G12.01 Information Assurance
Missouri State University will protect the confidentiality, integrity, and availability of its information by providing administrative and technical controls for the following areas:
- Information Security Unit Organization and Mission
- Risk Assessment and Management
- Information Management
- Human Resources Management
- Employee Information Access
- Physical Security
- Network and Computing Infrastructure
- Software Application Development
- Identity and Access Management
- Component Integration and Removal
- Awareness and Training
- Information Security Incident Management
- Disaster Recovery of Core Systems
- Regulatory Compliance
- Information Classification Levels
- HIPAA Security Rule
Reason or purpose for policy
Missouri State University is committed to protecting the information entrusted to its care and will provide the appropriate infrastructure to meet that commitment. This policy applies to academic, administrative, auxiliary services, and all other entities under the direction of Missouri State University’s administration.
Information Assurance (IA) is defined as the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation, and confidentiality of data. It comprises physical, technical, and administrative controls designed to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical forms. These protections apply to data in transit, in both physical and electronic forms, as well as data at rest in various types of physical and electronic storage facilities.
Risk is defined as the probability of compromised confidentiality, integrity, or availability, in light of threats, vulnerabilities, and impact.
The Information Security department of the Information Services division provides guidance and oversight for all information security-related activities. The Information Security Officer chairs the Information Security Executive Committee (ISEC). This committee consists of representatives from the Office of the Provost, Faculty Senate, Administrative Services, Financial Services, Enrollment Services, Residence Life Housing and Dining Services, Research and Economic Development, Office of Development, General Counsel, President’s Office, West Plains Campus, and the Student Government Association; it is responsible for:
- Developing a shared vision of the University’s desired information assurance characteristics.
- Determining the appropriate resources required to achieve the desired state.
- Reviewing and enhancing existing policies and developing new policies to appropriately secure information resources.
- Developing effective marketing and education plans to inform and raise awareness of various information security-related issues.
- Developing an action plan to respond to security breaches should any occur within the University system.
Standards and procedures accompany all policy statements and are jointly developed by the areas governed by the policy, ISEC, and the Information Security Officer. The Chief Information Officer will review all policies and procedures for accuracy and completeness and, where appropriate, bring them forth to the Administrative Council to solicit approval.
The University uses the National Institute of Standards and Technology, Federal Information Processing Standards and Special Publications for guidance, with adaptations appropriate to an academic environment.