Security Policies Summary Document
(Last Updated 08-16-2004) - DRAFT
Policy: Electronic Data Security Management Policy
Purpose of Policy: To ensure that the University has implemented the major security management processes needed to recognize data security risks at the University and institute the safeguards needed to protect its information technology resources.
Policy Highlights: Requires departments to develop a security program that includes: Risk Assessment (of potential risks and vulnerabilities); Risk Management (security measures to reduce and manage risks and vulnerabilities); Sanctions (for security violations); Security Management Audits (review of information system activity); Electronic Activity Audits (recording and reporting of access, storage and transmission activity to information).

Policy: Workforce Security - Access to Data
Purpose of Policy: To ensure that the University has (1) implemented safeguards to limit access to data to only those authorized to use the data; (2) implemented the processes needed to ensure that people who are granted access to data on the University's network are only given appropriate access authority; and (3) verified a user's identity and access rights to non-public information.
Policy Highlights: Requires departments to: develop procedures for authorization/supervision of the workforce (1,2); limit access to only those persons/software that have been granted access (assignment of unique user identifier, procedures for emergency data access, procedures for automatic logoff, use of data encryption) (3,6,7,8); authenticate users (i.e., verify that the person seeking access to non-public information is the one claimed) (5); develop procedures for management of user accounts (i.e., creating, modifying, suspending, terminating) (4).

Policy: Data Security Training
Purpose of Policy: To ensure that each area within the University provides each of the people within its control with an appropriate awareness of data security issues, and provides the training needed for those people to understand and use the security safeguards in effect for that department.
Policy Highlights: Requires departments to develop procedures for security awareness & training of workforce; procedures that support security safeguards (guarding against, detecting and reporting malicious activity, password protections, monitoring log-in activity, reporting security incidents); procedures concerning security reminders/updates; maintenance of training records.

Policy: Security Incident Response
Purpose of Policy: To ensure that the University has implemented the processes needed to identify and respond to electronic security incidents that occur at the University.
Policy Highlights: Requires that procedures be implemented for (1) identifying and responding to security incidents, (2) mitigating impacts of security incidents, and (3) documenting security incidents and their outcomes.

Policy: Contingency Planning
Purpose of Policy: To ensure that the University has developed plans for continuing critical operations during periods when normal computing functions are not available and has instituted the safeguards needed to protect its information technology resources during those periods.
Policy Highlights: Requires a plan for continuity of critical resources that includes: inventory of critical resources; data backup plan; disaster recovery plan; emergency mode operation plan; periodic testing/revision of contingency plans; and oversight of 3rd parties.

Policy: Security Testing and Evaluation
Purpose of Policy: To ensure that the University has implemented the processes for periodically testing, reviewing, and revising the safeguards used to protect its information technology resources.
Policy Highlights: Requires development of a program for periodically evaluating the (1) technical procedures/mechanisms for protecting computing resources, and (2) non-technical (administrative) procedures/mechanisms for protecting computing resources.

Policy: Electronic Workstation Use and Security
Purpose of Policy: To ensure that each department within the University has identified the proper functions and environmental security for each computer workstation within its control.
Policy Highlights: Requires departments to develop and implement processes for: specifying functions appropriate for workstations (i.e., programs/applications to be run on workstation); how functions are to be performed on workstations (i.e., distribution of any documentation on use of programs/applications); how workstations are to be set up to perform functions (e.g., minimal configuration requirements, virus protection updates, security patch updates, etc.); physical security of workstations.

Policy: Electronic Data Integrity
Purpose of Policy: To ensure that the University has implemented the safeguards needed to protect the integrity of electronic data that is accessed, stored, or transmitted using computing resources at the University.
Policy Highlights: Requires processes for: (1) protecting data from unauthorized access or modification and for corroborating that data has not been altered or destroyed in an unauthorized manner (including use of tools and mechanisms) and (2) encryption of data when appropriate.

Policy: Device and Media Control
Purpose of Policy: To ensure that each area within the University has implemented appropriate processes for managing devices used to store electronic data.
Policy Highlights: Requires the development and use of procedures for protecting data that include: data disposal; media re-use; hardware/media movement; media repair/replacement; data backup.

Policy: Access Control for Computing Resources and Equipment
Purpose of Policy: To ensure that the University has implemented the controls needed to limit physical access to computing resources to only those people who are authorized to use the resources.
Policy Highlights: Requires implementation of controls that include: physical safeguards to equipment and data (i.e., physical access controls); limiting person access to equipment and data; maintaining documentation showing the history of maintenance to resources; and having procedures for emergency access to data.