Op3.12-13 Information Security
What is my role as department head in securing university information?
The department head should ensure that their employees are aware of information security policies, standards, procedures and responsibilities concerning the information they handle.
What is information security?
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk and maximize return on investments and business opportunities (from ISO/IEC 27002:2005, Code of Practice for Information Security Management).
The Information Security Executive Committee (ISEC) evaluates information security issues and makes recommendations for protecting university information and computer systems through policy, awareness, incident response and resource planning.
The information services division has an information security unit to assist departments in assessing and managing risks for university information. For help in assessing risks, contact the information security office.
What do I need to know about university information?
Information is one of our most important assets and protecting it is one of our top priorities. All users play a critical role in protecting information. Each department is responsible for the information it receives, creates, transmits or stores. Information that can identify an individual, referred to as PII (Personally Identifiable Information), including but not limited to student grades and health information, is protected from improper disclosure by federal and state law. The university classifies information on five levels as specified in the information classification policy.
Information levels three through five must be fully protected in accordance with federal and state laws and university policy. Contact the information security unit for questions or assistance.
Credit card information should never be handled without the consent of the university bursar.
How should we work together to protect information?
Protecting information consists of understanding what data is being handled and employing a combination of controls among people, processes and technology.
People must understand their role and responsibility in the safe handling of university information and associated processes.
Processes must be in place to safely handle and maintain information. Suggestions for protecting information include:
- Avoid clicking links or opening attachments in email messages from unknown sources.
- Never reveal university access credentials, and never share a password.
- Log off after using a workstation.
- Lock the workstation (screen lock) when temporarily leaving it.
- Ensure maximum physical security, e.g., keep paper records that contain PII in a locked file cabinet inside a locked office with limited access, and never leave mobile devices such as laptops unattended.
Technology controls that should always be in place include:
- Up-to-date anti-virus software
- Up-to-date operating system patches (e.g., Windows, Mac OS, Linux)
- Up-to-date browser and application patches (e.g., Internet Explorer, Firefox, Safari, Adobe)
- Workstation firewalls enabled
- Data backups
- Encryption of PII on any mobile device or in transmission (e.g., email)
Related policies and resources:
- Information management policy
- University acceptable use policy
- Computer services help desk
Contact the information security unit for help with safe and proper storage, transmission and handling of sensitive information.
How do we properly dispose of data processing equipment?
All hardware (e.g., workstations, laptops, printers, multi-function copiers, fax machines) assigned to a department must have the data removed from any storage device it contains (e.g., hard drive, memory card), with written validation that the data has been removed, before it is physically moved to be retired or redeployed. All paper that contains PII or PHI (protected health information) must be shredded using a cross-cut shredder.
Any device (e.g., hard drive, thumb drive, CD) that contains electronic PII or PHI must be "wiped" following the guidelines specified by property control. Contact the computer services help desk for questions or assistance, and refer to the component integration and removal policy.
What should we do to protect our servers and web pages?
If you have a server that is not managed by the computer services department, contact the information security unit for risk assessments and standards for protection.
Contact web strategy and development for questions or assistance with university web pages.
How do I keep current with information security issues?
What if information is breached?
Suspected or confirmed information security incidents, data breaches or disclosures must be reported immediately. Examples include a lost or stolen mobile device (laptop, smartphone, thumb drive) that contains PII, and emailing or mailing PII to an unintended recipient. If you suspect university information has been breached (compromised), follow the instructions on the information security website.
Frequently asked questions:
Do these policies apply to any data (including old paper files stored in my department)?
Yes, these policies apply to any data held by the university. Paper documents with information in Levels 3-5 of the information classification policy should be kept out of public view when in use and stored in a locked file cabinet when not in use. When the documents are no longer needed and are outside any data retention requirements, they should be shredded in a cross-cut shredder.
What if someone in my department has a laptop stolen with student grades or personal information on it?
The information security officer (ISO) should be notified immediately. See the information security website for our data incident process.
Do I have to protect my own personal smart phone or computer if I used it for work?
Yes. When dealing with university information, it, and the device carrying it, must be protected according to university policy.
My department would like to have our own secure server – how can we do that?
Contact the information security officer for a risk assessment to determine the type of information that will be stored on the server.
Who is the person I need to call if we have a data breach?
The information security officer. See the information security website for the process.
Are there any criminal liabilities to me or the university if we knowingly keep sensitive information and it is lost?
A variety of penalties can be imposed depending on the nature of the loss. Information at the university is governed by several government regulations, and each specifies the penalties for infractions. Criminal penalties are a possibility.
Why can’t I just toss the old printers or copiers?
Most printers, copiers, and multi-function devices contain storage devices such as hard drives, flash memory, etc., that may have images of documents processed by them. Some of this information may be sensitive so we must make sure it remains confidential. Disposing of these devices without sanitizing the storage device can lead to data leaks.
What do I need to do when I want to make changes to our department web page?
Departments that maintain their own web pages should make sure they are coded securely, using the OWASP Top 10 vulnerability listing as a guide. Also, be sure not to display, or link to, any information not considered public.
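As an added illustration of what "coded securely using the OWASP Top 10 as a guide" means in practice (this is example code, not code from the policy or from the university's web pages), the following shows a department page that echoes a visitor-supplied search term. The first rendering function is vulnerable to injection (cross-site scripting); the second encodes the output. A third function shows that encoding alone does not make a link safe, and only emits links to an allowlist of public hosts, matching the advice above not to link to non-public information. The function names, the sample hostile input, and the host `www.example.edu` are assumptions made for this example.

```javascript
// Added example: safe rendering of visitor-supplied text on a department web page.
// Function names, the sample input and the public-host allowlist are assumptions
// for this illustration, not the university's own code.

// VULNERABLE: the visitor's search term is concatenated straight into markup,
// so a term such as <img src=x onerror=...> becomes live HTML in every
// visitor's browser (OWASP Top 10: injection / cross-site scripting).
function renderSearchResultVulnerable(term) {
  return "<p>Results for: " + term + "</p>";
}

// HARDENED: encode the five characters that carry meaning in HTML text and
// attribute contexts before the value reaches the page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchResultSafe(term) {
  return "<p>Results for: " + escapeHtml(term) + "</p>";
}

// Links need more than escaping: "javascript:alert(1)" contains none of the
// escaped characters yet executes when placed in an href. Accept only http(s)
// URLs, and only to hosts that serve public information (assumed allowlist).
const PUBLIC_HOSTS = new Set(["www.example.edu"]);

function renderLink(url, label) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return escapeHtml(label); // not a URL at all: show plain text, no link
  }
  const schemeOk = parsed.protocol === "http:" || parsed.protocol === "https:";
  if (!schemeOk || !PUBLIC_HOSTS.has(parsed.hostname)) {
    return escapeHtml(label); // unsafe scheme or non-public host: drop the link
  }
  return '<a href="' + escapeHtml(parsed.href) + '">' + escapeHtml(label) + "</a>";
}

// Constructed sample input: what a hostile visitor might type into the search box.
const hostileTerm = '<img src=x onerror="alert(document.cookie)">';

console.log("vulnerable:", renderSearchResultVulnerable(hostileTerm));
console.log("safe:      ", renderSearchResultSafe(hostileTerm));
console.log("link:      ", renderLink("https://www.example.edu/about", "About us"));
console.log("link:      ", renderLink("javascript:alert(1)", "Click here"));
console.log("link:      ", renderLink("https://intranet.example.edu/grades", "Grades"));
```

Output encoding is context-specific: the same value needs different treatment in an HTML text node, an attribute, a URL, and a script block, which is why a server-side template engine with automatic escaping is preferable to hand-built string concatenation on department pages.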