Information Systems Security Policy

Background

This policy establishes the requirements, roles, and responsibilities for ensuring the confidentiality, integrity, and availability of ��Ҵ�ý IT Services accessed, managed, or controlled by ��Ҵ�ý (“��Ҵ�ý”).

Purpose

The purpose of this policy is to ensure the protection of ��Ҵ�ý’s information technology services, including applications, computing equipment, networks, servers, licensed third party software and systems, telecommunications systems, other technology or communications platforms, and other resources and the data stored in or on any such technology (collectively, “��Ҵ�ý IT Services” or “IT Services”) from unauthorized access or alteration, as well as damage, intrusion, and misuse.

By implementing this policy, ��Ҵ�ý will:

Establish standards for ensuring the security and confidentiality of ��Ҵ�ý’s IT Services.
Establish administrative, technical, and physical safeguards to protect against unauthorized access or use of ��Ҵ�ý’s IT Services.
Assign responsibility for the security of departmental, administrative, and other critical ��Ҵ�ý IT Services.

This policy applies to all employees (faculty and staff) or, as relevant, students who create or are responsible for ��Ҵ�ý IT Services or which collect, process, transact or transmit ��Ҵ�ý data as defined in the Data Security Policy. All such individuals must maintain the IT Services for which they are responsible in accordance with this policy and other ��Ҵ�ý policies and regulations.

Policy

1. Framework for Institutional Information Security Decisions

Establishment of Ownership

“Information Security” for the purpose of this policy means the protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. ��Ҵ�ý’s Information Security Program Manager (ISPM), reporting to the Chief Information Officer (CIO) or his or her designee, has the principal obligation for Information Security. This includes, but is not limited to, the execution of ��Ҵ�ý college’s Information Security Plan.

The ISPM will develop policies, standards, procedures, and guidelines with input and review from campus stakeholders, based upon best practices in information security, and in accordance with applicable laws and regulations.

Policies, standards, procedures, and guidelines set minimum requirements and expectations under which ��Ҵ�ý operates and protects the Services. These will be regularly reviewed and updated to properly reflect changing risk conditions and mitigation techniques. At a minimum, information security policies, standards, procedures, and guidelines will be reviewed annually and updated as required.

The ISPM will collaborate with campus leadership and department management to develop information security policies that appropriately address ��Ҵ�ý’s needs. Departments must notify the ISPM of issues requiring attention through policy, as well as any needed policy changes.

Approval

��Ҵ�ý’s information security policies, standards, procedures, and guidelines shall be consistent with existing laws, regulations, ��Ҵ�ý culture, and support the ��Ҵ�ý mission to develop, educate, and serve its community. Policies will be reviewed and approved according to ��Ҵ�ý’s (��Ҵ�ý login required) prior to implementation. As part of implementation, faculty, staff, and students will be notified of the policies.

Exceptions

Individuals or units within ��Ҵ�ý that cannot comply with the requirements of the information systems security program established pursuant to this policy or related security policies must submit a written exception request to the ISPM for review and consideration. Exception requests must include the scope and duration of the exception, business justification, and for exceptions that are temporary, a committed remediation plan to achieve compliance. The ISPM will review the request to ensure proper consideration has been given to the business needs and benefits, and weighed against the security risk to the institution. Requests for policy exceptions must be submitted to and approved by the ISPM or the CIO prior to implementation of the requested exception.

In the event of an emergency, the CIO acting with input from members of ��Ҵ�ý’s Senior Leadership Team has the authority to temporarily suspend a specific information security policy in order to recover from a service outage or incident. The ISPM should be notified of the temporary policy suspension so that efforts can be considered and undertaken, as necessary, to mitigate the risks of any increased security threat.

2. Information Security Roles and Responsibilities

Information Security Program Manager (ISPM)

��Ҵ�ý’s Information Security Program Manager is responsible for coordinating and overseeing compliance with this policy including investigating and evaluating any incident that may violate this or other policies or information security best practices and, with input from the Vice President and General Counsel, outside counsel, consultants and other resources, determining if a security breach occurred under applicable law.

Technology & Innovation (T&I)

The Technology & Innovation division (T&I) has the primary operational responsibility for ��Ҵ�ý IT Services that receive, create, store, handle, or discard information. T&I shall be responsible for:

Implementing information security technologies, controls, and services to protect IT Services and data as required by the Information Systems Security Program.
Granting and revoking user rights and privileged access to IT Services as directed by the ISPM or Product Owners.
Ensuring availability and recovery of IT Services.
Abiding by the requirements of the Information Systems Security Program.

Product Owners

Each information technology system, application, server or other service used at ��Ҵ�ý (“IT Service”) must have a designated Product Owner, a named individual maintained on file in the Technology & Innovation division. This individual is responsible for ensuring that each such IT Services comply with this policy, and the Product Owner must report any discovered non-compliance or possible security events promptly to the Information Security Program Manager. Product Owner designations are determined at the Vice President or division head level, and VPs/division heads must promptly name a new Product Owner upon reassignment or the departure of a Product Owner from ��Ҵ�ý employment.

All information and data at ��Ҵ�ý, including that which is stored, processed or transmitted by IT Services, is regulated by the College’s Data Security Policy. Product Owners are responsible for ensuring their IT Services are compliant with the Data Security Policy.

For student-developed IT Services in use at ��Ҵ�ý, a student may be the Product Owner under the supervision of an authorized faculty or staff member, but the faculty or staff member or relevant department or division must name a Product Owner upon the student’s graduation or termination of enrollment from ��Ҵ�ý. The supervising faculty or staff member will become the Product Owner by default if a new Product Owner is not named.

End Users of IT Services (Faculty, Staff, Students)

End Users shall be responsible for abiding by the ��Ҵ�ý Technology Terms of Service when using IT Services at ��Ҵ�ý.

Third-Party (Vendor) Access

Third parties executing business on behalf of ��Ҵ�ý, in lieu of or in addition to ��Ҵ�ý employees, must agree to follow the information systems security policies. Third parties are expected to be contractually obligated to protect ��Ҵ�ý IT Services to the same degree expected from ��Ҵ�ý employees.

Third parties may only access ��Ҵ�ý IT Services where there is a business need, only with approval of Product Owners, and only with the minimum access needed to accomplish the business objective. A copy of the relevant information security policies and the third party’s role in ensuring compliance must be formally delivered to the third party prior to access being granted, with provisions made to grant the access in a secure manner. In these cases, third parties shall be subject to the same policies and practices as other members of the ��Ҵ�ý community, unless an exception is granted by the ISPM.

Security Obligations in Contracts for Outsourced Services

Contracts with third parties for outsourced information technology services (e.g. SaaS solutions) must include provisions that govern the handling and proper security of all ��Ҵ�ý IT Services. These provisions should clearly define requirements of the third party for protection of ��Ҵ�ý information, and where possible, should provide ��Ҵ�ý the ability to audit the third party as needed in order to ensure information is appropriately protected. Use of the ��Ҵ�ý Technology Contact Addendum is recommended for this purpose.

��Ҵ�ý offices and departments must provide oversight of all outsourced information technology service providers to ensure their policies and practices regarding information security are consistent with ��Ҵ�ý’s policies.

Third parties may be audited as needed in order to ensure compliance. ��Ҵ�ý data must be protected whether used, housed, or supported by ��Ҵ�ý employees or by third parties.

The policy provisions will be addressed on a go-forward basis for new and renewed contracts. There is no expectation that existing contracts will be renegotiated ahead of their renewal dates to comply with these requirements.

3. Human Resources Security

All employees of ��Ҵ�ý, whether regular or temporary, full or part-time, and any third parties, contractors, volunteers, or vendors who receive access to IT Services must be aware of, understand, and fulfill their information security responsibilities and requirements for any IT Services that they access.

��Ҵ�ý’s Human Resources division completes a criminal background check on all prospective employees that must be completed before the first day worked and access to IT Services begins. Faculty/staff sponsoring any access by third parties, contractors, volunteers, or vendors who will access Restricted or Confidential data, as defined in the Data Security Policy, in ��Ҵ�ý IT Services must contact Human Resources to request a criminal background check prior to access to such data being granted.

All employees, students, and third parties sponsored for account access are required to review and accept the ��Ҵ�ý Technology Terms of Service before completing the self-service account registration process.

The manager or supervisor of employees and third parties (e.g., authorized or approved vendors or contractors) who have access to ��Ҵ�ý IT Services is responsible for ensuring that all such individuals are aware of and fulfill their information security responsibilities. Employee disciplinary processes will include provisions addressing violations of information security policies.

4. Information Systems Access Control

Access to ��Ҵ�ý IT Services that store, process or transmit Restricted or Confidential data as defined in the Data Security Policy will only be provided to End Users based on business requirements, job function, responsibilities, or need-to-know, and such access must be approved by the manager/supervisor, Product Owner, or data steward, as appropriate.

To the greatest extent technically possible, Product Owners will use group membership data derived from Human Resources systems data (such as department or division affiliation or role) to automatically grant and revoke access to IT Services.

All IT Services must use ��Ҵ�ý-authorized single-sign on (SSO) and multifactor authentication, unless an exception has been approved by the Chief Information Officer.

Access to ��Ҵ�ý IT Services will be revoked, and assets, including assigned laptop or desktop and peripherals, must be returned upon termination of employment with the College. If an employee accepts a new position at the College, the outgoing division’s manager is responsible for deactivating access to IT Services no longer needed in the employee’s new role.

Authorized T&I divisional staff with superuser/root level to high-risk systems (such as domain administrator roles) are required to use a unique, separate account from their regular campus account to perform such roles, and must only use it for such system administration tasks. Any service accounts, root level passwords, or equivalent that cannot be disabled due to the nature of the relevant system must be stored in T&I’s secure credential enclave or a privileged account management system.

5. Information Security Awareness and Training

The ISPM will develop, implement and manage an information security awareness program to be delivered periodically to ��Ҵ�ý faculty, staff, and certain other authorized users of ��Ҵ�ý IT Services.

To demonstrate basic competency in information security best practices, designated faculty and staff must complete this training as part of the onboarding process, approximately annually thereafter, or as required by the ISPM. Training requirements for ��Ҵ�ý employees are based on job role, division of employment, and scope of data and IT Services access, among other factors; as such, employee information security awareness training needs must be reassessed by managers and supervisors following any change in employee job role or responsibilities.

The Information Security Program Manager will:

Develop or acquire information security training and test materials.
Update and revise training and test materials at least annually to reflect current threats and information security best practices.
Provide the ability to collect feedback regarding the content and efficacy of the training program.
Track, record, and report training/testing completion rates and other program statistics.
Ensure compliance with training mandates across the College.

The information security awareness program will review security awareness best practices including information classification and handling and how to identify different forms of social engineering attacks (e.g. phishing, phone scams, impersonation calls); it will also include simulated non-malicious phishing email to assess End User readiness and identify knowledge gaps and areas for continuous improvement.

Training in information security threats and safeguards for T&I staff and Product Owners is mandatory, with the extent of technical training to reflect the individual’s responsibility for configuring and maintaining information security safeguards.

6. IT Service Acquisition, Development, and Maintenance

Acquisition of IT Services, including all technology devices, equipment and peripherals, must be either approved by the Chief Information Officer or purchased by T&I, as specified in the ��Ҵ�ý Technology Terms of Service.

The Product Owner is responsible for any IT Services written, coded, built or otherwise developed by ��Ҵ�ý staff, including ensuring that the IT Products and their subcomponents (including application stack elements) are free from known security vulnerabilities and follow best practices. Product Owners should be aware that virtually all homegrown/developed software and IT Services will require review and updates on a periodic basis, potentially as frequently as monthly or weekly.

7. Information Systems Operations Security

All Product Owners must coordinate and cooperate with the Information Security Program Manager and other T&I staff to ensure that ��Ҵ�ý IT Services are operationally secure. This includes:

Ensuring all IT Services meet information security standards for approval at acquisition and on an ongoing basis (for (��Ҵ�ý login required), this typically involves review of the EDUCAUSE HECVAT questionnaire submitted by the vendor and ongoing review of vendor security reports);
(��Ҵ�ý login required) hosted by ��Ҵ�ý on-campus or in the cloud are configured for routine network and application vulnerability scans and are public accessed only through appropriate security measures (such as the web application firewall);
Resolving any vulnerabilities or risks associated with an IT Product when reported by vulnerability scans, vendor notices, industry or government warnings, etc., including evaluating IT Services for the presence of risky code, modules or components;
For ��Ҵ�ý-hosted IT Services, using servers and other infrastructure components that are subject to standard configuration and management by T&I to ensure ongoing updates, patches and maintenance;
Resolving IT Product errors or problems caused by required updates to supporting infrastructure (such as a server operating system security patch causing a problem with the operation of an IT Product);
Ensuring that IT Services implement data retention schedules for Restricted and Confidential data to ensure that Restricted and Confidential data are not maintained for longer than the business need requires;
Ensuring that backups of business critical data are captured and maintained in accordance with industry best practices;
Verifying that ��Ҵ�ý IT Services utilize industry (��Ҵ�ý login required), where appropriate, in order to protect the confidentiality and integrity of information, both in transit and at rest;
Understanding relevant data security and privacy legal requirements such as those of the Gramm-Leach-Bliley Act, the Federal Educational Rights and Privacy Act, the North Carolina Identity Theft Act, the European Union General Data Protection Directive, and other applicable laws and regulations, sufficient to know whether their IT Product(s) must comply with such regulations and ensuring that they do comply if required;
For any IT Product that collects, processes or transmits credit card information as regulated by Payment Card Industry (PCI) standards, ensuring that only ��Ҵ�ý-authorized security technologies (typically P2PE) are used to avoid bringing other ��Ҵ�ý IT services and the network into compliance scope, and coordinating with third-party vendors to ensure they complete a PCI Attestation of Compliance (AoC) annually.

8. Passwords and Multi-factor Authentication

To protect the confidentiality and integrity of ��Ҵ�ý data, all ��Ҵ�ý account passwords should follow industry best practices for length, complexity, age, password history, dictionary checks, etc. Additionally, to further strengthen the ��Ҵ�ý environment, multi-factor authentication should be used where possible in line with industry standards and best practices (e.g., following National Institute of Standards and Technology recommendations), and must be used for administrator and superuser access except by approval of the ISPM.

9. Risk Assessment and Management

To ensure information security is implemented and operated as required in ��Ҵ�ý’s policies, standards, procedures, and guidelines, T&I will perform a risk assessment, or other industry standard practices, at planned intervals to assess the institution’s security posture as stated in the Information Security Plan. T&I additionally routinely performs regular automated security vulnerability assessments and participates in processes such as penetration testing as needed to assess possible risks and current remediations, and participates in the College’s financial audits and related processes. Updates on cybersecurity including the ISPM or CIO’s assessment of known risks shall be reported to the College’s Senior Leadership Team, or as appropriate or upon request, to the ��Ҵ�ý Board of Trustees.

10. Incident Response

The response to information security incidents that threaten the confidentiality, integrity, and availability of ��Ҵ�ý IT Services are managed by ��Ҵ�ý's Incident Response Plan. This internal document identifies the Incident Response Team, roles and responsibilities, and appropriate steps needed to detect, contain, eradicate, and recover from a security incident.

11. Physical and Environment Security

To protect ��Ҵ�ý IT Services from physical threats, access to facilities housing servers and or network equipment is limited to authorized personnel only. Visitors must be escorted at all times while accessing these areas. Reasonable safeguards should be implemented to protect ��Ҵ�ý equipment from environmental threats, including, but not limited to water, fire, power failures, and surges.

All technology equipment that is end of life (servers, network equipment, laptops/desktops, etc.) should be disposed of in accordance to the latest industry standard recommendations depending on the potential data elements present.

12. Network Management Security

All networking equipment must be properly configured and maintained at all times. All relevant security updates must be applied in a timely manner to prevent exploitation or compromise. All default user accounts and passwords on network equipment must be changed prior to implementation. Network devices should have a hardened system configuration that includes disabling all unnecessary services. Management interfaces should only be accessible from the ��Ҵ�ý network or with the use of a virtual private network (VPN).

13. Business Continuity and Disaster Recovery

To ensure adequate plans and procedures are in place to enable ��Ҵ�ý to avoid or minimize interruption to any critical functions during and after major failures or disasters, ��Ҵ�ý will develop and document an appropriate and resilient Business Continuity and Disaster Recovery Plan. This plan will address interruptions to ��Ҵ�ý business activities and to protect critical business processes from the effects of major failures or disasters. This plan should be tested periodically based on industry best practices and reviewed at least annually.

Administration of Policy

The CIO shall oversee this policy and review it at least once every two years. Changes to this policy shall be made in accordance with the college’s Policy on Policies.

Last Revised: April 2022

Appendix: Definitions

Each term listed below shall carry the associated meaning in the policy unless otherwise defined.

access - The ability to view, use, or change information in ��Ҵ�ý IT Services.
availability - The degree to which information and critical ��Ҵ�ý IT Services are accessible for use when required.
confidentiality - The degree to which confidential ��Ҵ�ý information is protected from unauthorized disclosure.
control - Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Controls help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
End User - The person that a software program or hardware device is designed for and who uses the software or hardware after it has been fully developed, marketed, and installed. End Users include students, faculty, staff, contractors, consultants, and temporary employees.
IT Services - ��Ҵ�ý’s information technology services, including applications, computing equipment, networks, servers, licensed third party software and systems, telecommunications systems, other technology or communications platforms, and other resources and the data stored in or on any such technology
Information Security - The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. The focus is on the confidentiality, integrity, and availability of data.
integrity - The degree to which the accuracy, completeness, and consistency of information is safeguarded to protect the business of the Institution.
Product Owner - Individual with primary responsibility for overseeing the collection, storage, use, and security of a particular IT Service.
risk - A probability or threat of damage, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
security breach - An unauthorized intrusion into a ��Ҵ�ý IT Service where unauthorized disclosure, modification, or destruction of confidential information may have occurred.
security incident - An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; interference with IT Service operation; or violation of information security policy.
threat - An event or condition that has the potential for causing the loss of confidentiality, integrity, and accessibility of ��Ҵ�ý IT Services or data.

���Ҵ�ý