University Information Security Program
Responsible Office: Information Technology Services
Policy Type: Information Security Policy
Policy Number: 302
Last Date Revised: 6/21/2017
Objective: Defines the data management environment and assigned roles and responsibilities for protecting Binghamton University's information from unauthorized access, disclosure, or misuse.
This policy builds upon the University's Information Security Program Policy #300.
It is the responsibility of the University data users who access non-public data and information to secure and protect University data. Many federal and state laws regulate the collection, handling and disclosure of University administrative data, including but not limited to the Family Rights to Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Privacy Act of 1974, New York State laws including the New York State Personal Privacy Protection Law, and Payment Card Industry regulations.
This policy must be communicated to faculty, staff, students and all others who have access to or manage University information. This information security policy is not specific to any type of hardware, communications method, network topology, or software applications. As such, it applies to all University offices.
1) Organizational and Functional Responsibilities
a) Information Security Council: The Information Security Council has overall responsibility for ensuring the implementation, enhancement, monitoring and enforcement of this program. The Council will ensure that an organizational structure is in place for:
i) Coordinating and implementing information security policies, standards, and procedures;
ii) Assigning information security responsibilities;
iii) Implementing an information security awareness program;
iv) Monitoring significant changes in the exposure of information assets to major threats, legal or regulatory requirements;
v) Responding to IT security incidents;
vi) Leading major initiatives to enhance IT Security;
vii) Leading disaster preparedness planning to ensure continuity of University business.
b) University Designated Staff: University designated staff will be responsible for the implementation of this and other information security policies and for the compliance of University data users with this policy. The designated staff must educate University employees with regard to information security issues: explain the issues, why the policies have been established, and what role(s) individuals have in safeguarding information assets.
c) Data Stewards: Data Stewards are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.). These access privileges must be in accordance with the user's job responsibilities. Data Stewards also communicate to the Chief Information Security Officer (CISO) the legal requirements for access and disclosure of their data. Data Stewards must be identified for all University data assets and assigned responsibility for the maintenance of appropriate information security measures such as assigning and maintaining asset classification and controls, managing user access to their resources, etc. Responsibility for implementing information security measures may be delegated, although accountability remains with the identified steward of the asset.
d) Chief Information Security Officer: The Chief Information Security Officer is responsible for chairing the Information Security Council and providing direction to the development of a formal security architecture for the University. The Chief Information Security Officer is responsible for investigating all alleged information security violations. In this role, the Chief Information Security Officer may refer the investigation to other investigatory entities, including law enforcement.
e) Information Technology (IT) Security Designated Staff: Information technology security staff will report to the Information Technology Services management and be responsible for administering IT security tools, auditing IT security practices, offering security awareness training, identifying and analyzing IT security threats and solutions, and responding to IT security violations.
f) Departments or Individuals with Direct Responsibility for Technology Support and Data Custodians: These areas have responsibility for the data processing infrastructure and computing networks which support the data stewards. It is their responsibility to support the Information Security Program and provide resources needed to enhance and maintain a level of information security control consistent with the University's Information Security Program.
These departments have the following responsibilities in relation to information security:
i) Ensuring processes, policies and requirements are identified and implemented relative to information security requirements defined by the University;
ii) Ensuring the proper security controls are implemented for which the University has assigned ownership responsibility, based on the University's classification designations;
iii) Ensuring that appropriate information security requirements for user access to automated information are defined for files, databases, and physical devices assigned to their areas of responsibility;
iv) Ensuring that critical data are backed up and that the associated recovery plans are developed jointly with data stewards;
v) Ensuring data is maintained in a manner consistent with the requirements of a data custodian as defined in the Data Governance policy.
g) University Data Users: It is the responsibility of the University data users to protect University information and resources, including passwords, and to report suspected information/computer security incidents as required in the Security Incident Management and Response section of this policy.
2) Information Security
a) All stored or transmitted and written or electronic information which is created, acquired or used in support of the University's mission, regardless of the form or format, must be used for University business only. This information is an asset and must be protected from its creation, through its useful life, and to its authorized disposal. It must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use.
b) Information must be classified based on its importance to business activities, risks, and information security best practices as defined in the university data governance policy.
c) Information is one of the University's most valuable assets and the University relies upon that information to support its mission. The quality and availability of that information is central to the University's ability to carry out its mission. Therefore, the security of the University's information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorized user of University information has an obligation to preserve and protect University information assets in a consistent and reliable manner. Information security controls provide the necessary physical, logical and procedural safeguards to accomplish those goals.
d) Information security management enables information to be shared while ensuring protection of that information and its associated computer assets including the networks over which the information travels. University designated staff are responsible for ensuring that appropriate physical, logical and procedural controls are in place on these assets to preserve the information security properties of confidentiality, integrity, availability and privacy of University information.
e) Individual accountability is the cornerstone of any information security program. Without it, there can be no information security. Individual accountability is required when accessing all University resources, and includes:
i) Access to University computer systems and networks must be provided through the use of individually assigned unique computer identifiers, known as user-IDs;
ii) Individuals who use University computers must only access information assets to which he or she is authorized;
iii) Authentication tokens associated with each user-ID, such as a password, must be used to authenticate the person accessing the data, system or network. Passwords, tokens or similar technology must be treated as confidential information, and must not be disclosed. Transmission of such authentication information must be made only over secure mechanisms;
iv) Each individual is responsible for reasonably protecting against unauthorized activities performed under his or her user-ID;
v) User-IDs and passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared. In certain circumstances, where there is a clear requirement or system limitation, a shared user-ID for a group of users or a specific job may be used. Additional compensating controls must then be implemented to ensure accountability is maintained.
f) Confidentiality / Integrity / Availability: All University information must be protected from unauthorized access to help ensure the information's confidentiality and maintain its integrity. Data stewards will secure information within their jurisdiction based on the information's value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery. The University will adopt policies and procedures to guide data stewards in securing their information assets.
g) Information will be readily available for authorized use when it is needed by users in the normal performance of their duties. Appropriate processes will be defined and implemented to ensure the reasonable and timely recovery of all the University information, applications and systems, regardless of computing platform, should that information become corrupted, destroyed, or unavailable for a defined period.
3) Personnel Security
a) User Training:
i) All faculty, staff and students must receive general information security awareness training to ensure they are knowledgeable of information security procedures, their roles and responsibilities regarding the protection of the University information assets, and the proper use of information processing facilities to minimize information
ii) Departments that process or maintain restricted, sensitive or internal information are responsible for conducting specific information security awareness training for employees who handle such information in the course of their job duties. This training should include physical handling and disposition of non-electronic documents containing restricted, sensitive or internal information as well as proper procedures to follow in processing and storing electronic information and documents;
iii) Log-on banners will be implemented on all systems where that feature exists to inform all users that the system is for the University business or other approved use consistent with University mission.
iv) Central authentication and authorization services will be implemented on all systems where possible to centralize access control and auditing.
4) Security Incident Management and Response
a) Responding to Information Security Incidents and Malfunctions:
i) Incidents affecting information security must be reported as quickly as possible to the Chief Information Security Officer (via email@example.com), the designated data steward and the designated data trustee.
ii) Formal incident reporting procedures that define the actions to be taken when an incident occurs must be established. Feedback mechanisms must be implemented to ensure that individuals reporting incidents are notified of the results after the incident has been resolved and closed.
b) Incident Management Process and Procedures: The logging of information security incidents will be used by the University to identify recurring or high impact incidents and to record lessons learned. Review of this information may indicate the need for additional controls to limit the frequency, damage and cost of future incidents.
i) All users of University information systems must be made aware of the procedure for reporting information security incidents, threats, weaknesses, or malfunctions that may have an impact on the security of University information. All University staff and contractors are required to report any observed or suspected incidents to the appropriate manager and the University CISO as quickly as possible;
ii) Incident management responsibilities must be documented and procedures must be clearly defined to ensure a quick, effective and orderly response to information security incidents. At a minimum, these procedures must address:
1. Information system failures and loss of service;
2. Denial of service;
3. Errors resulting from incomplete or inaccurate data;
4. Breaches of confidentiality;
5. Loss of integrity of the software or other system component;
iii) In addition to normal contingency plans designed to recover applications, systems or services, the incident response procedures must also cover:
1. Analysis and identification of the cause of the incident;
2. Planning and implementation of corrective actions to prevent reoccurrence;
3. Collection of audit log information;
4. Communication with those affected by or involved in the recovery from the incident;
iv) University administration and the University CISO will investigate all information security incidents and implement corrective actions to reduce the risk of recurrence.
5) Access Control
a) To preserve the properties of integrity, confidentiality and availability, the University's information assets will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements and ease of recovery of these assets.
b) Data Stewards are responsible for determining who should have access to information assets within their jurisdiction, and what those access privileges will be (read, update, etc.). These access privileges will be granted in accordance with the user's job responsibilities.
c) Identity and Access Management:
i) A process shall be established by the University to outline and identify all functions of user management, to include the generation, distribution, modification and deletion of user accounts for access to resources. The purpose of this process is to ensure that only authorized individuals have access to University applications and information and that these users only have access to the resources required for authorized purposes;
ii) The User Management Process will include the following sub-processes:
1. Enrolling new users;
2. Removing user-IDs;
3. Granting "privileged accounts" to a user;
4. Removing "privileged accounts" from a user;
5. Periodic review of users' "privileged accounts";
6. Periodic review of the users enrolled in any system; and
7. Assigning a new authentication token (e.g. password reset processing);
iii) In most cases the appropriate data steward or supervisor will make requests for the registration and granting of access rights for employees. In some cases, access can be automatically granted or taken away based on employment status;
iv) For applications that interact with individuals who are not employed by the University, the data steward is responsible for ensuring an appropriate user management process is implemented. Standards for the registration of such external users must be defined, including the credentials that must be provided to prove the identity of the user requesting registration, validation of the request, and the scope of access that may be provided.
d) User Password Management:
i) Passwords are a common means of authenticating a user's identity to access an information system or service. Password standards will be implemented to ensure all authorized individuals accessing University resources follow proven password management practices. These password rules must be enforced by automated system controls whenever possible;
ii) To ensure best practice in password management, systems shall implement standards based on NIST Special Publication 800-63 where feasible;
iii) A user who needs a password reset must be authenticated before the request is granted.
6) Compliance
a) Compliance with this Information Security policy is mandatory. Each user must understand his/her role and responsibilities regarding information security issues and protecting the University's information assets. Failure to comply with this or any other information security program policy that results in the compromise of University information confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement. The University will take every reasonable step necessary, including legal and administrative measures, to protect its information assets.
b) The University Information Security Council shall review this document annually, at minimum. If changes are needed, the council shall propose the changes to the Vice President for Operations. The Vice President will be required to review the proposed changes for acceptance within 30 days of receipt. A response to the proposed changes must be made in writing to the Information Security Council chair within 30 days of receipt of the proposed changes.
c) University managers and supervisors will ensure that all information security processes and procedures within their areas of responsibility are followed. In addition, all units within the University are subject to regular reviews to ensure compliance with information security policies and standards. Areas where compliance with the program requirements is not met will be documented and reported to the University's Chief Information Security Officer. For each area of non-compliance, a plan will be developed to address the deficiencies.
Related Documents:
Binghamton University Policy: Information Security Program, Policy #300
Binghamton University Policy: Data Governance, Policy #304
SUNY Compliance Procedure(s):
Information Security Policy, Document #6900
Information Security Guidelines, Part 1, Document #6608
Records Retention and Disposition, Document #6609
NIST Special Publication 800-63