Information Security

Oregon State University
Information Security Policies & Procedures Manual v1.7

Dave Nevin, Chief Information Security Officer

Manual Revision Record

Information Security Policies and Procedures Manual
Effective: 01/11/2010



Date               Policy          Summary of Change
March 20, 2014     601-02          Disposal of Surplus Property: updated link for Disposal of Data Storage Equipment
February 20, 2014  Entire manual   Changed name to Information Security Policies & Procedures Manual v1.7
February 20, 2014  202             Major revision of Classification Standards for increased clarification
February 20, 2014  203             Updated encryption standard to 256-bit
February 20, 2014  204             Created new policy for Use of Third-Party Services
February 20, 2014  401             Revised policy to remove the exception of the University Email System from the encrypted transmission requirement
February 20, 2014  501             Revised policy to allow proactive risk assessments to be performed by the Office of Information Security on systems housing or processing Protected or Sensitive information
January 27, 2010   Entire manual   Created a web site for the manual

000 Introduction

Information Security Policies & Procedures Manual
Section 000: Introductory Material
Effective: 01/11/2010

The OSU Information Security Manual documents key elements of OSU’s Information Security Program, including Policies and Procedures required by Oregon law, Oregon University System Rules, and Information Security best practices. Its formation was specifically dictated by the Oregon University System Information Security Policy (OAR 580-055-0000) and the Oregon Consumer Identity Theft Protection Act of 2007 (more info at http://www.cbs.state.or.us/dfcs/id_theft.html).

OSU takes seriously its responsibility to protect and care for the information entrusted to us by our students, faculty, staff, and partners. The Policies and Procedures outlined in this manual document how we will meet our responsibilities as stewards of information entrusted to us as an institution of higher education. This manual is not intended to be a step-by-step guide for faculty and staff; however, elements of it may be required reading in certain circumstances.

Information Security Policies apply to all members of the OSU Community; however, in certain circumstances specific restrictions on information may be required by the terms of a grant, federal law, or departmental policies.  In the event of an inconsistency or conflict, applicable law and the State Board of Higher Education’s policies supersede University policies and University policies supersede college, department or lower unit bylaws, policies, or guidelines. 

These policies and procedures apply regardless of the media on which information resides. Specifically, they apply to paper and traditional hard-copy information, as well as to information on electronic, microfiche, CD/DVD, or other media. They also apply regardless of the form the information may take, for example text, graphics, video, audio, or their presentation.

Appendix A: Data Classification by Data Element

Information Security Policies and Procedures Manual
Appendix A: Data Classification by Data Element
Effective: 02/20/2014
Revised: 04/11/2014


Protected Information:

Social Security Number

Driver’s License/State-issued Identification Number

Visa/Passport Number

Credit Card Number

Bank Account Number

Health Insurance Policy Number

Income Tax Records

Personally Identifiable Health Information, including Personally Identifiable Genetic Information

Classified Research Data

Personal Finance Disclosure/Information

Identifiable Human Subjects Research Data designated as Level 3 by the Institutional Review Board (IRB)

Research Data with Export Control/ITAR limitations


Sensitive Information:

Data defined as confidential by the Family Educational Rights and Privacy Act (FERPA)

Employment Applications

Employee Performance Evaluations

Confidential Donor Information

Identifiable Human Subjects Research Data designated as Level 2 by the IRB

Minutes from Confidential Meetings

Accusations of Misconduct and records from investigations

Common Identifiers: Date of Birth, Place of Birth, Mother’s Maiden Name

Demographic Information such as race, ethnicity, gender, sexual orientation or identity when personally identifiable

Admission applications

Privileged Attorney-Client Communications

ID Photos

100 Information Security Roles and Responsibilities

101: Institutional Responsibilities

Information Security Policies & Procedures Manual
Section 100: Information Security Roles and Responsibilities
Effective: 01/11/2010

Purpose

The purpose of this Institutional Responsibilities document is to clearly outline the roles of President, CIO, and CISO in fulfilling Oregon State University’s responsibilities with respect to information security as directed in the OUS Information Security Policy.

Institutional Responsibilities

President:  As directed in the OUS Information Security Policy, the President has overall oversight responsibility for institutional provisions set forth in that policy.  The President will hold the CIO and CISO accountable for instituting appropriate policy and programs to ensure the security, integrity, and availability of OSU’s information assets.

Chief Information Officer (CIO):  As directed in the OUS Information Security Policy, the CIO is responsible for ensuring that the institutional policies governing Information Systems, User and Personal Information Security, Security Operations, Network and Telecommunications Security, Physical and Environmental Security, Disaster Recovery, and Awareness and Training are developed and adhered to in accordance with the OUS policy.

Chief Information Security Officer (CISO):  Reporting to the CIO, the CISO is responsible for the member institution’s security program and for ensuring that institutional policies, procedures, and standards are developed, implemented, maintained, and adhered to.

102: University Community Responsibilities

Information Security Policies & Procedures Manual
Section 100: Information Security Roles and Responsibilities
Effective: 01/11/2010

Purpose

The purpose of this section is to clarify individual responsibility in handling information entrusted to the institution.

Background

The University is required to protect certain information by federal laws, state laws, and State Board of Higher Education administrative rules.  However, ready access to information is a requirement for academic inquiry and the effective operation of the institution.  Current information technology makes it easier than ever for individuals to collect, process, and store information on behalf of the University; therefore, all individuals acting on behalf of the university need to understand their responsibilities.

Responsibilities

Individuals, including faculty, staff, other employees, and affiliated third party users, who are part of the University Community have a responsibility to protect the information entrusted to the institution.  When special protections are warranted, the appropriate Records Custodian will define appropriate handling requirements and minimum safeguards.  All members of the OSU Community have an obligation to understand the relative sensitivity of information they handle, and abide by University policy regarding protections afforded that information.  These protections are designed to comply with all federal and state laws, regulations, and policies associated with Information Security. 

Responsibilities include:

  • Comply with University policies, procedures, and guidelines associated with information security.
  • Meet or exceed the minimum safeguards as required by the Records Custodian based on the information classification.
  • Comply with handling instructions for Protected Information as provided by the Records Custodian. 
  • Report any unauthorized access, data misuse, or data quality issues to your supervisor, who will contact the Records Custodian for remediation.
  • Participate in education, as required by the Records Custodian(s), on the required minimum safeguards for Protected Information.

103: Records Custodians

Information Security Policies & Procedures Manual
Section 100: Information Security Roles and Responsibilities
Effective: 01/11/2010

Purpose

The purpose of this section is to clarify the role of “Records Custodian” as defined in OSU policy and practice, to ensure that specific University obligations are met.

Background Information

OSU’s policy on Acceptable Use of University Information defines a specific set of data related to the operation of the University and assigns a set of Records Custodians for those data in accordance with state law and University standard practice.  These Records Custodians have been designated by the University President to ensure accountability and proper records handling for institutional data regardless of which individual collects this information on behalf of the University.  These data include student records, financial records, and human resource records.  For the purposes of Information Security Policy, University personnel who collect data that do not fit these categories are recognized as the appropriate Records Custodian for that data.  

Responsibilities

Records Custodians documented in the Acceptable Use of University Information policy (or their delegates) have planning and policy-level responsibility for Information Systems within their functional areas and management responsibility for defined segments of Institutional Information.  All Records Custodians have the responsibility to ensure appropriate handling of information entrusted to the institution.

Records Custodians should do the following:

  1. Develop, implement, and manage information access policies and procedures.
  2. Ensure compliance with contractual obligations and/or federal, state, and University policies and regulations regarding the release of, responsible use of, and access to information.
  3. Assign information classifications based on a determination of the level of sensitivity of the information (see OSU ISM 202: Information Systems – Classification Standards).
  4. Assign appropriate handling requirements and minimum safeguards which are merited beyond baseline standards of care as defined in OSU ISM 203.
  5. Promote appropriate data use and data quality, including providing communication and education to data users on appropriate use and protection of information.
  6. Develop and implement record and data retention requirements in conjunction with University Archives.

200 Information Systems Security

201: Information Systems Security - General

Information Security Policies & Procedures Manual
Section 200: Information Systems Security
Effective: 01/11/2010

Purpose

The purpose of this section is to define in general terms what is meant by Information Systems Security and to set forth the University’s commitment to create and maintain an Information Security Program.

Scope

Information Systems are composed of three major components: data, applications, and infrastructure systems.  All three must be addressed in order to ensure overall security of these assets.

Information Security Program

OSU hereby establishes an Information Security Program by adopting and documenting within this Information Security Manual, policies, procedures, security controls, and standards which govern Information Systems including data, applications, and infrastructure systems as those assets are classified according to their relative sensitivity and criticality.  This program should ensure that fundamental security principles, such as those embodied in the ISO 27000 series standards or those generally incorporated into the COBIT framework, are established and maintained.

The foundation of this Information Security Program will be the established information classification system and baseline standards of care established in this manual; however, for these to be effective all three aspects of information systems must be addressed.  This is not just about data, it is also about how data are stored and processed.

202: Information Systems – Data Classification and Stewardship Policy

Information Security Policies and Procedures Manual
Section 200: Information Systems Security
Effective: 01/11/2010
Revised: 02/20/2014

I. Scope

This policy applies to all academic, research, and administrative departments and offices at all Oregon State University locations. This policy applies to all University faculty, staff, students, visitors, contractors and affiliates. 

This policy governs the confidentiality, integrity, and availability of university data and the responsibilities of institutional units and individuals for that data.


II.  Purpose

Oregon State University has an established history of sharing data with the many communities of which it is a part.  We are also entrusted by our constituencies with data of a private or personal nature.  These data are essential to our operation as an institution of higher education and we are obligated to protect them. Additionally, there are State and Federal laws that identify certain types of data that must be treated with care.

This policy establishes a framework to allow us to comply with these mandates and to protect the confidentiality, integrity, and availability of university data.


III. Information Classifications

Protected Information

Protected Information is the most restrictive information classification. There are four types of data that fit within this classification:

  1. Information of a personal nature that could lead to identity theft or exposure of personal health information if not safeguarded,
  2. Research data identified as highly sensitive by a funding agency or other research partner,
  3. Certain financial data, and
  4. Specific technical information about the mechanisms used to restrict access to, or otherwise secure, data within this classification.

Specific data elements classified as Protected Information are listed in Appendix A.

Access to Protected Information is on a need-to-know basis only and requires prior approval from the designated Records Custodian (see Acceptable Use of University Information Policy). The use or storage of Protected Information, either in paper or electronic form, must follow the Standards of Care for Protected Information.

Unauthorized disclosure of Protected Information must be reported to the Chief Information Security Officer.

Sensitive Information

Sensitive Information is data that, by their very nature or regulation, are private or confidential and must not be disclosed except to a previously defined set of authorized users.

Some examples of Sensitive Information include data defined as confidential by the Family Educational Rights and Privacy Act (FERPA), employee performance evaluations, confidential donor information, some research data, accusations of misconduct, or any other information that has been identified by the University, its contractors or funding agencies, or Federal or State regulations, as private or confidential and not to be disclosed.

Specific data elements classified as Sensitive Information are listed in Appendix A.

Access to Sensitive Information is on a need-to-know basis only. The use or storage of Sensitive Information, either in paper or electronic form, must follow the Standards of Care for Sensitive Information.

Unauthorized disclosure of Sensitive Information must be reported to the designated Records Custodian.

Unrestricted Information

Unrestricted Information is data intended for general use. 

In order to ensure the integrity of Unrestricted Information, the use or storage of that information must follow the Standards of Care for Unrestricted Information.


203: Information Systems – Baseline Standards of Care

Information Security Policies & Procedures Manual
Section 200: Information Systems Security
Effective: 01/11/2010
Revised: 02/20/2014

Purpose

The purpose of this policy is to define the baseline standards of care based on the designated classification of Information Systems. 

Standards of Care

The following standards apply to people and machines that have access to and/or process information according to its classification as Protected, Sensitive, or Unrestricted.  Specific additional handling requirements above the baseline may in fact be required by the Records Custodian to ensure compliance with law, policy, or contractual obligation.  These baseline standards are set as a minimum; adoption of stricter security practices is encouraged where practicable.  


203-01 Baseline Standards for Protected Information

All computer systems (workstations and servers) which store or process Protected Information shall have restricted access to only authorized personnel; fully patched operating systems and applications; current anti-virus software with current virus definitions; and if attached to the network will be in a secured zone protected by appropriate firewall rules.  Workstations used by authorized personnel with direct write access to Protected Information will also be configured to automatically apply patches and current anti-virus definitions and will not be accessed via a local system administrator or domain administrator account on the local machine for day-to-day activities.

All personnel granted direct access to Protected Information should be instructed on the proper use and handling of this information and are subject to OSU Policies regarding security sensitive personnel.  Under no circumstances should Protected Information be disclosed to anyone outside OSU without authorization from the appropriate supervisory personnel.


203-02 Baseline Standards for Sensitive Information

All computer systems which store or process Sensitive Information should have restricted access granted only to authorized personnel affiliated with OSU, and shall have fully patched operating systems and applications, and current antivirus software with current virus definitions.  Any such computer system is also subject to Network Services’ network security policy.

All personnel granted access to sensitive information should not disclose this information to parties outside of OSU without authorization by appropriate supervisory personnel.


203-03 Baseline Standards for Unrestricted Information

All computer systems which store or process Unrestricted Information will have write access restricted only to authorized personnel to ensure that information presented is not edited without appropriate authorization. Any such computer system is also subject to Network Services’ network security policy and should have fully patched operating systems and applications, and current antivirus software with current virus definitions.


203-04 Mobile Computing

All mobile computer systems or portable storage media, which store Protected Information, shall be encrypted with at least the 256-bit encryption common in operating systems and encoding devices sold in the United States in addition to the baseline requirement prescribed in 203-01.  Those that cannot meet this requirement due to the proprietary nature of how they are created, such as back-up tapes, must be stored in a physically secure area and shall only be transported in a manner commensurate with OSU ISM 601-03.

As noted in the Personal Information Privacy Policy (OSU ISM 301), certain highly sensitive data elements are strictly prohibited from portable media. 

204: Use of Third-Party/Non-OSU Services

Information Security Policies & Procedures Manual
Section 200: Information Systems Security
Effective: 02/20/2014

I. Scope

This policy applies to all academic, research, and administrative departments and offices at all Oregon State University locations. This policy applies to all University faculty, staff, students, visitors, contractors and affiliates. 

This policy governs the confidentiality, integrity, and availability of university data and the responsibilities of institutional units and individuals for that data.

For purposes of this policy, a “non-OSU System” is a computer system that is not physically, administratively, and legally controlled by OSU.  A system is administratively controlled by OSU only if OSU controls the software, devices and procedures used to access the system. This policy is not directed toward devices personally owned by employees.

II. Purpose

The purpose of this section of the policy is to define acceptable terms for the use of third-party information technology services, such as Software as a Service (SAAS), Infrastructure as a Service (IAAS), or “Cloud” services.  This policy establishes a framework that complies with Federal, State and Local laws, as well as with other University Policies, requiring the protection of the confidentiality, integrity, and availability of data.

III. Policy

Under no circumstance shall any information classified as Protected be placed on a non-OSU System other than those officially designated by the Vice Provost for Information Services. Data elements classified as Protected are listed in Appendix A.

Information classified as Sensitive may be placed on a non-OSU System following the completion of a regulatory compliance review, approval by the designated records custodian charged with the care of that data, and contract terms that establish appropriate protection of that data.  At the request of the records custodian, the Vice Provost for Information Services will conduct a risk assessment to help the records custodian determine whether the protection is adequate.

Furthermore, the individuals managing data classified as Protected or Sensitive must limit access consistent with the restrictions established in Section 200, must understand the policies associated with the use of that service, and must ensure that permissions to the data are accurately and appropriately managed. Protected and Sensitive information housed on non-OSU Systems must never be made publicly accessible.

If the third-party service does not meet the standards for storing certain types of information, the records custodian may ask the Vice Provost for Information Services for assistance in determining whether the University can establish appropriate protection to use the service by modifying types of information stored, business practices, or establishing other safeguards.

Information classified as Unrestricted may be stored on a non-OSU System by employees in the course of conducting University business, whether or not a University contract is in place. Employees are responsible for assuring that access is consistent with the restrictions established in Section 200, that they understand the policies associated with the use of that service, and that permissions to the data are accurately and appropriately managed.

300 User and Personal Information Security

301: Personal Information Privacy

Information Security Policies & Procedures Manual
Section 300: User and Personal Information Security
Effective: 01/11/2010

Purpose

The purpose of this policy is to establish clear guidelines for handling specific data elements which pose a risk of Identity Theft to our community members, should those data elements be compromised through unauthorized access due to a breach of security.  These data elements are generally used in conjunction with other information, such as full name, which may constitute enough information to establish credit or perpetuate other forms of fraud associated with Identity Theft.

Scope

This policy is applicable to all OSU community members including all employees, students, contractors, consultants, agents, and vendors working on OSU’s behalf.  It is applicable to all OSU Information Assets, regardless of form or media. It applies to information gathering, protection, use, processing, storage, communications, and transit.

Policy

Each element below merits extra protections beyond any baseline.

Social Security Number:   All access and use at Oregon State University of the Social Security Number is prohibited except for meeting federal or state requirements, compliance and reporting.

VISA/Credit Card Numbers:  All access and use at Oregon State University of VISA/Credit Card numbers shall meet Payment Card Industry (PCI) security standards, and any system handling these numbers shall have a responsible party of record who will be accountable to the Director of Business Affairs for ensuring compliance.

Bank Account Numbers:  All access and use of bank account numbers at Oregon State University is restricted to the following uses:

Business Affairs
  • Processing direct deposit transactions, both incoming and outgoing
  • Processing wire transfers

Department Personnel
  • Processing wire transfers – Paper copies of this data may be stored during the processing phase. They should be kept in a physically secure location with limited personnel access. Departments are prohibited from storing electronic copies of this data. Once verification of transfer is complete, the paper copy should be redacted or destroyed through an approved OSU confidential document destruction method.

Driver’s License Numbers and/or National Identification Numbers:   All access and use of state or national Driver’s License and/or National Identification Numbers for Oregon residents at Oregon State University will be reported to the Chief Information Security Officer and all reasonable precautions will be taken to ensure the integrity and confidentiality of this information.       

Under no circumstance shall Social Security Numbers, VISA/Credit Card Numbers, Bank Account Numbers, or Driver’s License/National Identification Numbers be stored in a non-redacted form on any portable electronic media, including but not limited to laptops, flash drives, and CD-ROMs.
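As an added example (not OSU’s own tooling and not part of this manual), the following Python script checks a block of text for non-redacted Social Security Numbers and payment card numbers, the two elements above that have a recognizable format, and produces a redacted copy that keeps only the last four digits. The regular expressions, the Luhn filter, and the sample text are constructed assumptions; bank account and driver’s license numbers have no single nationwide format and are not detected, so a scan like this supplements, rather than replaces, review by the responsible Records Custodian.

```python
"""Scan text for SSNs and Luhn-valid payment card numbers and redact them.

Illustrative code only. The patterns below are assumptions about common
formats, not an OSU standard; the sample text is constructed.
"""
import re

# SSN candidates: 9 contiguous digits or the dashed 3-2-4 layout.
# Area numbers 000, 666 and 900-999 are never issued; group and serial
# parts cannot be all zeros.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}"
    r"(?:-(?!00)\d{2}-(?!0000)\d{4}|(?!00)\d{2}(?!0000)\d{4})\b"
)

# Card candidates: 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: one SSN, one well-known Visa test number, plus a phone
# number and an order id that must NOT be flagged.
SAMPLE_TEXT = (
    "Student SSN 123-45-6789, card 4111 1111 1111 1111, "
    "phone 541-737-1000, order 987654321098."
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_protected_elements(text: str) -> list:
    """Return (kind, start, end) tuples for each SSN or Luhn-valid card number found."""
    hits = [("ssn", m.start(), m.end()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):      # drops most phone numbers and random digit runs
            hits.append(("card", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def redact(text: str) -> str:
    """Replace each detected element with a placeholder that keeps only the last 4 digits."""
    out, pos = [], 0
    for kind, start, end in find_protected_elements(text):
        if start < pos:          # overlaps an element already redacted
            continue
        out.append(text[pos:start])
        last4 = re.sub(r"\D", "", text[start:end])[-4:]
        out.append(f"[{kind.upper()} REDACTED ...{last4}]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for kind, start, end in find_protected_elements(SAMPLE_TEXT):
        print(f"{kind}: {SAMPLE_TEXT[start:end]}")
    print(redact(SAMPLE_TEXT))
```

Run it over exported files before they go onto a laptop or flash drive; anything it reports, and anything the Records Custodian knows is present but has no fixed format, must be redacted or removed before the media leaves a secured location.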

Procedures

Specific procedures for handling these elements will be defined by the Records Custodians for student records, employee data, and business transactions.

Responsibilities

All members of the OSU community have a responsibility to protect these elements and ensure that they are handled with the utmost care.  All efforts should be made to avoid the direct storage and use of these elements unless required by business need.

Records Custodians with student record, employee data, or business transactions responsibilities have a responsibility to ensure that those business needs that require handling these elements are limited to the employees required to handle this information and that reasonable controls and precautions to protect these elements are in place. 

302: User Specific Policies

Information Security Policies & Procedures Manual
Section 300: User and Personal Information Security
Effective: 01/11/2010

Purpose

The purpose of this section is to outline existing OSU User specific policies which fulfill OSU’s obligations under the OUS Information Security Policy.

Policies and Procedures


302-01 Acceptable Use Policy (AUP)

OSU maintains the Acceptable Use of University Computing Resources as part of the General Policies of the institution, with the official and current copy residing at http://oregonstate.edu/aup.htm. As stated in the AUP, it applies to “all users of university computing resources, whether affiliated with the University or not, and to all use of those resources, whether on campus or from remote locations. Additional policies may apply to computing resources provided or operated by individual units of the University or to uses within specific units.”  Acknowledgement of this policy and agreement to abide by it are part of the account activation process for all central computer systems.


302-02 Security Sensitive Personnel

OSU maintains a policy regarding criminal background checks for Security Sensitive Personnel in compliance with Oregon Administrative Rules and as part of the Office of Human Resources Policy and Procedure Manual.


302-03 Account Management

OSU creates system accounts, referred to as OSU Network ID (or ONID), for general access to OSU centralized resources.  These accounts are generated and disabled programmatically based on information stored in the Student and Human Resources Information Systems about current status as employee or student.  Accounts local to a specific system are defined by the department which manages the system.  In the case of the Banner Human Resources, Student, and Financial Information System, accounts are authorized and revoked in accordance with parameters set by the appropriate Records Custodian.   

400 Network and Telecommunications Security

401: Transmission of Protected Information

Information Security Policies & Procedures Manual
Section 400: Network and Telecommunications Security
Effective: 01/11/2010
Revised: 02/20/2014

Purpose

The purpose of this section is to state OSU’s policy regarding the transmission of protected information over the network.

Background

Once information is classified as Protected Information, established baseline standards ensure that the information resides and is processed within a secured zone of the network.  However, normal business operation does from time to time require the transfer of Protected Information to other authorized parties for purposes consistent with OSU’s mission and OSU’s obligations to protect the information.

Policy

It is the policy of OSU that no Protected Information be transmitted over any network outside of the secured zones within the OSU network, unless appropriate and standard encryption techniques are used.  Under no circumstances will Protected Information be transmitted across an unsecured network in clear text. In particular, it should be noted that Email is not by default an encrypted means of transmission and any Email sent is subject to this restriction.

402: Secured Zones for Protected Systems

Information Security Policies & Procedures Manual
Section 400: Network and Telecommunications Security
Effective: 01/11/2010

Purpose

The purpose of this section is to state OSU’s procedures regarding network security and firewall architecture to protect Protected Information.

Procedure

OSU Network Services establishes Secured Zones using current firewall technology and the appropriate network access control rule set to ensure that only authorized access is permitted to information systems which contain or will have access to Protected Information.  The overall architecture is based on separation of servers and workstations and the creation of various security zones based on the relative sensitivity.  Departmental zones are established for local servers and services and authority to manage the rules set for those zones is delegated to authorized departmental personnel.  Network Services monitors and audits all rule sets.

Direct connections to the OSU data network are controlled and restricted to authorized personnel only by means of ONID credentials and a registration process for computers. All remote connections are limited to approved gateways only. All machines connected to the OSU network are subject to the OSU Network Security Policy (see http://oregonstate.edu/net/info/policy/network_security_policy.php).

500 Security Operations

501: Risk Assessment

Information Security Policies & Procedures Manual
Section 500: Security Operations
Effective: 01/11/2010
Revised: 02/20/2014

Purpose

The purpose of this section is to articulate how OSU will conduct risk assessment by first proactive and then reactive means.

Procedure

The proactive component will consist of regular risk assessments, conducted by the Office of Information Security, by Internal Audit, or by an agent acting on their behalf, of systems declared critical by the University and of systems that house or process Protected or Sensitive Information. This will ensure that data elements identified as Protected or Sensitive have the appropriate security measures in place to protect them.

The reactive component of risk assessment will be a periodic review of information security incidents.  The Chief Information Security Officer will periodically review the tracked information security incidents and will identify problem areas to be addressed in an Annual Information Security report to the Chief Information Officer.

502: Incident Response and Escalation

Information Security Policies & Procedures Manual
Section 500: Security Operations
Effective: 01/11/2010

Purpose

The purpose of documenting this procedure in the Information Security Manual is to clarify and formalize Security Operations and Procedures in the event of Information Security incidents.

Scope

The scope of these procedures is limited to Information Security Incidents.  Incidents overlapping with physical security, personnel action, or student conduct will be handled in accordance with established protocols and procedures; however, the CISO will be apprised to ensure that Information Security specific aspects of any incident are addressed.

Procedure

In compliance with RFC 2142, OSU maintains appropriate Email aliases for the reporting of various activities originating from hosts on OSU’s network.  The abuse@oregonstate.edu alias in particular is widely accepted across the internet, and specifically identified by OSU in our network registration, as the appropriate alias to notify when a breach is suspected or other Information Security Incidents are detected.  Network Engineering will maintain this Email alias; respond to and track all reports of Information Security Incidents; and ask that responsible parties verify whether or not Personal Information, Protected Information, or Sensitive Information was involved.

In the case where Personal Information or Protected Information is involved, these incidents will be initially escalated to the attention of the Chief Information Security Officer, who will create an incident response report.

Information Security Incidents involving Personal Information will be reviewed by legal counsel to ensure appropriate responses are taken in accordance with Oregon law, and a copy of the report will be shared with the appropriate Records Custodian(s), the University Provost, the Oregon University System Vice Chancellor for Finance and Administration, the Oregon University System Internal Audit Division, and University News and Communications Services as appropriate to deal with media implications.

Information Security Incidents involving Protected Information will be reviewed by the appropriate Records Custodian(s), and a copy of the incident report will be shared as deemed appropriate by the Records Custodian(s).

Information Security Incidents involving Sensitive Information will be logged and noted in the annual Information Security Report.

600 Physical and Environmental Security

601: Physical Areas Containing Protected Information

Information Security Policies & Procedures Manual
Section 600: Physical and Environmental Security
Effective: 03/20/2014

Purpose

The purpose of this section is to outline specific physical security policies and procedures which overlap with Information Security.

Background

In general, physical security is the responsibility of Public Safety on campus.  There are, however, areas needing special attention where Information Security can be affected: the buildings where central servers are housed; office space where Protected Information is regularly accessed and visible to people in the immediate proximity; the surplusing of electronic storage media from the university; and the physical transport of Protected Information, such as when tape backups are taken off site.

Policies and Procedures


601-01 Milne Computer Center and Banner Systems

The machine room within Milne Computer Center is to be considered a restricted area where only authorized personnel are allowed.  Standard security measures such as name badges and audited door access codes shall be employed for physical access to the room.  Given the critical nature of the Banner systems, the facility shall also be equipped with standby emergency power (both stored and generated) and shall be monitored for availability 24 hours a day, 7 days a week.


601-02 Disposal of Surplus Property

All electronic storage media are subject to the OSU Policy on Disposal of Data Storage Equipment maintained by OSU Business Services.  This policy states that information shall be purged from all electronic media prior to surplus.


601-03 Transportation of Protected Information

All physical transportation of Protected Information shall be done by a trusted courier who can provide document and pouch-level traceability.  In the case where Personal Information for more than 1000 individuals is to be transported, either in paper or electronic form, sealed pouches for paper documents and lock boxes for transport of tapes/CDs are required.

602: Protecting Information Stored on Paper

Information Security Policies & Procedures Manual
Section 600: Physical and Environmental Security
Effective: 01/11/2010

Background

Paper documents that include Protected Information or Sensitive Information such as social security numbers, student education records, an individual's medical information, benefits, compensation, loan, or financial aid data, and faculty and staff evaluations are to be secured during printing, transmission (including by fax), storage, and disposal.

Procedure

University employee and supervisor responsibilities include:

  • Do not leave paper documents containing Protected Information or Sensitive Information unattended; protect them from the view of passers-by or office visitors.
  • Store paper documents containing Protected Information or Sensitive Information in locked files.
  • Store paper documents that contain information that is critical to the conduct of University business in fireproof file cabinets. Keep copies in an alternate location.
  • Do not leave the keys to file drawers containing Protected Information or Sensitive Information in unlocked desk drawers or other areas accessible to unauthorized personnel.
  • All records are subject to OUS records retention policies and should only be disposed of in accordance with the retention schedule defined within those policies.  More information can be found at http://osulibrary.oregonstate.edu/archives/schedule/ .  Once the retention schedule has been met, shred confidential paper documents and secure such documents until shredding occurs. If using the University pulping service, ensure that the pulping bin is locked and that it is accessed only by individuals identified by Business Services as those who are responsible for picking up pulping bins and who will be attentive to the confidentiality requirements.
  • Make arrangements to immediately retrieve or secure documents containing Protected Information or Sensitive Information that are printed on copy machines, fax machines, and printers.  If at all possible, documents containing Protected Information should not be sent by fax.  Those documents should be sent via a trusted courier service and secured in transit as per OSU ISM 601-03.
  • Double-check fax messages containing Sensitive Information:
    • Recheck the recipient's number before you hit 'start.'
    • Verify the security arrangements for a fax's receipt prior to sending.
    • Verify that you are the intended recipient of faxes received on your machine.

700 Disaster Recovery

Information Security Policies & Procedures Manual
Section 700: Disaster Recovery
Effective: 01/11/2010

Purpose

The purpose of this section is to outline the Disaster Recovery Plans that are in place or in progress.

Background

Disaster Recovery is part of planning for every department at OSU.  The overall campus plan envisions coordination in an Emergency, with the expectation that university departments will ensure the survivability of their critical assets, maintain the functioning of those assets as long as possible, and be able to resume their normal function after the Emergency is over and the recovery begins.  For Information Security there are two critical areas where planning is required to meet these objectives: the Banner System (with critical Enterprise Information) and the campus Communications System.


701-01 Enterprise Computing

Enterprise Computing maintains a disaster plan for the Banner systems.  The current copy is managed by the Director of Enterprise Computing and can be reviewed upon request.


701-02 Communications Systems

Network Services is responsible for both the phone and data networks on campus and maintains a disaster plan for those networks.  The current copy is managed by the Director of Network Services and can be reviewed upon request.

800 Awareness and Training

801: Awareness and Training Action Plan

Information Security Policies & Procedures Manual
Section 800: Awareness and Training
Effective: 01/11/2010

Purpose

The purpose of this section is to identify the activities OSU is engaged in to promote Information Security awareness among members of the University Community.

Background

The first step in promoting Information Security awareness at OSU is the formation of this Information Security Program.  By formalizing our policies and procedures with respect to Information Security and posting this manual on the web for employees to read, we hope to initiate the discussion of Information Security and what we all can do to better protect the information entrusted to the institution.  Beyond this and related discussion events, OSU will:

  • Integrate training for proper handling of protected information in the Banner training required by all employees seeking access to the Banner System.
  • Include information about stopping ID theft in New Employee Orientation.
  • Incorporate a statement of understanding and acceptance of the policies and procedures included in this manual with every Secure Sockets Layer (SSL) certificate credential issued on behalf of OSU and managed by Network Services.

802: Definitions

Information Security Policies & Procedures Manual
Section 800: Awareness and Training
Effective: 01/11/2010

128-Bit Encryption

Encryption using a key that is 128 bits in length.  This form of encryption is commonly found as the default encryption level in commercially available software.

Baselines

Baselines are mandatory descriptions of how to implement security packages to ensure a consistent level of security throughout the organization. Different systems have different methods of handling security issues. Baselines are created to inform user groups about how to set up the security for each platform so that the desired level of security is achieved consistently.

Chief Information Security Officer (CISO)

The CISO is responsible for the University’s information security program and for ensuring that policies, procedures, and standards are developed, implemented and maintained.

Clear Text

Non-encrypted data.

FERPA

The Family Educational Rights and Privacy Act establishes an obligation for the University to keep student records private and accessible only to those with an educational need to know, as opposed to information designated as directory information, which is public.

Guidelines

General statements designed to achieve a policy’s objectives by providing a framework within which to implement controls not covered by procedures.

HIPAA

The Health Insurance Portability and Accountability Act establishes an obligation for the University to secure and protect all Individually Identifiable Health Information which we possess.

Information Security Incidents

Information security incidents include virus infections, spam generation reports, computers that have been “hacked”, sharing of Protected Information to unauthorized personnel, etc.  Incidents may have Information Security, student confidentiality, and/or personnel action implications.  Student confidentiality and personnel actions take precedence and should be addressed first and in the standard manner.

Information Systems

Information Systems are composed of three major components: data, applications, and infrastructure systems.  All three must be addressed in order to ensure overall security of these assets. 

Institutional Information

Institutional Information is all information created, collected, maintained, recorded or managed by the university, its staff, and all agents working on its behalf. 

Personally Identifiable Information

In the context of this set of policies and procedures, this term will be used as defined in Oregon’s 2007 SB 583, the Consumer Identity Theft Protection Act:
“(11) 'Personal information':
  (a) Means a consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
  (A) Social Security number;
  (B) Driver license number or state identification card number issued by the Department of Transportation;
  (C) Passport number or other United States issued identification number; or
  (D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account.
  (b) Means any of the data elements or any combination of the data elements described in paragraph (a) of this subsection when not combined with the consumer's first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.
  (c) Does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.”

Policy

An information security policy is a set of directives established by the University administration to create an information security program, establish its goals and measures, and target and assign responsibilities. Policies should be brief and solution-independent.

Procedures

Step by step specifics of how standards and guidelines will be implemented in an operating environment.

Protected Information

Protected Information is information protected by statutes, rules, regulations, University policies, contractual language, and/or is considered to be personally identifiable.  The highest levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use.

Records Custodian

Certain Records Custodians are designated by the University President and documented in the Acceptable Use of University Information policy.  These Records Custodians (or their delegates) have planning and policy-level responsibility for data within their functional areas and management responsibility for defined segments of institutional data relating to student records, financial information, and employee records.  For the purposes of this Information Security Policy, any university personnel collecting data not falling under these definitions will be considered the appropriate Records Custodian for that data.

Secured Zones

Segments of data networks which have network-level security rules applied to restrict access to authorized personnel only.  This is typically done with firewall rules and Virtual Private Networks.

Sensitive Information

Sensitive Information is information that must be guarded due to proprietary, ethical, or privacy considerations, or whose unauthorized access, modification or loss could seriously or adversely affect the University, its partners, or the public.  High or moderate levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use. This classification applies even though there may not be a statute, rule, regulation, University policy, or contractual language prohibiting its release.

Standards

Standards are mandatory activities, actions, rules or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective.

University Community Members

Students, faculty, staff, volunteers, contractors, affiliates, or agents who have access to University Information Systems, and all University units and their agents, including external third-party relationships.  This access is granted solely to conduct University business.

Unrestricted Information

Unrestricted Information, while subject to University disclosure rules, may be made available to members of the University community and to individuals and entities external to the University. In some cases, general public access to Unrestricted Information is required by law.  While the requirements for protection of Unrestricted Information are considerably less than for Protected Information or Sensitive Information, sufficient protection will be applied to prevent unauthorized modification of such information.

803: Reference Material

Information Security Policies & Procedures Manual
Section 800: Awareness and Training
Effective: 01/11/2010

803-01 ISO 27000 Series

From www.27000.org:

The ISO 27000 series of standards have been specifically reserved by ISO for information security matters and will be populated with a range of individual standards and documents. The following series is currently planned or already published:

ISO 27001 – Specification for an information security management system (ISMS).

ISO 27002 – Potential new standard for existing ISO 17799, which is a code of practice for Information Security.

ISO 27003 – New standard for guidance on the implementation of an ISMS.

ISO 27004 – New standard for information management measurement and metrics.

ISO 27005 – New standard for information risk management.

ISO 27006 – New standard to provide guidelines for the accreditation of organizations offering ISMS certification.


803-02 Control Objectives for Information and related Technology (COBIT)

From www.isaca.org/cobit:  COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

OUS Internal Audit will be using COBIT as their auditing standard for Information Security.


803-03 OUS Information Security Policy

Formally adopted by the Board of Higher Education in June 2007, the Oregon University System Information Security Policy has been incorporated as OAR 580-055-0000 and is available at:

http://arcweb.sos.state.or.us/rules/OARS_500/OAR_580/580_055.html

This policy identifies eight areas where policies and procedures are required to be adopted by each institution in the system and contains some minimum requirements for each area.  This manual is organized to address all eight areas.


803-04 Oregon’s 2007 Consumer Identity Theft Protection Act

Passed by the 2007 Oregon Legislature as Senate Bill 583 and signed into law by the Governor, this law requires entities that collect “personal information” on Oregon residents to adopt administrative and technical safeguards to protect it.  It also requires notification in the event of a security breach involving this information.  More information can be found at:

http://www.cbs.state.or.us/dfcs/id_theft.html

804: Frequently Asked Questions

Information Security Policies & Procedures Manual
Section 800: Awareness and Training
Effective: 01/11/2010

Q. What is the purpose of this Manual?

A.  The purpose of this manual is to document all of the University’s Policies and Procedures around Information Security to ensure that we comply with all of the federal and state regulations to which we are subject.


Q. Who is responsible for Information Security?

A.  Given the nature of Information and how we all use it every day, it is everyone’s responsibility to protect the information that we use.  Certain roles and responsibilities have been defined within this document to help give guidance on how to do that, but it really must be an activity we all take seriously to be effective.


Q. What do I need to protect?

A.  This manual outlines three classifications for Information Systems: Protected, Sensitive, and Unrestricted.  Each class has a different level of security applied and needs to be protected in a different way.


Q.  How do I protect it?

A.  Baseline standards for each of the classifications are defined within this document and minimum requirements are explained along with some basic rules of thumb for paper documents as well as electronic information.


Q.  I am an employee of the University; how do I figure out what classification applies to information I deal with?

A.  Protected Information will be designated by Records Custodians who have been assigned by the University to ensure that legal requirements are met for certain types of Information.  If you obtain Protected Information such as Student Records, Financial Information, or Employee Records from a central source such as Banner, you should be informed when granted access that the information is Protected.  If you collect information directly (web forms, for example), the classification still applies and you will be required to determine both who the Records Custodian is and whether or not the information you collect would be considered Protected.  In general, other than Student Records, Financial Information, and Personnel Records, it would be at the department’s discretion as to whether or not information is to be classified as Sensitive or Unrestricted if it is not already classified as Protected by a Records Custodian.


Q.  What do I do if I suspect a security breach?

A.  Report it to your department head and local IT staff who will escalate to appropriate administrative departments.


Q.  How do I decide if a public notification is required by the new ID Theft law in Oregon?

A.  That determination will be done by legal counsel.