Approver(s):
Authorizes Release:
Responsible Area:
Review Cycle:
Last Review:
Related Policies and Additional References:
None
Summary
The Information Security Plan was created to give Information Services the means to build a foundation of information security for the St. Mary’s University community.
Purpose
The purpose of the Information Security Plan (ISP) is to establish a framework for the design, implementation and maintenance of an information security program that protects the University’s systems, services and data against unauthorized use, disclosure, modification, damage and loss. The ISP has been developed by the Information Security Committee (ISC) to establish an appropriate information security governance structure that enables collaboration and support for critical information security initiatives.
Governance
In recognition of the increasing need to protect the University’s critical business, academic and computing resources, an Information Services governance structure was created. Though the governance process is still evolving, we anticipate that the stakeholders participating in the decision-making process will include:
- Vice President Information Services/Chief Information Officer (CIO) – The CIO is responsible for the overall management, direction and security of the University’s information assets (Established).
- Information Security Committee – The purpose of the Information Security Committee (ISC), within Information Services (IS), is to ensure the confidentiality, integrity, and availability of the University’s information technology resources and data by safeguarding them from compromise, misuse, loss or damage caused intentionally or unintentionally, and by ensuring that all relevant parties adhere to these policies and procedures (Established).
- Information Services Advisory Committee – (In development).
- Enterprise Risk Management Committee (ERM) – The ERM is chaired by the Vice President, Finance & Administration (CFO) and exists to identify risks that may adversely impact the operations of the University and to review options to eliminate or mitigate those risks. The ISC reports matters related to information security that may impact the University to the ERM.
Other University governance groups that may have input on policies and practices concerning information security include:
- Executive Council – Chaired by the President, the Executive Council is composed of the Provost, Vice Provosts, Assistant Provost, Vice Presidents, Associate Vice President, and the Chief of Staff. This Council considers and advises the President on internal and external policy matters pertaining to the University.
- Academic Council – Chaired by the Provost and Vice President for Academic Affairs, the Academic Council is composed of the Deans of the five Schools, the Vice Provosts and Assistant Provost, Vice President of Information Services and the Executive Director of the Blume Library. This Council considers and advises the Provost and Vice President for Academic Affairs on academic matters and programs.
- Faculty Senate – All faculty appointees with full-time or pro-rata status annually elect at-large a Senate of eighteen members. Representation of the various academic units of the University is provided for in the election procedures described in the Constitution of the Faculty Senate. The Senate elects its own officers, who report directly to the Provost and Vice President for Academic Affairs. The Senate meets regularly during the Fall and spring semesters and all appointees with full-time or pro-rata faculty status may attend.
- Student Government Association – The Student Government Association (SGA) is the recognized student governing body at St. Mary’s University. It is composed of officers and senators representing each class and also has representation from the various student organizations. Its Constitution and By Laws are found in the Student Handbook of St. Mary’s University.
- Association and Student Bar Association – The Student Bar Association (SBA) serves as an important governing body for students attending the St. Mary’s School of Law.
Strategic Objectives
The strategic objectives outlined below define areas where the University needs to acknowledge and address security risks to its information resources. Implementation of the ISP will require appropriate allocation of staff time, systems/tools and the development of processes. Assuming these are allocated, it will take 36 months to completely implement the information security objectives that follow. Each objective has one or more initiatives that need to be completed in order to satisfy the objective.
Objectives:
- Data Loss Prevention – Initiatives that support this objective will help the University reduce the likelihood of data loss/disclosure of confidential/Federally protected data.
- Improved Security of Systems and Network Services – Initiatives that support this objective will promote an enhanced defense in a layered architecture and provide increased security of critical University services.
- Proactive Risk Management – Initiatives that support this objective will allow data owners and administrators to be more aware of the security risks that their information assets are vulnerable to, identify controls to reduce those risks, and understand what risks remain after any identified controls have been implemented.
- Disaster and Security Incident Management – Initiatives that support this objective will help the University recover its information assets in the event of a catastrophic event. Additionally, these initiatives will enable the University to manage security events more efficiently and effectively, thereby reducing or minimizing the damages to the University.
Information Security Goals
Goal 1: Security Policies, Standards, Guidelines & Framework
Related Objectives: Data Loss Prevention, Improved Security of Systems and Network Services, Proactive Risk Management & Disaster and Security Incident Management
Responsibilities: Develop, approve and publish a collection of information security policies, standards and guidelines to build a framework of information security for St. Mary’s University. These policies are to build the foundation of the University’s Information Security Program and will identify the shared responsibility for information security. These policies, standards and guidelines will be based upon the ISO/IEC 27001, NIST 800-53 and NIST 800-171 standards and best practices.
These policies will also take into account other regulations with which the University must comply in order to conduct its business operations. These regulations are:
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act
- Clery Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
Benefits:
- Creates a foundation of Information Security for St. Mary’s University.
- Helps establish measurable foundations for Information Security.
- Enables Information Services to apply security controls throughout the enterprise systems.
Goal 2: Risk Management
Related Objectives: Data Loss Prevention, Improved Security of Systems and Network Services, Proactive Risk Management
Responsibilities: Create and oversee the Information Services Risk Management Program. The Information Services Risk Management Program allows Information Services (IS) to appropriately identify and protect St. Mary’s business data and operations. The Risk Assessment Program data can be used to report to University Leadership on risk-related vulnerabilities in the systems and data critical to the business operations of St. Mary’s University.
Benefits:
- Enables Information Services to identify and manage risks.
- Will provide the procedure for identifying and reporting risks throughout the University.
- Ensures that risks are being accepted at the appropriate level of leadership.
- Ensures data is identified, classified and appropriately secured.
Goal 3: Continuity and Disaster Recovery
Related Objectives: Data loss prevention, Disaster and Security Incident Management and Proactive Risk Management
Responsibilities: Develop, implement and manage the change management process and test plans to ensure that critical University systems are operational and available at all times. Successful completion of this goal will result in a disaster recovery plan and associated implementation strategy.
Benefits:
- This will allow the university to provide critical and core services in the event of an emergency or disaster.
- Allows the University to recover and restore systems, services and data to the community so that normal operations can resume.
Goal 4: Identity and Access Management
Related Objectives: Data Loss Prevention, Improved Security of Systems and Network Services, and Proactive Risk Management
Responsibilities: A flexible Identity and Access Management system that is capable of managing the information access needs of the St. Mary’s University community. It will provide authentication and authorization services to enterprise and departmental systems. This will allow St. Mary’s University to ensure that the right individuals have access to the proper data at the right times, in a secure manner.
Benefits:
- Better security through consistent and repeatable access control procedures.
- Reduced potential for security breaches, and for fines resulting from security breaches or from non-compliance with federal regulations.
Goal 5: Network and System Security
Related Objectives: Data Loss Prevention, Improved Security of Systems and Network Services, Proactive Risk Management, and Disaster and Security Incident Management.
Responsibilities: A tiered security architecture that provides Information Services the ability to separate resources based on their data, business criticality and function. Information Services will apply the appropriate controls within each level to address the risks to the resources in that tier.
Benefits:
- Improved security by applying technical safeguards that enforce policies.
- Ability to determine high-risk areas and focus security resources where they safeguard the University’s most critical resources.
- Provides a layered defense that prevents attacks and identifies where attacks may have succeeded.
Goal 6: Security Awareness Program
Related Objectives: Data Loss Prevention, Improved Security of Systems and Network Services, Proactive Risk Management and Disaster and Security Incident Management.
Responsibilities: Make information security awareness training available to members of the St. Mary’s University community. This will serve to inform the community of the shared responsibility for protecting the information in their care. To further engage the community, the Information Security Committee will work to develop a variety of information-sharing forums, including electronic and in-person media.
Benefits:
- Improve the knowledge of information security for the entire St. Mary’s University community.
- Increase awareness of the current information security threats and how to minimize the risk associated with the threats.
- Reduce the number of security incidents.
Definitions
ISP – Information Security Plan
ISC – Information Security Committee
GDPR – This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Information Security Governance – Information security governance balances the use and security of information. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. It consists of establishing a consistent and logical framework for employees to handle data through information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle electronically stored information.
ISO/IEC 27001 – ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes best practice for an ISMS (information security management system). ISO 27001 is supported by its code of practice for information security management, ISO/IEC 27002:2013.
https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
NIST 800-53 – Recommended Security Controls for Federal Information Systems and Organizations.
https://nvd.nist.gov/800-53
NIST 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-171.pdf
FERPA – The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Gramm-Leach-Bliley Act – The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services such as loans, or financial or investment advice – to explain their information-sharing practices to their customers and to safeguard sensitive data.
https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Clery Act – The Clery Act requires colleges and universities that receive federal funding to disseminate a public annual security report (ASR) to employees and students every October 1st. This ASR must include statistics of campus crime for the preceding 3 calendar years, plus details about efforts taken to improve campus safety.
https://www.gpo.gov/fdsys/pkg/FR-2014-10-20/pdf/2014-24284.pdf#page=33
HIPAA – The Health Insurance Portability and Accountability Act of 1996 is a federal law. Its primary goals are to make it easier for people to keep health insurance, to protect the confidentiality and security of healthcare information, and to help the healthcare industry control administrative costs.
https://www.hhs.gov/hipaa/index.html
PCI DSS – Payment Card Industry Data Security Standard – The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.
https://www.pcisecuritystandards.org/pci_security/