Information Security Policy
Category: Information Security
Owner(s): Information Security Officer and Vice President for Operations
Effective Date: 1/31/2011
Objective: Defines the data management environment and assigned roles and responsibilities for protecting Binghamton University's information from unauthorized access, disclosure, or misuse.
This policy builds upon the University's Information Security Program Policy #300.
Audience: University workforce.
Reformat – corrected owner and numbering
It is the responsibility of every member of the University workforce who accesses non-public data and information to secure and protect University data. Many federal and state laws regulate the collection, handling and disclosure of University administrative data, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Privacy Act of 1974, New York State laws including the New York State Personal Privacy Protection Law, and Payment Card Industry regulations.
This policy must be communicated to faculty, staff, students and all others who have access to or manage University information. This information security policy is not specific to any type of hardware, communications method, network topology, or software applications. As such, it is designed to be implemented across campus.
1) Organizational and Functional Responsibilities
a) Information Security Council: The Information Security Council has overall responsibility for ensuring the implementation, enhancement, monitoring and enforcement of this program. The Council will ensure that an organizational structure is in place for:
i) coordinating and implementing information security policies, standards, and procedures;
ii) assigning information security responsibilities;
iii) implementing an information security awareness program;
iv) monitoring significant changes in the exposure of information assets to major threats, legal or regulatory requirements;
v) responding to IT security incidents;
vi) leading major initiatives to enhance IT Security;
vii) leading disaster preparedness planning to ensure continuity of University business.
b) University Designated Staff: University designated staff will be responsible for the implementation of this and other information security policies and for the compliance of the University workforce with this policy. The designated staff must educate University employees with regard to information security issues: explain the issues, why the policies have been established, and what role(s) individuals have in safeguarding information assets.
c) Information Owners: Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.). These access privileges must be in accordance with the user's job responsibilities. Information owners also communicate to the University Information Security Officer (ISO) the legal requirements for access and disclosure of their data. Information owners must be identified for all University information assets and assigned responsibility for the maintenance of appropriate information security measures such as assigning and maintaining asset classification and controls, managing user access to their resources, etc. Responsibility for implementing information security measures may be delegated, though accountability remains with the identified owner of the asset.
d) University Information Security Officer: The University Information Security Officer is responsible for chairing the Information Security Council and providing direction to the development of a formal security architecture plan for the University. The University Information Security Officer is responsible for investigating all alleged information security violations. In this role, the University Information Security Officer may refer the investigation to other investigatory entities, including law enforcement.
e) Information Technology (IT) Security Designated Staff: Information technology security staff will report to the Information Technology Services management and be responsible for administering IT security tools, auditing IT security practices, identifying and analyzing IT security threats and solutions, and responding to IT security violations.
f) Departments or Individuals with Direct Responsibility for Technology Support: These areas have responsibility for the data processing infrastructure and computing networks which support the information owners. It is their responsibility to support the Information Security Program and provide resources needed to enhance and maintain a level of information security control consistent with the University's Information Security Program.
These departments have the following responsibilities in relation to information security:
i) ensuring processes, policies and requirements are identified and implemented relative to information security requirements defined by the University;
ii) ensuring the proper security controls are implemented for which the University has assigned ownership responsibility, based on the University's classification designations;
iii) ensuring that appropriate information security requirements for user access to automated information are defined for files, databases, and physical devices assigned to their areas of responsibility;
iv) ensuring that critical data are backed up and that the associated recovery plans are developed jointly with information owners.
g) University Workforce: It is the responsibility of the University workforce to protect University information and resources, including passwords, and to report suspected information/computer security incidents to one or more of the following: the information owner, the Information Technology Services Help Desk, the Information Security Officer, or IT Security staff as appropriate.
2) Information Security
a) All stored or transmitted and written or electronic information which is created, acquired or used in support of the University's mission, regardless of the form or format, must be used for University business only. This information is an asset and must be protected from its creation, through its useful life, and to its authorized disposal. It must be maintained in a secure, accurate, and reliable manner and be readily available for authorized use.
Information must be classified and protected based on its importance to business activities, risks, and information security best practices as defined in ISO 27002 - The Information Security Standard.
b) Information is one of the University's most valuable assets and the University relies upon that information to support our mission. The quality and availability of that information is central to the University's ability to carry out its mission. Therefore, the security of the University's information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorized user of University information has an obligation to preserve and protect University information assets in a consistent and reliable manner. Information security controls provide the necessary physical, logical and procedural safeguards to accomplish those goals.
c) Information security management enables information to be shared while ensuring protection of that information and its associated computer assets including the networks over which the information travels. University designated staff are responsible for ensuring that appropriate physical, logical and procedural controls are in place on these assets to preserve the information security properties of confidentiality, integrity, availability and privacy of University information.
d) Individual Accountability: Individual accountability is the cornerstone of any information security program. Without it, there can be no information security. Individual accountability is required when accessing all University resources, and includes:
i) access to University computer systems and networks must be provided through the use of individually assigned unique computer identifiers, known as user-IDs;
ii) individuals who use University computers must only access information assets to which they are authorized;
iii) authentication tokens associated with each user-ID, such as a password, must be used to authenticate the person accessing the data, system or network. Passwords, tokens or similar technology must be treated as confidential information, and must not be disclosed. Transmission of such authentication information must be made only over secure mechanisms;
iv) each individual is responsible to reasonably protect against unauthorized activities performed under his or her user-ID;
v) user-IDs and passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared. In certain circumstances, where there is a clear requirement or system limitation, a shared user-ID for a group of users or a specific job may be used. Additional compensatory controls must then be implemented to ensure accountability is maintained.
e) Confidentiality / Integrity / Availability: All University information must be protected from unauthorized access to help ensure the information's confidentiality and maintain its integrity. Information owners will secure information within their jurisdiction based on the information's value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery. The University will adopt policies and procedures to guide information owners in securing their information assets.
f) Information will be readily available for authorized use when it is needed by users in the normal performance of their duties. Appropriate processes will be defined and implemented to ensure the reasonable and timely recovery of all the University information, applications and systems, regardless of computing platform, should that information become corrupted, destroyed, or unavailable for a defined period.
3) Asset Classification and Control
a) Data and data types should be classified by their use and sensitivity; categories are open, restricted, and confidential. These are defined as follows:
i) Open: Public information about the University and its community releasable at the lowest department level (e.g. sports scores, public events information, announcements, faculty expertise, student accomplishments*, aggregate data prepared for release); *see the note in paragraph 3) a) iii)
ii) Restricted: Public information subject to established University protocol for release (e.g. budget information, salaries, expenditures, directory information);
iii) Confidential: All other information, including any personally-identifying information about employees or students. Note: Student directory information is confidential if directory exclusion is requested by the student. It is the responsibility of all University employees to respect the highest level of privacy for their colleagues and other members of the University community. Disclosure and discussion of information obtained from University records, either during or after employment with the University, is not permissible unless such disclosure is a normal requirement of an employee's position or has been so authorized.
b) Information must be properly managed from its creation, through authorized use, to proper disposal and requires different levels of protection. Information will be classified based on its value, sensitivity, consequences of loss or compromise, and/or legal and retention requirements. Criteria for determining the sensitivity of information will include consideration of confidentiality, integrity, availability, privacy, safety, legal and retention compliance requirements.
c) All information will have an information owner established within the University's lines of business who will be responsible for assigning the initial information classification and for making all decisions regarding controls, access privileges of users, and daily decisions regarding information management.
d) Each classification will have a set or range of controls, designed to provide the appropriate level of protection of the information and its associated application software commensurate with the value of the information in that classification. Protective measures will address the above considerations with control categories that include: identification & authentication, access control, confidentiality, network security, host security, integrity, non-repudiation, monitoring and compliance.
4) Personnel Security
a) User Training:
i) All faculty, staff and students must receive general information security awareness training to ensure they are knowledgeable of information security procedures, their roles and responsibilities regarding the protection of the University information assets, and the proper use of information processing facilities to minimize information security risks;
ii) Departments that process or maintain sensitive information are responsible for conducting specific information security awareness training for employees who handle such information in the course of their job duties. This training should include physical handling and disposition of non-electronic documents containing sensitive information as well as proper procedures to follow in processing and storing electronic information and documents;
iii) Logon banners will be implemented on all systems where that feature exists to inform all users that the system is for University business or other approved use consistent with the University mission.
5) Security Incident Management and Response
a) Responding to Information Security Incidents and Malfunctions:
i) Incidents affecting information security must be reported as quickly as possible to one or more of the following: the information owner, the Information Security Officer, or IT Security staff as appropriate;
ii) Formal incident reporting procedures that define the actions to be taken when an incident occurs must be established. Feedback mechanisms must be implemented to ensure that individuals reporting incidents are notified of the results after the incident has been resolved and closed.
b) Incident Management Process and Procedures: The logging of information security incidents will be used by the University to identify recurring or high impact incidents and to record lessons learned. Review of this information may indicate the need for additional controls to limit the frequency, damage and cost of future incidents.
i) All users of University information systems must be made aware of the procedure for reporting information security incidents, threats, weaknesses, or malfunctions that may have an impact on the security of University information. All University staff and contractors are required to report any observed or suspected incidents to the appropriate manager and the University ISO as quickly as possible;
ii) Incident management responsibilities must be documented and procedures must be clearly defined to ensure a quick, effective and orderly response to information security incidents. At a minimum, these procedures must address:
(1) information system failures and loss of service;
(2) denial of service;
(3) errors resulting from incomplete or inaccurate data;
(4) breaches of confidentiality;
(5) loss of integrity of the software or other system component;
iii) In addition to normal contingency plans designed to recover applications, systems or services, the incident response procedures must also cover:
(1) analysis and identification of the cause of the incident;
(2) planning and implementation of corrective actions to prevent reoccurrence;
(3) collection of audit log information;
(4) communication with those affected by or involved in the recovery from the incident;
iv) University management and the University ISO will investigate all information security incidents and implement corrective actions to reduce the risk of recurrence.
6) Access Control
a) To preserve the properties of integrity, confidentiality and availability, the University's information assets will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements and ease of recovery of these assets.
b) Information owners are responsible for determining who should have access to information assets within their jurisdiction, and what those access privileges will be (read, update, etc.). These access privileges will be granted in accordance with the user's job responsibilities.
c) User Registration and Management:
i) A process shall be established by the University to outline and identify all functions of user management, to include the generation, distribution, modification and deletion of user accounts for access to resources. The purpose of this process is to ensure that only authorized individuals have access to University applications and information and that these users only have access to the resources required for authorized purposes;
ii) The User Management Process should include the following sub-processes:
(1) enrolling new users;
(2) removing user-ids;
(3) granting "privileged accounts" to a user;
(4) removing "privileged accounts" from a user;
(5) periodic review of users' "privileged accounts";
(6) periodic review of the users enrolled in any system; and
(7) assigning a new authentication token (e.g. password reset processing);
iii) In most cases the appropriate information owner or supervisor will make requests for the registration and granting of access rights for employees. In some cases access can be automatically granted or taken away based on employment status;
iv) For applications that interact with individuals who are not employed by the University, the information owner is responsible for ensuring an appropriate user management process is implemented. Standards for the registration of such external users must be defined, to include the credentials that must be provided to prove the identity of the user requesting registration, validation of the request, and the scope of access that may be provided.
d) User Password Management:
i) Passwords are a common means of authenticating a user's identity to access an information system or service. Password standards will be implemented to ensure all authorized individuals accessing University resources follow proven password management practices. These password rules must be enforced by automated system controls whenever possible;
ii) To ensure good password management, the following password standards will be implemented where feasible:
(1) password must not be the same as the user-ID;
(2) password length minimum of 8 characters;
(3) strong passwords including alpha and numeric characters;
(4) maximum password age 180 days;
(5) minimum password age 7 days;
(6) password uniqueness of five (5): a new password must differ from the previous five;
(7) lock out account after an appropriate number of failed logon attempts;
(8) password lockout duration of 60 minutes, or until reset by an authorized person;
(9) passwords should not be written down;
(10) passwords must be kept confidential; they must not be shared with anyone;
(11) temporary passwords must be changed at the first logon;
iii) A user who needs a password reset must be authenticated before the request is granted.
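The following is an added example, not part of the University's policy or any Binghamton system, showing how the password standards in 6) d) ii) translate into enforceable checks: rules (1), (2), (3), (5) and (6) are evaluated on a candidate password, rule (4) as an expiry test, and rules (7) and (8) as a lockout tracker with the "reset by an authorized person" path. Two things are assumptions because the policy leaves them open: five failed logons trigger lockout, and the password history is kept as salted PBKDF2 hashes rather than in clear text. The temporary-password case of rule (11) is handled by letting a forced change at first logon bypass the minimum-age rule (5), which would otherwise block it.

```python
"""Password-policy and lockout enforcement modelled on section 6) d) ii).

Added example code; the lockout threshold (5) and the use of salted PBKDF2
for the password history are assumptions, not requirements of the policy.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8                             # rule (2)
MAX_AGE = timedelta(days=180)              # rule (4)
MIN_AGE = timedelta(days=7)                # rule (5)
HISTORY_DEPTH = 5                          # rule (6): previous five may not be reused
LOCKOUT_THRESHOLD = 5                      # rule (7): assumed value, policy says "appropriate"
LOCKOUT_DURATION = timedelta(minutes=60)   # rule (8)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def password_violations(candidate: str, user_id: str, history: List[Tuple[bytes, bytes]],
                        last_changed: Optional[datetime], now: datetime,
                        must_change: bool = False) -> List[int]:
    """Return the numbers of the 6) d) ii) rules the candidate breaks.

    history holds (salt, digest) pairs, most recent first. must_change marks a
    temporary password (rule 11), which exempts the user from minimum age (5).
    """
    problems = []
    if candidate.lower() == user_id.lower():
        problems.append(1)
    if len(candidate) < MIN_LENGTH:
        problems.append(2)
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append(3)
    if not must_change and last_changed is not None and now - last_changed < MIN_AGE:
        problems.append(5)
    if any(matches(candidate, s, d) for s, d in history[:HISTORY_DEPTH]):
        problems.append(6)
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Rule (4): a password older than 180 days must be changed."""
    return now - last_changed > MAX_AGE


class LockoutTracker:
    """Rules (7) and (8): lock after repeated failures, release on timeout or reset."""

    def __init__(self) -> None:
        self.state = {}  # user_id -> (failure_count, locked_until or None)

    def is_locked(self, user_id: str, now: datetime) -> bool:
        _, locked_until = self.state.get(user_id, (0, None))
        return locked_until is not None and now < locked_until

    def record_failure(self, user_id: str, now: datetime) -> bool:
        """Record a failed logon; returns True if the account is now locked."""
        count, locked_until = self.state.get(user_id, (0, None))
        if locked_until is not None and now >= locked_until:
            count, locked_until = 0, None   # an expired lockout starts a fresh count
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            locked_until = now + LOCKOUT_DURATION
        self.state[user_id] = (count, locked_until)
        return self.is_locked(user_id, now)

    def record_success(self, user_id: str) -> None:
        self.state.pop(user_id, None)

    def admin_reset(self, user_id: str) -> None:
        """Rule (8): an authorized person may clear the lockout early."""
        self.state.pop(user_id, None)


if __name__ == "__main__":
    # Constructed sample: one user with a single prior password in history.
    now = datetime(2011, 1, 31, 9, 0)
    history = [hash_password("Winter2010")]
    print(password_violations("jdoe", "jdoe", history, now - timedelta(days=30), now))
```

The history check deliberately compares hashes with `hmac.compare_digest`, and the tracker resets its count once a timed lockout has expired so that a single later mistake does not re-lock the account immediately.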
a) Compliance with this Information Security policy is mandatory. Each user must understand his/her role and responsibilities regarding information security issues and protecting the University's information assets. The failure to comply with this or any other information security program policy that results in the compromise of University information confidentiality, integrity, privacy, and/or availability may result in appropriate action as permitted by law, rule, regulation or negotiated agreement. The University will take every reasonable step necessary, including legal and administrative measures, to protect its information assets.
b) The University Information Security Council shall review this document annually, at minimum. If changes are needed the council shall propose the changes to the Vice President for Operations. The Vice President will be required to review the proposed changes for acceptance within 30 days of receipt. A response to the proposed changes must be made in writing to the Information Security Council chair, within 30 days of receipt of the proposed changes.
c) University managers and supervisors will ensure that all information security processes and procedures within their areas of responsibility are followed. In addition, all units within the University may be subject to regular reviews to ensure compliance with information security policies and standards. Areas where compliance with the program requirements is not met will be documented and reported to the University's Information Security Officer. For each area of non-compliance, a plan will be developed to address the deficiencies.
Binghamton University Policy: Information Security Program, Policy #300
SUNY Compliance Procedure(s):