400.11 - Information Resource Security
University Group Policy #400.11
I. Executive Summary
Winston-Salem State University (WSSU) is committed to protecting the confidentiality, integrity, and availability of information and information resources in all their forms (electronic, paper, etc.). Access to these resources shall be appropriately managed. The guidelines identified in this plan represent commonly accepted goals of information security management as identified in ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls, the recognized standard adopted by the University of North Carolina System and affiliated organizations, and they address requirements defined by state and federal laws and by relevant contractual obligations.
II. Policy Statement
It is the policy of the University to protect Information Resources, based on Risk, against accidental or unauthorized access, disclosure, modification, or destruction; to assure the availability, confidentiality, and integrity of these resources while avoiding the creation of unjustified obstacles to conducting business and achieving the mission of WSSU; and to support security, business continuity, risk management, and compliance with applicable laws and regulations. The purposes of this policy are to:
- Establish Standards regarding the use and safeguarding of WSSU Information Resources;
- Protect the privacy of individuals by preserving the confidentiality of Personally Identifiable Information entrusted to WSSU;
- Ensure compliance with applicable Policies and State and Federal laws and regulations regarding management of risks to and the security of Information Resources;
- Appropriately reduce the collection, use, or disclosure of social security numbers contained in any medium, including paper records;
- Establish accountability;
- Educate individuals regarding their responsibilities associated with use and management of WSSU Information Resources; and
- Serve as the foundation for WSSU’s Information Security Program, providing the authority to adopt the Policies, Standards, and Procedures necessary for an effective Information Security Program in compliance with this Policy.
III. Guidelines
a. Information Technology Security Support by Management
Organizational assets and operations have become increasingly dependent on information resources and technology to accomplish mission and performance goals. Because of this dependency, information is a strategic enabler of WSSU’s mission, and protecting it is a high priority that WSSU’s Executive Management fully supports. Meeting this need requires that senior leadership focus on effective information security governance and support, which in turn requires integrating security into both the strategic and the daily operations of WSSU.
- The Chancellor and Executive Staff are responsible for:
  - Establishing the organization’s information resource security program;
  - Setting program goals and priorities that support the mission of the organization; and
  - Ensuring resources are available to support the information resource security program and make it successful.
- The Provost, Vice Chancellors, General Counsel, Deans, and Department Heads are responsible for ensuring that staff in their division/unit have the appropriate training and that institutional information produced and managed by the division/unit is handled correctly.
- The Office of Information Technology is responsible for ensuring that the appropriate technologies, system policies, and permissions are in place to provide appropriate access to electronic data.
- Department directors and managers are responsible for enforcing information technology security policies and practices within their departments.
b. Security Framework
The University of North Carolina System and WSSU have adopted the ISO/IEC 27002 security standard as the framework for University information security policy. This policy is the umbrella University information security policy; existing and future policies and standards that support it are referenced from it.
c. Risk Management and Assessment
Risks to information resources must be managed using a methodology compatible with industry standards such as ISO/IEC 27005:2011 and NIST Special Publication 800-30. The cost of security safeguards shall be commensurate with the value of the assets being protected and with the liability inherent in the regulations, laws, contractual obligations, or other agreements governing those assets.
- The Chief Information Officer will commission an information technology security risk assessment of information resources consistent with University of North Carolina System and campus compliance and risk assessment plans.
- Risk assessments of mission-critical and high-risk information resources shall be conducted annually. All information resources shall be assessed at least biennially.
- The Chancellor or their designated representative is responsible for approving the risk management plan and for making risk management decisions based on the risk assessment, either accepting each identified exposure or requiring that the data be protected according to its value and sensitivity.
- If a public information request for the risk management plan or a risk assessment is received, Legal Counsel for the campus shall determine whether the requested information is exempt from disclosure.
d. Roles and Responsibilities
WSSU Senior Management has overall responsibility for ensuring that adequate protection of valuable information assets is maintained. All students, faculty, staff, independent contractors, consultants, temporary workers, and other workers, including all personnel affiliated with third parties of WSSU, share in the responsibility to help protect University information resources. Specific responsibilities are assigned to designated positions and groups as needed to support the University’s information technology security program.
i. WSSU Management
ii. Office of Information Technology
Personnel in the Office of Information Technology are responsible for maintaining a secure processing environment for the University. Working with the Information Security Officer, IT personnel will implement security tools and practices consistent with the defined strategy and address identified security risks. They are also responsible for ongoing monitoring and assessment to recognize new security vulnerabilities and risks.
iii. Information Security Officer
The Information Security Officer is responsible for the definition, management, and execution of WSSU’s information technology security strategy, program, and controls. The Information Security Officer works closely with management throughout the University in defining security practices and measures to:
iv. Information Owner
An information owner is the person who has ultimate authority over and accountability for the information assets in his/her functional area, usually a member of senior management such as the head of the business function or department. An information owner is directly responsible for the protection of the information resources assigned to his or her ownership. Ownership is usually designated to the functional area where the data originates or that is the primary user of the data. Information owners’ responsibilities include:
Information security and IT personnel will provide assistance and tools to support these requirements. The information owner may delegate specific tasks associated with these responsibilities, such as authorizing access to information, to appropriate persons in his/her area, but may not delegate the responsibility itself.
Custodians (typically system and application administrators) are the direct link between information security policies and the network, systems, and data. System and Application Administrator responsibilities include:
Everyone who uses or has access to WSSU information assets must recognize their responsibility for the safekeeping of those assets. Users must guard against abuses that disrupt or threaten the viability of any system. The following are specific responsibilities of all WSSU users:
e. Policy Review
The Information Resource Security Policy, including its supporting Standards and Guidelines, will be reviewed biennially, or sooner if significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness. The Office of Information Technology’s Information Security Officer, or their designee, will notify the campus community when changes are made. If needed, a working group with representatives from the campus units may be assembled to review proposed changes.
f. Deviations, Exceptions, and Consequences
In cases where University information resources are actively threatened, the Chief Information Officer (CIO), or their designee(s), will act in the best interest of the University by securing those resources. When possible, the CIO will follow established incident handling procedures to mitigate the threat. In an urgent situation requiring immediate action and leaving no time for collaboration, the CIO is authorized to disconnect any affected device from the network. University information resources are subject to vulnerability assessment and safeguard-compliance review by the CIO, the Information Security Officer, or their designee(s).
Any information resource that cannot comply with the Information Resource Security Policy or its supporting standards may be granted an exception after review and approval by the Information Security Officer. If a department requesting an exception on the basis of non-security-related issues disagrees with the decision of the Information Security Officer, the department may appeal the decision to the Chief Information Officer, or to the Provost and Vice Chancellor for Academic Affairs, who has final approval authority for non-security-related exceptions.
This policy and its supporting standards, procedures, and guidelines do not supersede any applicable state or federal laws regarding access to or disclosure of information, and they apply to:
- All active members of the University community, including faculty, students, staff, and affiliates, and authorized visitors, guests, and others for whom the University makes technology resources and network access available. This includes campus visitors who use the University’s temporary visitor wireless network service and those who register their computers and other devices for use of the campus network through Conference and Event Services programs or through other offices.
- Any information asset owned, leased, or controlled by, or operated on behalf of, WSSU, including but not limited to desktop and laptop computing systems, tablets, servers, data storage devices, communication systems, firewalls, routers, switches, hubs, personal digital assistants (PDAs), smartphones, and mobile devices, where lawfully permitted.
- All computing platforms, operating system software, middleware or application software under the control of third parties that connect in any way to the WSSU enterprise computing or telecommunications network.
- All data, information, knowledge, documents, presentations, databases, or other information resources stored on WSSU’s computing platforms and/or transferred over WSSU’s enterprise network.
Responsible Division: Office of Information Technology
Authority: Board of Trustees
- Adopted: March 16, 2018