Information Technology Security Services
Draft Information Technology Security Policy 

Policy ID: P-01
Date Instituted: August 4, 2008
Last Revised: October 7, 2008

Policy Description

Preface

This document outlines the overall Seton Hall University Policy to protect critical information and data, and to comply with Federal Law.  To this end, the University Information Technology Services (UITS) proposes certain practices in the University information technology environment and institutional information security procedures. The main area to be impacted by these practices is UITS.  Other areas of the University that might be impacted include, but are not limited to: Enrollment Management, Student Life, Student Accounts and Registrar Services, Financial Aid, University Library, and many third-party contractors, including the Seton Hall Identification/One Card, Food Services, and the Bookstore.

Introduction

Information is one of Seton Hall University’s most valuable assets and therefore must be protected at all costs! It is of paramount importance that all faculty, staff, students and contractors be aware of the “value” of information and be sensitive to how it is handled. Seton Hall is committed to protecting information resources that are critical to its academic and research mission. To that end, this Information Security Policy has been developed and mandates a framework of controls for ensuring the continuous protection of SHU information resources.

Purpose

This document defines the Information Security Policy and establishes expectations and directives to address risks associated with the University’s computing and information resources. The purpose of this policy is to protect Seton Hall’s information resources from accidental or intentional unauthorized access or damage, while supporting the mission statement requirements of its academic culture.

Scope

This policy applies to faculty, staff, students, vendors, contractors, consultants and all others granted use of University information or related assets and defines their responsibility for the protection and appropriate use of University information, applications, computer systems, and networks.

Security Management

Information Security is the provision of Administrative, Technical and Physical controls to safeguard IT assets against unauthorized access, damage and interference – both malicious and accidental. Organizations meet this goal by striving to accomplish the following objectives:  

a. Availability of Data or Systems: The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information.  This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.
b. Integrity of Data or Systems: System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
c. Confidentiality of Data or Systems: Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
d. Accountability: Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.

Policy Enforcement

Violations of this policy should be brought to the immediate attention of the Information Security Officer, who will work to ensure that the problem is resolved and to identify the steps necessary to prevent future violations. University IT Services will investigate suspected violations, and may recommend disciplinary action in accordance with University codes of conduct, policies, or applicable laws. Sanctions may include one or more of the following:

  1. Suspension or termination of access
  2. Disciplinary action up to and including termination of employment
  3. Student discipline in accordance with applicable University policy
  4. Civil or criminal penalties

Roles and Responsibilities

a. Legal and regulatory requirements such as GLBA, SOX, HIPAA, FERPA and others prohibit unauthorized computer access. They hold individuals, as well as organizations, legally responsible for the protection and appropriate use of organizational information. It is the responsibility of each individual to become familiar with and abide by the relevant policies and procedures. These include the policies set forth in this document as well as others that may be specific to your department, unit or function.
b. All SHU users are entrusted with handling essential University information in a professional and secure manner. It is your obligation to ensure that the information you use is being used within the limits of your authorization and for appropriate business purposes. Department Directors/Managers are specifically responsible for applying economically efficient security safeguards to the information assets under their control. In addition, managers must provide leadership and support to their staff. They must assist employees in understanding the importance of information security and ensure their compliance with and observance of relevant regulations.

Executive Management

Information security is not only a technology issue but also a significant business risk that demands the engagement of the University’s Executive Management, who should:

a. Clearly support all aspects of the information security program;
b. Assign responsibility for managing specific elements of University information to individual Data Stewards;
c. Participate in assessing the effect of security issues on the institution and its business lines;
d. Delineate clear lines of responsibility and accountability for information security risk management decisions;
e. Establish acceptable levels of information security risks;
f. Ensure that appropriate training is provided to data owners, data custodians, IT staff, and users entrusted to preserve the confidentiality, integrity and availability of the University’s data, systems, networks and processes.

Information Security Officer

  1. Is the Subject Matter Expert and has the overall responsibility for Information Security matters;
  2. Has the responsibility of establishing a Comprehensive IT Risk Management Framework including development of security policies, standards, procedures and guidelines;
  3. Implements a University-wide security Training and awareness program;
  4. Leads Information Security governance and Information Security Program Management;
  5. Plays a Lead role in the IT Disaster Recovery and Security Incident Response;
  6. Works closely with the University Legal Counsel, Compliance Officer, CIO, Executive Director of UITS, as well as all relevant departments throughout the University;
  7. Advises UITS on protection goals, objectives and metrics to measure the effectiveness of new procedures and policies.

Data Security Steward

  1. Ensures the confidentiality, integrity and availability of University information under their jurisdiction;
  2. Classifies all departmental information according to its sensitivity;
  3. Defines access to and restrictions on use of the information for which he or she is responsible;
  4. Recertifies departmental user access privileges on a quarterly basis.

Faculty, Staff, Students

  1. Protect the privacy and security of University information, applications, computer systems, and networks under their control;
  2. Adhere to all relevant information handling standards;
  3. Report suspected violations of this policy to the appropriate Data Steward or Information Security Officer;

Office of University Information Technology Services:

a. Includes all staff members of the IT Department, including but not limited to Project Managers, Application Developers, System and Network Support, Operations, and Help Desk;
b. Implements this policy to protect the Confidentiality, Integrity and Availability of the University’s computing resources;
c. Maintains the information security awareness, training and education program;
d. Investigates suspected violations of the Information Security Policy;
e. Assists in creating and maintaining standards and procedures related to this policy;
f. Ensures that information security requirements are defined and integrated into each project throughout its lifecycle.

Human Resources

Human resources along with departmental management are responsible for providing timely information about employee termination or transfers so that appropriate steps can be taken to revoke or change access to systems and information. HR will also ensure that new hires read the appropriate policies and procedures during employee orientation.

Data Classification

The University and all members of the University community are obligated to protect confidential data. Medical records, student records, certain employment-related records, library use records, attorney-client communications, and certain research and other intellectual property-related records are, subject to limited exceptions, confidential as a matter of law. Many other categories of records, including faculty and other personnel records, and records relating to the University's business and finances are, as a matter of University policy, treated as confidential.

Confidential Information is defined as information about a person or an entity that, if disclosed, could reasonably be expected to place either the person or the entity at risk, or be damaging to financial standing, employability, or reputation. In addition to any University penalties, inappropriate disclosure or misuse of confidential information may, in some cases, lead to criminal or civil liability. All SHU users are responsible for the protection of confidential information entrusted to them. To reduce the risk of loss of confidential data through theft, one should not store Confidential Information on laptops or on a portable storage device. Non-electronic records containing high-risk confidential information must be kept in secure locked containers except when in use. Confidential Information stored on systems should have additional security controls and be secured via encryption during transmission and storage.

The measures required to secure information vary according to the level of risk that the University faces if its information should suffer a loss of confidentiality, integrity or availability. It is essential that all University data be protected. There are, however, gradations that require different levels of security. All data should be reviewed on a periodic basis and classified according to its criticality.

University information should be classified in the following categories, based upon intended use and expected impact if disclosed:

a. Public - Information intended for public use that, when used as intended, would have no adverse effect on the operations, assets, or reputation of the University, or the University’s obligations concerning information privacy;
b. For Internal Use - Information not intended for parties outside the University that, if disclosed, would have minimal or no adverse effect on the operations, assets, or reputation of the University, or the University’s obligations concerning information privacy;
c. Confidential - Information intended for limited use within the University that, if disclosed, could be expected to have a serious adverse effect on the operations, assets, or reputation of the University, or the University’s obligations concerning information privacy.

Risk Assessment

A risk assessment is an important part of any information security process and helps in identifying the criticality of information and the consequences if the information is disclosed, modified or destroyed. Risk assessment is the basis for assigning priorities for mitigating risk. It is the responsibility of Executive Management to ensure that all Department Directors/Managers and Data Stewards periodically conduct such assessments within their areas of operation. The Office of Internal Audit should oversee functional risk assessments. The Information Security Officer must work with all relevant areas of the University and conduct technical risk assessments to identify both internal and external risks and recommend corrective actions to reduce risk to an acceptable level.

Information Security Architecture

A defined Information Security Architecture must be followed to ensure that all technology and technology services used by SHU enable appropriate security measures to operate consistently and effectively.

Access Control

Access to information and systems should be based on the principles of ‘Need to Know’ and ‘Need to Do’. Access should be granted only to authorized SHU users. To ensure that controls are in place to protect information from errors and malicious behavior, individuals must only have access to information, systems or services that are necessary for the proper performance of their duties. Access to information must be explicitly authorized in writing, electronically or through adequate workflow and based on the principle of least privilege. The default level of access is “no access”.

Segregation of Duties

To reduce the risk of loss of confidentiality, integrity and availability of the University’s systems and data, and as an internal control mechanism, the principle of Segregation of Duties must be enforced. In order to eliminate dependency on key personnel or single points of failure, high-value information and processes must never be under the exclusive control of a single person. Developers should not have permanent access to production systems.

Internet Access

The Internet is an open, public, and shared network. It is not regulated, and information security on it is minimal. Consequently, correspondence is unprotected when sent via open networks. Confidential information, therefore, should not be sent over the Internet. Downloading of viruses, unlicensed software, hacking tools or offensive materials is prohibited.

Change Management

All changes to systems, including infrastructure, applications and user-developed systems, as well as the introduction of infrastructure technology products, must be controlled through an approved lifecycle methodology. All Changes to the Production systems must explicitly be approved by Functional Data Owners.

Vulnerability Management

Historical, existing, and emerging vulnerabilities within or external to SHU networks, systems, and other information resources must be managed and/or monitored to ensure the on-going safety, security, and integrity of the systems and the information they contain and transmit. Under the guidance of the University Information Security Officer, vulnerability scans should be run in order to identify security risks and to protect computing and networking resources. Network operators should monitor network activity for signs of attack and take appropriate action.

Security Awareness

It is ultimately the responsibility of Executive Management to ensure that all users of information understand how to protect SHU assets, including information systems, and comply with policies, standards and procedures. Supervisors and Managers must ensure that personnel working within their departments understand general information security requirements and that they are sufficiently knowledgeable about the Information Technology security policies and procedures. Information security training and awareness programs shall be developed by the Information Security Officer to ensure that all users are provided relevant and timely guidance and security awareness information.

Media Handling and Destruction

Electronic or physical records containing confidential information must be properly secured while in use and, when no longer needed, disposed of so that the confidential information cannot be retrieved.

Physical Security

Physical access to any facility that is sensitive for any reason should be appropriately controlled and documented as per business need. Logs of access to physical facilities or electronic systems need to be properly protected. To protect the availability of systems and data, appropriate environmental controls should be in place within the Data Center and storage facilities.

Remote Access

The term "remote access" refers to the use of the University network’s resources from a remote location, that is, a location that is not directly connected to the local area network (LAN). Users accessing SHU resources from remote locations must take all reasonable measures to secure their connection, including, but not limited to, the use of strong two-factor authentication, encryption, a personal firewall and antivirus software. Access should be granted only on a strong business need, and controls should be in place such as session timeouts, audit trails, and automatic account lockouts after unsuccessful attempts. Third-party service providers should not be granted remote access to the University systems. Remote access requests must be approved and reviewed by the Information Security Officer.

Protection against Malicious Software

The introduction and proliferation of malicious code, on SHU networks, systems, and other information resources must be defended against through the application or establishment of reasonable and accepted devices, software, protocols, or other means, and the continual maintenance and upkeep of those means. With regard to malicious code, any and all means employed to protect and secure networks, systems, and other information resources must be established, applied, and/or utilized in accordance with business objectives.

Operating System and Workstation Security

IT assets, including servers and their operating systems, must be properly configured and maintained in order to ensure the protection of information on those resources. IT personnel must ensure that the computing environment is secure, that default vendor accounts are removed, that patches are up to date and that the machines are operated in a way that minimizes the chance of a security breach. Computer operators must also ensure that only required applications are enabled on a computer. All laptops should be equipped with antivirus and personal firewall protection to minimize the risk of compromise or infection.

Network Security

All confidential information must be encrypted when transported across any network. All network equipment, especially firewalls, should be properly configured with the rule of Default Deny. Firewall ports should not be opened without explicit approval from the Information Security Officer. All University network connections shall be monitored for suspicious activity and to protect their confidentiality, integrity and availability.

Application Security

All applications should be developed using an approved SDLC methodology that ensures data accuracy, completeness, accountability and integrity through formal controls. Critical application system files and customer identifying data must be protected against unauthorized access. Encryption should be used to store or transmit confidential data. Session timeouts should be in place for applications that deal with confidential information. Secure coding practices must be employed to mitigate the risks of loss of confidentiality, integrity and availability.

Security Breaches / Incident Handling

Mechanisms must be in place to detect and record security breaches, anomalies, incidents and unauthorized actions. Processes must be established to report incidents and to react in a sensible and effective manner to limit or avoid business interruption and to highlight any lessons learned to minimize the risk of future recurrences. It is the responsibility of all employees to report breaches, weaknesses and malfunctions. This applies equally where information is processed, transmitted or stored on behalf of SHU, by third party service providers. The Information Security Officer will lead investigations and reporting of information security incidents, acting as the point of contact when working with other University groups.

External Service Providers

The Gramm-Leach-Bliley Act (GLBA) mandates that the University:

a. appoint an Information Security Plan Coordinator (ISPC),
b. conduct a risk assessment of possible security and privacy risks,
c. institute a training program for employees that access covered data and information,
d. oversee service providers and contracts, and
e. evaluate the Information Security Plan and adjust it as needed.

The GLBA mandates that the University take reasonable steps to select and retain technology and outside service providers who maintain appropriate technical, administrative and physical safeguards for data protection. A comprehensive risk management process should be in place that includes risk assessment, contract review, confidentiality and privacy agreements and periodic monitoring. SLAs should be reviewed periodically for relevance.

Disaster Recovery and Business Continuity Planning

To mitigate the negative effects of operating disruptions when confronted with adverse events such as natural disasters, technological failures, human error or sabotage, and to ensure the integrity and availability of critical information resources, the University must implement an effective BCP program. That program encompasses risk assessment, risk mitigation, emergency response, and business recovery, so that operations can be maintained and recovered when they have been disrupted unexpectedly. Any systems that host electronic information identified as critical to the continuing operation of the campus or the University should be appropriately backed up and included in disaster recovery plans.

Departmental Policies and Procedures

Each department should develop and maintain additional procedures and guidelines that support the overall intent of the Information Security Policy and address special situations and departmental applications.

Exceptions to the Policy

There may be certain instances where compliance with specific policy requirements is not immediately possible. Exceptions may be made on a case-by-case basis, whereby departments must submit to the Information Security Officer a detailed justification of the compliance issue and an action plan for coming into compliance within a reasonable amount of time.

Information Security Standards and Guidelines

SHU Information Security standards, Procedures and Guidelines are detailed methods for achieving the security objectives stated in this policy and shall be developed under the guidance of the Information Security Officer by the team members of the University Information Technology Services.

Seton Hall Information Technology - User Responsibilities Form V1.0

As a user of Seton Hall’s Information Technology Resources, I agree to…

1. Understand the access authorizations granted to me, not attempt to exceed them, and not disclose sensitive information related to Seton Hall University to friends, family or anyone who does not have a need-to-know:
a. Protect, at all costs, personally identifiable information (names, SSN, addresses, telephone numbers, driver’s license numbers, credit card information, etc.) that I may have access to in the normal course of doing business;
b. Protect, at all costs, University Confidential Information (enrollment projections, budget projections, grades, payroll information, etc.) that I may have access to in the normal course of doing business;
2. Keep my password(s) confidential and not divulge them, except for emergency diagnostics (in person – never over the telephone) or maintenance, after which I will change them immediately. (If I divulge my passwords, I understand that I am accountable for all activities performed through the use of that UserId/password);
3. Construct complex passwords according to the following requirements:
a. Be a minimum of eight characters in length (the longer the better);
b. Be composed of at least one upper case alphabetic, at least one lower case alphabetic, at least one numeric and at least one symbolic character, with not more than two consecutive repeating characters;
c. Not be composed so that they can be easily guessed – names, dates and words from the dictionary should be avoided;
4. Not store my passwords in computer storage media or write them down;
5. Change my password at least every ninety (90) days to a never-before-used password associated with my account;
6. Never leave my terminal/workstation unattended – I will always lock my workstation when away from the desk;
7. Notify my manager as soon as my access authorization is no longer needed;
8. Physically secure data storage media (e.g., USB memory keys, CD-ROMs, back-up tapes) when not in use;
9. Not make, accept, or use unauthorized copies of software or download any unauthorized programs from the Internet, and ensure that license agreements are not purposefully violated;
10. Ensure that all media is scanned for viruses prior to use, and report all virus and security incidents immediately after occurrence;
11. Back up vital information on stand-alone PCs or workstation hard drives at creation and whenever it is significantly changed, and move the copy as soon as possible to a physically secure off-premises location.
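As an added example (not Seton Hall’s own tooling, and not code from the original form), the password rules in items 3 and 5 above can be enforced by a checker that tells the user exactly which requirement failed. The word list, date formats and salt are constructed assumptions; the history check compares salted hashes so that old passwords never need to be stored in clear.

```python
"""Checker for the password rules in items 3 and 5 of the User Responsibilities
Form: length, character classes, repeated-character run, guessable content
and reuse of an earlier password (added example, not SHU's own code)."""
import hashlib
import hmac
import re
import string

MIN_LENGTH = 8      # 3a: minimum of eight characters
MAX_RUN = 2         # 3b: not more than two consecutive repeating characters

# Constructed, deliberately tiny stand-in for a dictionary/name list (3c);
# a real deployment would load a proper wordlist.
WEAK_WORDS = {"password", "welcome", "seton", "pirates", "summer", "letmein"}

# Assumed date layouts for the "no dates" part of 3c (yyyy-mm-dd, yyyymmdd,
# mm/dd/yyyy, mmddyyyy); extend as needed.
DATE_PATTERNS = (
    re.compile(r"(19|20)\d{2}[-/]?\d{2}[-/]?\d{2}"),
    re.compile(r"\d{2}[-/]?\d{2}[-/]?(19|20)\d{2}"),
)


def hash_password(password, salt):
    """Return (salt, PBKDF2-SHA256 digest); the history stores these pairs."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return (salt, digest)


def longest_run(text):
    """Length of the longest run of one repeated character ("aaa" -> 3)."""
    longest = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def check_password(candidate, history=()):
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("3a: fewer than 8 characters")
    classes = {
        "upper": any(c.isupper() for c in candidate),
        "lower": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"3b: missing {name} character")
    if longest_run(candidate) > MAX_RUN:
        problems.append("3b: more than two consecutive repeating characters")
    lowered = candidate.lower()
    if any(word in lowered for word in WEAK_WORDS):
        problems.append("3c: contains a common word or name")
    if any(pattern.search(candidate) for pattern in DATE_PATTERNS):
        problems.append("3c: contains a date")
    # Rule 5: never reuse a password; compare digests in constant time.
    for salt, old_digest in history:
        if hmac.compare_digest(hash_password(candidate, salt)[1], old_digest):
            problems.append("5: password has been used before")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: one retired password on file, a few candidates.
    on_file = [hash_password("Old#Pass2008", b"constructed-salt")]
    for pw in ("Tr0ub4dor&3", "password", "Baaa1!cd", "Shu@2008-10-07", "Old#Pass2008"):
        print(f"{pw!r}: {check_password(pw, on_file) or 'OK'}")
```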

Note: If there are any questions concerning these requirements, please discuss them with your manager or your Information Security Officer, Anand Malwade, Malwadan@shu.edu, (973) 275-2209.
As User of SHU Technology assets, I understand #1-11 above and will comply to the best of my ability. 

User Name: _______________________________

SHUID#:      _______________________________

Contact Us

Information Technology Security Services
Telephone (973) 275-2209
Fax (973) 761-9600
E-mail itsec@shu.edu
Corrigan Hall