Missouri State University will protect the confidentiality, integrity, and accessibility of its information by providing policy and protective controls for the following areas:
- Information Security Unit Organization and Mission
- Risk Assessment and Management
- Information Management
- Human Resources Management
- Physical Security
- Network and Computing Infrastructure
- Software Application Development
- Identity and Access Management
- Component Integration and Removal
- Awareness and Training
- Information Security Incident Management
- Disaster Recovery of Core Systems
Reason or Purpose for Policy:
Missouri State University is committed to protecting information entrusted to its care and will provide the appropriate infrastructure to meet that commitment. This policy applies to academic, administrative, auxiliary services, and all other entities under the direction of Missouri State University’s administration. “Information security” is defined as the protection of hardware, software, and data assets (both digital and physical) at a level commensurate with the risk associated with the asset. “Risk” is defined as the probability of loss based on threats, vulnerabilities, impact, and the likelihood a threat will be successful.
The Information Security Unit of the Computer Services department provides guidance and oversight of all information security-related activities. The Information Security Officer chairs an Information Security Executive Committee (ISEC). This committee consists of representatives from the Office of the Provost, Faculty Senate, Administrative & Information Services, Financial Services, Enrollment Services, Residence Life, Housing and Dining Services, Research and Economic Development, Office of Development, General Counsel, President’s Office, West Plains campus, and the Student Government Association, and is responsible for:
- Developing a shared vision of the University System’s desired information security characteristics.
- Determining the appropriate resources required to achieve the desired state.
- Reviewing and enhancing existing policies and, where needed, developing new policies to appropriately secure information resources.
- Developing effective marketing and education plans to inform and raise awareness of various information security-related issues.
- Developing an action plan to respond to security breaches that may occur within the University system.
Standards and procedures accompany all policy statements and are jointly developed by the areas governed by the policy, ISEC, and the Information Security Officer (ISO). The Chief Information Officer (CIO) will review all policies and procedures for accuracy and completeness and, where appropriate, bring them forward to Administrative Council for approval.
All policies are based on the ISO/IEC 27002:2005 framework, and for supporting procedures, the University will use the National Institute of Standards and Technology (NIST) FIPS and the 800-series of Special Publications for guidance. These have been adapted for use in a higher education environment.
Entities Affected by this Policy:
All entities contained in or under the direction of the Missouri State University system.
Line of Authority:
- Responsible Administrator and Office: Chief Information Officer (CIO), Computer Services
- Contact Person in that Office: Information Security Officer (ISO), Computer Services