INFORMATION SECURITY

About This Policy

Responsible Officer
Vice President for Human Resources & Operations

Policy Owner
Executive Director of Innovation & Technology

Policy Contact
Executive Director of Innovation & Technology

Issued
2022-07-20

Policy Statement


North Central University is committed to protecting the confidentiality, integrity, and availability of systems and data that are critical to teaching, research, and the university’s many varied activities, business operations, and its supported communities. While the university cannot guarantee the privacy of information, the university will make a reasonable effort to protect the privacy rights of employees and students.

The university promotes and supports an institutional culture that elevates its overall information security posture by following these principles:

  • The university will establish and maintain a comprehensive, institution-wide information security and cybersecurity risk management framework and program.
  • The university will optimize its ability to protect institutional data, systems, resources, and services from unauthorized access and other threats or attacks that could potentially result in harm to the university or to members of the university community.
  • Members of the university community have individual and shared responsibilities to protect the university’s information assets and comply with applicable laws, regulations, and policies.
  • The university will comply with federal, state, and local law, university policies, contracts, and agreements that require the university to implement security safeguards, in as cost-effective a manner as possible.
  • The university will seek to maximize the use of secure and compliant university-provided services that are readily and affordably accessible to faculty, staff, and students.
  • The university will educate, inform, and enable university community members to use information in a secure and compliant manner.

All institutional data must be protected in accordance with the provisions below, which take into consideration the level of sensitivity and criticality that the data has to the university.

  • Data Classification: All university information is classified into an appropriate level based on its sensitivity and risk of harm to individuals and the university if the information is subject to a breach or unauthorized disclosure. Harm may encompass negative psychological, reputational, financial, personal safety, legal, or other ramifications to individuals or the university, or otherwise result in an adverse impact on the university’s mission, research activity, or operations.
  • Data Security: The university establishes minimum security controls appropriate for safeguarding data based on the data’s classification level.
  • Risk Management: The university maintains a risk-management framework which requires periodic risk assessments of systems and applications that maintain sensitive institutional data.
  • Risk Acceptance: University leadership exercises authority to accept information security and privacy related risks to the university’s information assets. University departments, units, and individuals may not unilaterally accept information security, privacy, and compliance risks that have the potential to increase the university’s vulnerability to cyber risks.

Authorization and Access
All users of university information resources must be accurately and individually identified. The university will rely on the principle of least privilege in granting access to data and information, in accordance with business requirements and legitimate institutional purpose.

Unauthorized use or disclosure of data protected by laws, regulations, or contractual obligations could cause severe harm to the university or members of the university community and could subject the university to fines or government sanctions. The physical and logical integrity of these resources must also be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.

Some university information systems maintain information that uniquely identifies individuals. This information must be maintained consistent with federal and state laws and regulations and with university policies. All university employees with access to personally identifiable information must respect the confidentiality of that information consistent with federal and state laws and regulations and with university policies.

The university maintains the following requirements for all university information. All university-owned and maintained information:

  • Must be accessible only by authorized individuals.
  • Must only be accessed for a legitimate university purpose.
  • Must be corrected if incorrect information is known to exist.
  • Must be removed or made inaccessible if appropriate and if the individual makes this request consistent with federal and state laws and regulations and with university policies.
  • Must be gathered in a manner consistent with federal and state laws and regulations and with university policies.
  • Must be protected using computer-based and non-computer-based access controls.
  • Must be retained for the longer of the periods required by federal and state laws and regulations or by university policies and then, unless there is a pending subpoena, must be disposed of by physical destruction of the media on which the information resides or by erasing the information from this media in a manner that results in the information being totally unrecoverable.
  • Must be used only as authorized by federal and state laws and regulations and by university policies.
  • Must not be disclosed unless authorized or required by federal and state laws and regulations and by university policies.

External Relationships
The university’s information security requirements must be considered when establishing relationships with external vendors and partners, to ensure that information assets accessible to external parties are protected. In accordance with its obligations, all contracts with vendors that will gain access to and/or transmit university information must be reviewed by university information security and university counsel, and must directly contain or adhere to the university’s pre-approved addendum on information security.

Security Incident Management
All employees and non-employees must adhere to the Data Breach Notification policy for reporting any event that may have an impact on the security of university information.

Security incident management procedures and responsibilities must be established and documented to ensure an effective, orderly, and timely response to any security incident and to restore any disrupted services as quickly as possible. The response to any security incident must additionally include analysis of the cause of the incident and implementation of any corrective actions to prevent recurrence of the same incident.

Identification of Cybersecurity Risks
To ensure continuity of services, a formal Business Impact Analysis (BIA) must be completed by each university business unit.

Purchases of new university technology resources must adhere to the requirements set out in established university policies to ensure the resource is compatible with the university’s existing technologies and will not impose an unnecessary risk to the university.

Third parties seeking to contract with the university to perform technology and information services must complete a vendor risk assessment, provide assurances of compliance with applicable laws and regulations, and agree to adhere to the established Information Security Program prior to entering into an agreement with the university.

The University conducts risk assessments on the following:

  • University technology resources, including specific assets or information systems.
  • Vendors of technology and information services.
  • Individual colleges, departments, or business units.
  • Requests for exceptions to the Information Security Program.

Additional technology risks to the university may be identified through other activities including technology project planning, privacy impact assessments, in-person visits, whistleblowers, or self-disclosures.

All identified technology risks will be classified based on the likelihood that harm will occur as a result of the threat occurring and the harm that may occur to the university or individuals given the potential for the threat to exploit vulnerabilities.

Technology risks must be remediated, mitigated through implementation of compensating security controls, or accepted.

  • Accepted risks will be tracked and re-assessed annually, at a minimum, to ensure the continuing risk is still in line with the university’s level of risk tolerance.
  • Aggregated data of known risks to the university will be compiled on an annual basis and provided to senior leadership to aid in determining the university’s ongoing technology risk appetite.

Oversight and Enforcement
The Program Administrator is responsible for the development, implementation, monitoring, and enforcement of the university’s information security program. Other university staff perform essential information security and cybersecurity risk management functions contributing to program implementation and regulatory compliance.

Exceptions
Departments unable to meet a requirement defined by the information security standards must obtain an exception. The university Program Administrator or delegate may allow exceptions to this policy after consultation with university leadership and the affected department.

Enforcement
Any employee who violates this Policy will be subject to appropriate disciplinary action.

Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.

Any individual affiliated with the University who violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.

The Program Administrator will coordinate with appropriate university entities on the implementation and enforcement of the Information Security Program and information security standards.

Consistent with the Acceptable Use of Information Technology Resources policy, the university may temporarily suspend, block, or restrict a user’s access to information and systems when it reasonably appears necessary to do so to protect the integrity, security, or functionality of university resources or to protect the university from liability.

The university may routinely monitor network traffic and information systems to assure the continued integrity and security of university resources in accordance with applicable university policies and laws.

Reason For Policy


The purpose of this policy is to establish a framework for the protection of university information resources from accidental or intentional unauthorized access, modification, or damage in order to meet applicable federal, state, regulatory, and contractual requirements.

Policy Scope


This policy and its supporting controls, processes and procedures apply to all information used at the university, in all formats. This includes information processed by other organizations in their dealings with the university.

This policy applies to all university faculty and staff, as well as to students acting on behalf of the university through service on university bodies such as task forces, councils, and committees. This policy also applies to all other individuals and entities granted use of university information, including, but not limited to, contractors, temporary employees, and volunteers.

Procedures


  • There are no procedures associated with this policy.

Forms


  • There are no forms associated with this policy.

Appendices


  • There are no appendices associated with this policy. 

Additional Contacts

Subject                            Contact                                        Phone         Email
Primary Contact                    Executive Director of Innovation & Technology  612.343.4170  -
Cybersecurity Incidents            -                                              -             incident@northcentral.edu
All other Cybersecurity Inquiries  -                                              -             cybersecurity@northcentral.edu

Definitions


Authorization
The function of establishing an individual’s privilege levels to access and/or handle information.

Authorized Individuals
Employees, students, and third parties who have been given access to university information systems and university information.

Availability
Ensuring that information is ready and suitable for use.

Baseline Configuration
A documented set of specifications for hardware, software, or applications that reflect the most restrictive mode consistent with operational requirements and serve as a basis for future builds, releases, and/or changes to the University Technology Resource.

Business Impact Analysis
An assessment to identify the Mission Critical Services performed by all business units within the University. The BIA should identify vulnerabilities and threats that may impact the business unit’s ability to fulfill these services and preventative controls to mitigate or eliminate threats; the University Technology Resources used to perform these Mission Critical Services; and recovery time objectives and priorities for the Mission Critical Services.

Confidentiality
Ensuring that information is kept in strict privacy.

Criticality
The relative importance of the service and the consequences of incorrect behavior of the system(s) that support it.

  1. Mission Critical Service means the system is required to conduct essential mission-oriented operations of the University. Unplanned interruptions have immediate and widespread impact.
  2. Core Service means the system must be available to conduct the most basic business activities. Interruptions have an immediate, University-wide impact.
  3. Business Critical Service means the system is required to conduct normal University operations. Interruptions in service impact important operations but are not University-wide.

Data Owner
Individual with primary authority and accountability for specified information (e.g., a specific business function) or type of data (e.g., research).

Data User
Individual, who in the course of carrying out official university business or research, may collect, store, transfer or report data consistent with their function at the institution.

Disruption
An unplanned event that causes the University Technology Resource to be inoperable for an unacceptable length of time.

High Availability
A failover feature to ensure Availability during a Disruption.

Information Security
The state of being free from unacceptable risk. Information security focuses on reducing the risk of computing systems, communications systems, and information being misused, destroyed, modified or disclosed inappropriately either by intent or accident.

Integrity
The accuracy and consistency of stored data, indicated by an absence of any variance in data between two updates of a data record.

Least Privilege
The minimum system resources and authorizations needed for a system to perform its function, or restricting the access privileges of authorized personnel to the minimum functions necessary to perform their job.

Maximum Tolerable Downtime (MTD)
The total amount of time the business unit is willing to accept for an outage or disruption.

Program Administrator
Individual responsible for the management of the Information Security Program.

Security Incident
A suspected, attempted, successful, or imminent threat to the confidentiality, integrity, and/or availability of University Data; interference or Unauthorized Access to a University Technology Resource; or, a violation, or imminent threat of violation of University information technology rules, policies, standards, and/or procedures.

Unauthorized Access
Looking up, reviewing, copying, modifying, deleting, analyzing, or handling information without proper authorization and legitimate business need.

University Data (Information)
Information that the university collects, possesses, transmits, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.

Responsibilities


Users and Departments

  • Be knowledgeable about relevant security requirements and guidelines.
  • Protect the resources under their control, such as access passwords, computers, and data they download.
  • Report information security related incidents.

Administrators and Supervisors

  • Authorizing and de-authorizing access to data under their stewardship, based on the principle of least privilege, and in a manner that supports individual accountability for user activity.

Information Technology Security Staff

  • Handling information security incidents, and incident reporting, for the university.

Program Administrator (Executive Director of Innovation & Technology)

  • Responsible for the security of the university’s information technologies. Implementation of security policies is delegated throughout the university to various university services, departments and other units; and to individual users of campus information resources.
  • Provide interpretation of this and other related policies, disseminating related information, and enforcing information security policies across campus.

RELATED INFORMATION


Relevant University Policies

Relevant Legislation

  • FERPA – Family Educational Rights and Privacy Act
  • HIPAA – Health Insurance Portability and Accountability Act
  • GLBA – Gramm-Leach-Bliley Act
  • FACTA – Fair and Accurate Credit Transactions Act
  • PCI-DSS – Payment Card Industry Data Security Standard

History


Issued
2022-07-20