security control monitoring mechanisms are deployed. 
            7. Operations and Maintenance – Fine-tuning activities – performance improvements, upgrades, patches. All activities conducted in this phase must follow the University’s change control policies and procedures to limit risk-induced problems (misconfigurations, system or service availability, etc.).
          5. Incident Management and Response

            A Security Incident Response Plan is critical to enable rapid mitigating and investigatory actions upon becoming aware of a potential security incident. The proper response to and handling of such incidents helps reduce their impact and integrates continual improvement measures over time.

            The University shall adopt a Security Incident Response Plan focused on rapid response and supporting triage activities.

          6. Detection and Monitoring 

            Detection and monitoring refer to mechanisms used to improve necessary visibility and event tracing required to detect threats and confirm the validity and effectiveness of the security controls deployed throughout the network and computing environment.

            As these are key foundational components to effective information security operations and effective incident investigation and response, the University shall build processes and standards to ensure that appropriate detection and monitoring is in place and functional, and that appropriate systems, activities, and data are within scope.

          7. Data and Communications Security 

            To ensure the confidentiality and integrity of information stored, processed, or communicated by the University, a Data Classification Policy has been established, and a Data Handling Policy is planned. The Data Handling Policy will outline how data in each classification should be stored, transmitted, processed, and destroyed.

          8. Disaster Recovery

            A disaster recovery plan is a set of documentation and procedures to ensure the proper and efficient resumption of critical services that support the daily operations of the University based on an unforeseen or unexpected interruption of the systems and resources. 

            GovState currently has established a robust disaster recovery process which is tested semi-annually. A formal policy is planned to accompany these processes.

          9. Training and Awareness

            A formal training and awareness policy shall be adopted to accompany and build upon existing yearly information security training exercises. This policy will outline the necessity and coverage areas, and other requirements of GovState’s Information Security Awareness and Training efforts.

          10. Information Asset Management 

            A full and comprehensive accounting of information assets is necessary for effective security efforts. An Information Asset Management Policy shall be adopted outlining the need to assemble and maintain a comprehensive inventory of the following information asset types:

            1. Hardware; 
            2. Virtual machines; 
            3. Network shares; 
            4. Storage media; 
            5. Applications; 
            6. Cloud services; and 
            7. Vendors and service providers.
      4. Exemptions and Risk Acceptance

        Although rare, exemptions to information security policies and processes may be necessary to carry out the mission of the University. A formal exemption policy and process shall be adopted to allow individuals to formally request an exemption and allow for the approval or rejection of the request based on specified criteria.

      5. Enforcement

        Any individual who accesses or consumes University data or information technology resources provided by the University shall be required to comply with all applicable laws and regulations, and with policies and procedures developed in accordance with GovState’s information security efforts. Any individual who engages in unauthorized use, disclosure, alteration, or destruction of University data will be in violation of the Information Security Policy and will be subject to appropriate disciplinary action, up to and including termination and/or legal action.