400.11 - Information Resource Security

University Group Policy #400.11

I.    Executive Summary

Winston-Salem State University (WSSU) is committed to protecting the confidentiality, integrity, and availability of information and information resources in its various forms (electronic, paper, etc.). Access to these resources shall be appropriately managed. The guidelines identified in this plan represent commonly accepted goals of information security management as identified by ISO/IEC 27002:2013 (Information Technology – Security techniques – Code of practice for information security management), the recognized standard adopted by the University of North Carolina System and affiliated organizations, and address requirements defined by state and federal laws and relevant contractual obligations.

II.  Policy Statement

It is the policy of the University to protect Information Resources, based on Risk, against accidental or unauthorized access, disclosure, modification, or destruction, and to assure the availability, confidentiality, and integrity of these resources while avoiding the creation of unjustified obstacles to conducting business and achieving the mission of WSSU. This policy supports security, business continuity, risk management, and compliance with applicable laws and regulations. The purpose of this policy is to:

  1. Establish Standards regarding the use and safeguarding of WSSU Information Resources;
  2. Protect the privacy of individuals by preserving the confidentiality of Personally Identifiable Information entrusted to WSSU;
  3. Ensure compliance with applicable Policies and State and Federal laws and regulations regarding management of risks to and the security of Information Resources;
  4. Appropriately reduce the collection, use, or disclosure of social security numbers contained in any medium, including paper records;
  5. Establish accountability;
  6. Educate individuals regarding their responsibilities associated with use and management of WSSU Information Resources; and
  7. Serve as the foundation for WSSU’s Information Security Program, providing the authority to implement Policies, Standards, and Procedures necessary to implement an effective Information Security Program in compliance with this Policy.

III.    Guidelines

a. Information Technology Security Support by Management

Organizational assets and operations have become increasingly dependent on information resources and technology to accomplish mission and performance goals. Recognizing WSSU’s dependency on these resources, information becomes a strategic enabler for mission accomplishment; therefore, protecting that information becomes a high priority that WSSU’s Executive Management fully supports. Meeting this need requires that senior leadership focus on effective information security governance and support, which in turn requires integration of security into the strategic and daily operations of WSSU.

  1. The Chancellor and Executive Staff are responsible for:
    1. Establishing the organization’s information resource security program;
    2. Setting program goals and priorities that support the mission of the organization;
    3. Ensuring resources are available to support the information resource security program and make it successful;
  2. The Provost, Vice Chancellors, General Counsel, Deans, and Department Heads are responsible for ensuring that staff have the appropriate training and handle correctly any institutional information produced and managed by their division/unit.
  3. The Office of Information Technology is responsible for ensuring that the appropriate technologies and system policies and permissions are in place to ensure appropriate access to electronic data.
  4. Department directors and managers are responsible for enforcing information technology security policies and practices within their departments.

b. Security Framework

The University of North Carolina System and WSSU have adopted the ISO 27002 security standard as the framework for university information security policy. This policy is the umbrella University information security policy that will refer to existing and future policies and standards that support it.

c. Risk Management and Assessment

Risks to information resources must be managed using a methodology that is compatible with industry standards, such as ISO/IEC 27005:2011 and NIST Special Publication 800-30. The expense of security safeguards shall be commensurate with the value of the assets being protected and the liability inherent in regulations, laws, contractual obligations, or other agreements governing the assets.

  1. The Chief Information Officer will commission an information technology security risk assessment of information resources consistent with University of North Carolina System and campus compliance and risk assessment plans.
  2. Risk assessments of mission critical and high-risk information resources shall be conducted annually. All information resources shall be assessed biennially.
  3. The Chancellor or their designated representative is responsible for approving the risk management plan and making risk management decisions based on the risk assessment, either accepting the exposures or protecting the data according to its value/sensitivity.
  4. If a public information request for the risk management plan or a risk assessment is received, Legal Counsel for the campus shall determine whether the requested information is exempt from disclosure.

d. Information Technology Security Roles & Responsibilities

WSSU Senior Management has overall responsibility for ensuring that adequate protection of valuable information assets is maintained. All students, faculty, staff, independent contractors, consultants, temporary workers and other workers, including all personnel affiliated with third parties of WSSU, share in the responsibility to help protect University information resources. Specific responsibilities are assigned to designated positions and groups as needed to support the University’s information technology security program.

i. WSSU Management

Senior management has overall responsibility for ensuring that adequate protection of information is maintained by supporting and enabling an effective information security organization and program. Senior management also has responsibility for reviewing and approving security practices and measures as recommended by the Information Security Officer.

All managers and department heads are responsible for protecting information within their assigned areas of control. They are responsible for ensuring that approved protection policies, standards, and procedures are followed. They are also responsible for recognizing and reporting security vulnerabilities and ensuring that appropriate measures are implemented to address them.

ii. Office of Information Technology

Personnel in the Office of Information Technology are responsible for maintaining a secure processing environment for the University. Working with the Information Security Manager, IT personnel will implement security tools and practices consistent with the defined strategy and address identified security risks. They are also responsible for ongoing monitoring and assessment to recognize new security vulnerabilities and risks.

iii. Information Security Officer

The Information Security Officer is responsible for the definition, management, and execution of WSSU’s information technology security strategy, program, and controls. The Information Security Officer works closely with management throughout the University in defining security practices and measures to:

1. Identify and assess information security risks
2. Define security strategy and direction to address defined risks
3. Implement and enforce policies, procedures, and standards
4. Implement and maintain appropriate security practices and measures
5. Implement and maintain an information security awareness and training program
6. Direct the response to security incidents and threats to minimize impact to the University
7. Provide consulting and assistance as needed for unanticipated information security issues.

iv. Information Owner

An information owner refers to the person who has the ultimate authority and accountability for the information assets in his/her functional area, usually senior management such as the head of the business function or department. An information owner is directly responsible for the protection of the information resources to which he or she is assigned ownership. Ownership is usually designated to the functional area where the data originates, or that is the primary user of the data. Information owners’ responsibilities include:

1. Classifying Information
2. Ensuring that appropriate protection measures are in place
3. Authorizing access to information
4. Ensuring compliance with policies, standards, and procedures
5. Business Continuity Planning

Information security and IT personnel will provide assistance and tools to support these requirements. The information owner may delegate specific tasks associated with these responsibilities, such as authorizing access to information, to appropriate persons in his/her area, but may not delegate the responsibility.

v. Custodians

Custodians (typically system and application administrators) are the direct link between information security policies and the network, systems, and data. System and Application Administrator responsibilities include:

1. Apply information security policies and procedures as applicable to all information assets
2. Administer user account and authentication management throughout the computing environment
3. Administer and enforce access control policies
4. Maintain secure processing and infrastructure equipment configurations
5. Assist in response to security incidents and threats

vi. Users

Everyone that uses or has access to WSSU information assets must recognize their responsibility for the safekeeping of those assets. Users must guard against abuses that disrupt or threaten the viability of all systems. The following are specific responsibilities of all WSSU users:

1. Maintain awareness of and comply with the contents of all information security policies
2. Immediately report any suspected security breach to Technical Support Services or the Information Security Office
3. Handle all data and information resources with the appropriate level of security, consistent with data classification requirements
4. Understand the consequences of actions with regard to computing security practices and act accordingly
5. Use strong passwords, never share them, and maintain their security and confidentiality
6. Always secure sensitive hardcopy documents under lock and key
7. Always lock computer screens (desktop or laptop) when left unattended, even if for only a few minutes.

e. Policy Review

The Information Resource Security Policy, including its supporting Standards and Guidelines, will be reviewed at planned intervals (biennially), or sooner if significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness. The Office of Information Technology’s Information Security Officer, or their designee, will notify the campus community if changes are made. A working group may be assembled with representatives from among the campus units to review proposed changes if needed.

f. Deviations, Exceptions, and Consequences

In cases where University information resources are actively threatened, the Chief Information Officer (CIO), or their designee(s), will act in the best interest of the University by securing those resources. When possible, the CIO will abide by established incident handling procedures to mitigate any threat. In an urgent situation requiring immediate action and leaving no time for collaboration, the CIO is authorized to disconnect any affected device from the network. University information resources are subject to vulnerability assessment and safeguard compliance by the CIO, the Information Security Officer, or their designee(s).

i. Exceptions

Any information resource that cannot comply with the Information Resource Security Policy or its supportive standards may be granted an exception after a review and approval by the Information Security Officer. If a department requesting an exception to this policy on the basis of non-security-related issues disagrees with the decision of the Information Security Officer, the department may appeal the decision to the Chief Information Officer, or to the Provost and Vice Chancellor for Academic Affairs, who has final approval authority for the non-security-related exception.

ii. Consequences

• Any violation of this policy by a University student is subject to the Student Code of Conduct in the Student Handbook.
• For employees, any violation of this policy is "misconduct" under EHRA policies (faculty and EHRA non-faculty) and "unacceptable personal conduct" under SHRA policies, including any appeal rights stated therein.
• Violations of law may also be referred for criminal or civil prosecution.
• Violations of this policy may result in termination or suspension of access, in whole or in part, to University information systems at the discretion of OIT where such action is reasonable to protect the University or the University information infrastructure.
• The University, in consultation with its legal counsel, may also refer suspected violations of applicable law to appropriate law enforcement agencies to investigate any matter at its sole discretion.

IV.     Applicability

This policy and its supporting standards, procedures, and guidelines do not supersede any applicable state or federal laws regarding access to or disclosure of information, and apply to:

  1. All active members of the University community, including faculty, students, staff, and affiliates, and to authorized visitors, guests, and others for whom University technology resources and network access are made available by the University. This policy also applies to campus visitors who avail themselves of the University’s temporary visitor wireless network access service and to those who register their computers and other devices through Conference and Event Services programs or through other offices, for the use of the campus network.
  2. Any information asset owned, leased or controlled by, or operated on behalf of WSSU, including, but not limited to, desktop and laptop computing systems, tablets, servers, data storage devices, communication systems, firewalls, routers, switches, hubs, personal digital assistants (PDAs), smartphones, and mobile devices, where lawfully permitted.
  3. All computing platforms, operating system software, middleware or application software under the control of third parties that connect in any way to the WSSU enterprise computing or telecommunications network.
  4. All data, information, knowledge, documents, presentations, databases or other information resource stored on WSSU’s computing platforms and/or transferred by WSSU’s enterprise network.

Responsible Division: Office of Information Technology

Authority: Board of Trustees

History:

  • Adopted: March 16, 2018

Related Resources: