Policy AD95 - INFORMATION ASSURANCE AND IT SECURITY (Formerly AD20-Computer and Network Security)

Policy Steward: Vice President for Administration

Contents

  • Purpose
  • Definitions
  • Scope
  • Policy
  • I. General Information Security
  • II. Guiding Principles of Information Security
  • III. Classification of Information
  • IV. Use of Approved IT Services
  • V. Adherence to IT Security Standards and Requirements
  • VI. Certification of Unit-Based System Security
  • VII. Acceptable Use
  • VIII. Security Liaisons
  • Responsibilities
  • Oversight of the Information Security Program
  • Exceptions and Exemptions
  • Policy Violations
  • Further Information
  • Cross References

  • PURPOSE:

    To establish an institution-wide security program designed to ensure the confidentiality, integrity, and availability of The Pennsylvania State University’s (“Penn State“ or “the University”) information assets from unauthorized access, loss, alteration, or damage while supporting the open, information-sharing needs of our academic culture.

    DEFINITIONS:

    Availability - ensuring that information is ready and suitable for use.

    Chief Information Security Officer (CISO) - oversees the Office of Information Security, and is responsible for developing and implementing an information security program, which includes policies, standards, and procedures designed to protect enterprise communications, systems and assets from both internal and external threats.

    Confidentiality - ensuring that information is not disclosed to unauthorized individuals.

    Data - unstructured facts and figures without added organization, interpretation or analysis.

    Data Owner - Individual responsible for University information.

    Information - contextualized, categorized, calculated and condensed data.

    Information Classifications:

    Information Assets - any Penn State-owned data, information, software or hardware that is used in the course of business activities. This includes information that is processed or resides on privately owned devices that are used for University purposes.

    Integrity of Data - ensuring accuracy, completeness, and consistency.

    Institutional Data -information created, collected, maintained, transmitted, or recorded by or for the University to conduct University business, including, but not limited to, information in paper, electronic, audio, or visual formats.

    Security Staff - Penn State employees who have information security listed as part of their official duties.

    Unauthorized Access or Access in Excess of Authorization- viewing, modifying or destroying information without proper authorization/approval and/or legitimate business need.

    SCOPE:

    This policy is applicable to all members of the Penn State community, and applies to all locations and operations of the University, except for Penn State Health and The Pennsylvania College of Technology, which will follow separate policies. Specifically, the scope of this policy includes:

    POLICY:

    I. GENERAL INFORMATION SECURITY:

    This policy establishes University-wide strategies and responsibilities for protecting the confidentiality, integrity, and availability of information assets that are created, accessed, managed, and/or controlled by the University. Information Assets addressed by the policy include data, information systems, computers, network devices, as well as paper documents.

    With this policy and corresponding standards, the University will:

    II. GUIDING PRINCIPLES OF INFORMATION SECURITY:

    All faculty, staff, students, and units have an obligation to protect institutional data in accordance with this policy and its supplemental Guidelines and Standards, which take into consideration the University's mission, as well as the level of sensitivity and criticality of the information. The University promotes, supports and adopts an institutional culture that elevates the importance of its overall information security posture by implementation of the following principles:

    The University recognizes that it is organizationally and functionally complex and that campus units, research programs, and clinical care settings will have unique needs, as well as different threats and risk tolerances. Consequently, variation in how this policy and its supporting Guidelines and Standards are implemented will be managed and tracked by the Office of Information Security (OIS) through an exception process.

    III. CLASSIFICATION OF INFORMATION:

    The University will use Information Classification to develop Policies, Guidelines and Standards for risk-based protection of information and systems. Information Classifications are based upon the expected risk of harm to individuals and the University if the information were to be subject to unauthorized access or disclosure. Harm may encompass negative psychological, reputational, financial, personal safety, legal, and/or other ramifications to individuals or the University. The classification of information determines the baseline security protections and controls that are appropriate. The University's identified/designated Data Owners are primarily responsible for the implementation of appropriate safeguards and controls, and the safeguards for the highest classification of information applies. Definitions and basic principles of Information Classification are provided below and further supplemented in the supporting Standards.

    Note that the examples provided are illustrative, rather than exhaustive. The University, faculty, staff, students, and units will interact with many more specific types of information. In the event that a specific type of information is not listed as an example, the Information Classification will be based upon the Definition of each Classification.

    Sensitive Information Classification Definition Examples
    Restricted (Level 4) Access and use is strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss will have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships.
    • Payment Card Industry Data Security Standard (PCI-DSS) Data
    • Data subject to Federal Information Security Management Act (FISMA) moderate or high standards
    High (Level 3) Unauthorized access, use, disclosure, or loss is likely to have significant and severe adverse effects for individuals, groups, or the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm. Compliance requires are not as strict as for Restricted Information.
    • Personally Identifiable Information (PII) as defined in Privacy Policy AD53
    • Health Insurance Portability and Accountability Act (HIPAA) data
    Moderate (Level 2) Unauthorized access, use, disclosure, or loss is likely to have adverse effects for individuals, groups, or the University, but will not have a significant impact on the University. These adverse effects could include but are not limited to social, psychological, reputational, financial, or legal harm.
    • Non-PII student records
    • Personnel records
    Low (Level 1) Unauthorized access, use, disclosure, or loss is likely to have low or no risk to individuals, groups, or the University. These adverse effects may, but are unlikely to, include limited reputational, psychological, social, or financial harm. Low Risk Information may include some non-public data.
    • Data made freely available by public sources
    • Published data
    • Educational data
    • Initial and intermediate Research Data

    Instructions on handling information classification levels can be located in the standards listed in Section V. OIS will work with Data Owners to determine appropriate classification, as necessary. The CISO will make the final determination when the Data Owner and OIS cannot agree. For informational questions regarding your information classification, please contact security@psu.edu.

    IV. USE OF APPROVED IT SERVICES:

    Approved information technology infrastructure, services, staff training and facilities are a key method to securing information at the University. Faculty, staff, students, or units, should give preference to utilization of approved IT services where such services are available and appropriate to meet the individual's needs. These approved IT services will be designed to follow specific, level-appropriate information security requirements based on the strategic risk the information represents as well as regulatory and contractual compliance requirements.

    V. ADHERENCE TO IT SECURITY STANDARDS AND REQUIREMENTS:

    This policy also recognizes the need to accommodate unique research, teaching, and clinical needs that may not be feasible to accomplish through the use of approved IT services. If an approved IT service is not appropriate to meet the needs of faculty, staff, students, or units, level-appropriate information security requirements must be implemented per University Standards. Implementation for each Standard can be located below (click on the link):

    This Information Security Policy is supported and supplemented by specific operational, procedural, and technical Guidelines and Standards. These Standards will be enforced in the same manner as this policy.

    Each Standard will be owned by a Standard Working Group. The Working Group will be representative of the standard stakeholders and will be led by an OIS staff member and will include members of faculty and/or staff. The Standard Working Groups will be chartered by the CISO. The Standard Working Groups will review their Standard at least quarterly, incorporating input from the University community, changes in the threat, compliance standards, technology and industry best practices.

    VI. CERTIFICATION OF UNIT-BASED SYSTEM SECURITY:

    Any unit or individual that operates IT systems and/or applications that process information classified as High or Restricted under this policy must have Authority to Operate granted by the Office of Information Security. OIS will grant this authority after performing proper due diligence confirming that the information is properly secured and meeting any compliance requirements. Prior to obtaining the Authority to Operate, a unit or individual may have provisional Authority to Operate by informing OIS and certifying to OIS that the information is properly secured and meeting compliance requirements. OIS is responsible for the processes that grant Authority to Operate and provisional Authority to Operate.

    VII. ACCEPTABLE USE:

    To create a secure environment in which faculty, staff, students, and units may feel free to create and collaborate without fear that the products of their efforts will be violated by misrepresentation, tampering, destruction, or theft, all individuals must follow AD96, Acceptable Use of University Information Resources.

    VIII. SECURITY LIAISON:

    Each unit at the University will appoint a Security Liaison. This person will be a conduit for communication between the Office of Information Security (OIS) and the unit. This person does not have to be a security specialist or an IT specialist. However, if the unit has dedicated security staff or an individual who has security duties, then they are the preferred liaison. OIS will maintain a list, complete with contact information. OIS will provide training to all Security Liaisons.

    RESPONSIBILITIES:

    This matrix spells out the responsibility of high level groups for high level functions. Other more detailed responsibilities may be specified in the Guidelines and Standards.

      University Leaders Deans, Chancellors, Unit Directors, Principal Investigators CISO/OIS Unit Security Staff IT Leaders Governance Data Owner
    Risk Accountable Responsible Consulted Responsible Informed Consulted Consulted Consulted
    Strategy and Policy Responsible Consulted Accountable Responsible Consulted Consulted Consulted Consulted
    Identification Informed Accountable Responsible Responsible Responsible Responsible Informed Responsible
    Protection Informed Accountable Responsible Responsible Responsible Consulted Informed
    Detection Informed Informed Accountable Responsible Responsible Responsible Consulted Informed
    Response Informed Informed Accountable Consulted Responsible N/A Informed
    Recover Informed Accountable Consulted Consulted Responsible N/A Informed

    Functions:

    Roles:

    Responsibilities:

    All University faculty, staff, students, and units when acting on behalf of the University, and others granted use of University information are expected to:

    OVERSIGHT OF THE INFORMATION SECURITY PROGRAM

    The CISO will convene a CISO Advisory Committee representative of stakeholders across the University. This committee will be the primary governance mechanism for the Information Security Program. In addition, the CISO will engage appropriate leaders and governance groups for advice on the Information Security Program.

    EXCEPTIONS AND EXEMPTIONS:

    Exceptions to, or exemptions from, any provision of this Policy or supplemental IT Guidelines and Standards must be approved by the Office of Information Security in accordance with the Requests for Exception to Information Security Policy Standard.

    Any questions about the contents of this policy or supplemental IT Guidelines and Standards should be referred directly to the CISO and the Office of Information Security (security@psu.edu) who has the responsibility to interpret the Security Standards.

    POLICY VIOLATIONS:

    Any Penn State department or unit found to operate in violation of this Policy may be held accountable for remediation costs associated with a resulting information security incident or other regulatory non-compliance penalties, including but not limited to financial penalties, legal fees, and other costs.

    Faculty, staff, students, or units who violate this policy and supplemental IT Guidelines and Standards may be subject to disciplinary action.

    FURTHER INFORMATION:

    For questions, additional details, or to request change to this Policy, please contact the Office of Information Security at security@psu.edu.

    CROSS REFERENCES:

    Other Policies may also be referenced, especially the following:

    AD53 - Privacy Statement

    AD96- Acceptable Use of University Information Resources


    Effective Date: July 18, 2017
    Date Approved: July 17, 2017
    Date Published: July 20, 2017

    Most recent changes:

    Revision History (and effective dates):

    | top of this policy | GURU policy menu | GURU policy search | GURU home | GURU Tech Support | Privacy and Legal Statement | Penn State website |