200 Information Systems Security

201: Information Systems Security - General

Information Security Policies & Procedures Manual
Section 200: Information Systems Security
Effective: 01/11/2010

Purpose

The purpose of this section is to define in general terms what is meant by Information Systems Security and to set forth the University’s commitment to create and maintain an Information Security Program.

Scope

Information Systems are composed of three major components: data, applications, and infrastructure systems.  All three must be addressed in order to ensure overall security of these assets.

Information Security Program

OSU hereby establishes an Information Security Program by adopting and documenting within this Information Security Manual, policies, procedures, security controls, and standards which govern Information Systems including data, applications, and infrastructure systems as those assets are classified according to their relative sensitivity and criticality.  This program should ensure that fundamental security principles, such as those embodied in the ISO 27000 series standards or those generally incorporated into the COBIT framework, are established and maintained.

The foundation of this Information Security Program will be the established information classification system and baseline standards of care established in this manual; however, for these to be effective all three aspects of information systems must be addressed.  This is not just about data, it is also about how data are stored and processed.

202: Information Systems – Data Classification and Stewardship Policy

Information Security Policies and Procedures Manual
Section 200: Information Systems Security
Effective: 01/11/2010
Revised: 02/20/2014

I. Scope

This policy applies to all academic, research, and administrative departments and offices at all Oregon State University locations. This policy applies to all University faculty, staff, students, visitors, contractors and affiliates. 

This policy governs the confidentiality, integrity, and availability of university data and the responsibilities of institutional units and individuals for that data.


II.  Purpose

Oregon State University has an established history of sharing data with the many communities of which it is a part.  We are also entrusted by our constituencies with data of a private or personal nature.  These data are essential to our operation as an institution of higher education and we are obligated to protect them. Additionally, there are State and Federal laws that identify certain types of data that must be treated with care.

This policy establishes a framework to allow us to comply with these mandates and to protect the confidentiality, integrity, and availability of university data.


III. Information Classifications

Protected Information

Protected Information is the most restrictive information classification. There are four types of data that fit within this classification:

  1. Information of a personal nature that could lead to identity theft or exposure of personal health information if not safeguarded,
  2. Research data identified as highly sensitive by a funding agency or other research partner,
  3. Certain financial data, and
  4. Specific technical information about the mechanisms used to restrict access to, or otherwise secure, data within this classification.

Specific data elements classified as Protected Information are listed in Appendix A.

Access to Protected Information is on a need-to-know basis only and requires prior approval from the designated Records Custodian (see Acceptable Use of University Information Policy). The use or storage of Protected Information, either in paper or electronic form, must follow the Standards of Care for Protected Information.

Unauthorized disclosure of Protected Information must be reported to the Chief Information Security Officer.

Sensitive Information

Sensitive Information is data that, by their very nature or regulation, are private or confidential and must not be disclosed except to a previously defined set of authorized users.

Some examples of Sensitive Information include data defined as confidential by the Family Educational Rights and Privacy Act (FERPA), employee performance evaluations, confidential donor information, some research data, accusations of misconduct, or any other information that has been identified by the University, its contractors or funding agencies, or Federal or State regulations, as private or confidential and not to be disclosed.

Specific data elements classified as Sensitive Information are listed in Appendix A.

Access to Sensitive Information is on a need-to-know basis only. The use or storage of Sensitive Information, either in paper or electronic form, must follow the Standards of Care for Sensitive Information.

Unauthorized disclosure of Sensitive Information must be reported to the designated Records Custodian.

Unrestricted Information

Unrestricted Information is data intended for general use. 

In order to ensure the integrity of Unrestricted Information, the use or storage of that information must follow the Standards of Care for Unrestricted Information.


203: Information Systems – Baseline Standards of Care

Information Security Policies & Procedures Manual
Section 200: Information Systems Security
Effective: 01/11/2010
Revised: 02/20/2014

Purpose

The purpose of this policy is to define the baseline standards of care based on the designated classification of Information Systems. 

Standards of Care

The following standards apply to people and machines that have access to and/or process information according to its classification as Protected, Sensitive, or Unrestricted.  Specific additional handling requirements above the baseline may in fact be required by the Records Custodian to ensure compliance with law, policy, or contractual obligation.  These baseline standards are set as a minimum; adoption of stricter security practices is encouraged where practicable.  


203-01 Baseline Standards for Protected Information

All computer systems (workstations and servers) which store or process Protected Information shall have restricted access to only authorized personnel; fully patched operating systems and applications; current anti-virus software with current virus definitions; and if attached to the network will be in a secured zone protected by appropriate firewall rules.  Workstations used by authorized personnel with direct write access to Protected Information will also be configured to automatically apply patches and current anti-virus definitions and will not be accessed via a local system administrator or domain administrator account on the local machine for day-to-day activities.

All personnel granted direct access to Protected Information should be instructed on the proper use and handling of this information and are subject to OSU Policies regarding security sensitive personnel.  Under no circumstances should Protected Information be disclosed to anyone outside OSU without authorization from the appropriate supervisory personnel.


203-02 Baseline Standards for Sensitive Information

All computer systems which store or process Sensitive Information should have restricted access granted only to authorized personnel affiliated with OSU, and shall have fully patched operating systems and applications, and current antivirus software with current virus definitions.  Any such computer system is also subject to Network Services’ network security policy.

All personnel granted access to Sensitive Information must not disclose this information to parties outside of OSU without authorization by appropriate supervisory personnel.


203-03 Baseline Standards for Unrestricted Information

All computer systems which store or process Unrestricted Information will have write access restricted only to authorized personnel to ensure that information presented is not edited without appropriate authorization. Any such computer system is also subject to Network Services’ network security policy and should have fully patched operating systems and applications, and current antivirus software with current virus definitions.


203-04 Mobile Computing

All mobile computer systems or portable storage media, which store Protected Information, shall be encrypted with at least the 256-bit encryption common in operating systems and encoding devices sold in the United States in addition to the baseline requirement prescribed in 203-01.  Those that cannot meet this requirement due to the proprietary nature of how they are created, such as back-up tapes, must be stored in a physically secure area and shall only be transported in a manner commensurate with OSU ISM 601-03.

As noted in the Personal Information Privacy Policy (OSU ISM 301), certain highly sensitive data elements are strictly prohibited from portable media. 

204: Use of Third-Party/Non-OSU Services

Information Security Policies & Procedures Manual
Section 200: Information Systems Security
Effective: 02/20/2014

I. Scope

This policy applies to all academic, research, and administrative departments and offices at all Oregon State University locations. This policy applies to all University faculty, staff, students, visitors, contractors and affiliates. 

This policy governs the confidentiality, integrity, and availability of university data and the responsibilities of institutional units and individuals for that data.

For purposes of this policy, a “non-OSU System” is a computer system that is not physically, administratively, and legally controlled by OSU.  A system is administratively controlled by OSU only if OSU controls the software, devices and procedures used to access the system. This policy is not directed toward devices personally owned by employees.

II. Purpose

The purpose of this section of the policy is to define acceptable terms for the use of third-party information technology services, such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), or “Cloud” services.  This policy establishes a framework that complies with Federal, State and Local laws, as well as with other University Policies, requiring the protection of the confidentiality, integrity, and availability of data.

III. Policy

Under no circumstance shall any information classified as Protected be placed on a non-OSU System other than those officially designated by the Vice Provost for Information Services. Data elements classified as Protected are listed in Appendix A.

Information classified as Sensitive may be placed on a non-OSU System following the completion of a regulatory compliance review, approval by the designated records custodian charged with the care of that data, and contract terms that establish appropriate protection of that data.  At the request of the records custodian, the Vice Provost for Information Services will conduct a risk assessment to help the records custodian determine whether the protection is adequate.

Furthermore, the individuals managing data classified as Protected or Sensitive must limit access consistent with the restrictions established in Section 200, must understand the policies associated with the use of that service, and must ensure that permissions to the data are accurately and appropriately managed. Protected and Sensitive information housed on non-OSU Systems must never be made publicly accessible.

If the third-party service does not meet the standards for storing certain types of information, the records custodian may ask the Vice Provost for Information Services for assistance in determining whether the University can establish appropriate protection to use the service by modifying types of information stored, business practices, or establishing other safeguards.

Information classified as Unrestricted may be stored on a non-OSU System by employees in the course of conducting University business, whether or not a University contract is in place. Employees are responsible for assuring that access is consistent with the restrictions established in Section 200, that they understand the policies associated with the use of that service, and that permissions to the data are accurately and appropriately managed.