800 Awareness and Training

801: Awareness and Training Action Plan

Information Security Policies & Procedures Manual
Section 800: Awareness and Training
Effective: 01/11/2010

Purpose

The purpose of this section is to identify the activities OSU is engaged in to promote Information Security awareness among members of the University Community.

Background

The first step in promoting Information Security awareness at OSU is the formation of this Information Security Program.  By formalizing our policies and procedures with respect to Information Security and posting this manual on the web for employees to read, we hope to initiate the discussion of Information Security and what we all can do to better protect the information entrusted to the institution.  Beyond this and related discussion events, OSU will:

  • Integrate training for proper handling of protected information in the Banner training required by all employees seeking access to the Banner System.
  • Include information about stopping ID theft in New Employee Orientation.
  • Incorporate a statement of understanding and acceptance of the policies and procedures included in this manual with every Secure Sockets Layer (SSL) certificate credential issued on behalf of OSU and managed by Network Services.

802: Definitions


128-Bit Encryption

Encryption using a key that is 128 bits in length.  This form of encryption is commonly found as the default encryption level in commercially available software.

Baselines

Baselines are mandatory descriptions of how to implement security packages to ensure a consistent level of security throughout the organization. Different systems have different methods of handling security issues. Baselines are created to inform user groups about how to set up the security for each platform so that the desired level of security is achieved consistently.

Chief Information Security Officer (CISO)

The CISO is responsible for the University’s information security program and for ensuring that policies, procedures, and standards are developed, implemented and maintained.

Clear Text

Non-encrypted data.

FERPA

The Family Educational Rights and Privacy Act establishes an obligation for the University to keep student records private and accessible only to those with an educational need to know, as opposed to information designated as directory information, which is public.

Guidelines

General statements designed to achieve a policy’s objectives by providing a framework within which to implement controls not covered by procedures.

HIPAA

The Health Insurance Portability and Accountability Act establishes an obligation for the University to secure and protect all Individually Identifiable Health Information which we possess.

Information Security Incidents

Information security incidents include virus infections, spam generation reports, computers that have been “hacked”, sharing of Protected Information to unauthorized personnel, etc.  Incidents may have Information Security, student confidentiality, and/or personnel action implications.  Student confidentiality and personnel actions take precedence and should be addressed first and in the standard manner.

Information Systems

Information Systems are composed of three major components: data, applications, and infrastructure systems.  All three must be addressed in order to ensure the overall security of these assets.

Institutional Information

Institutional Information is all information created, collected, maintained, recorded or managed by the university, its staff, and all agents working on its behalf.

Personally Identifiable Information

In the context of this set of policies and procedures, this term will be used as defined in Oregon’s 2007 SB 583, the Consumer Identity Theft Protection Act:
“(11) 'Personal information':
  (a) Means a consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
  (A) Social Security number;
  (B) Driver license number or state identification card number issued by the Department of Transportation;
  (C) Passport number or other United States issued identification number; or
  (D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account.
  (b) Means any of the data elements or any combination of the data elements described in paragraph (a) of this subsection when not combined with the consumer's first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.
  (c) Does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.”

Policy

An information security policy is a set of directives established by the University administration to create an information security program, establish its goals and measures, and target and assign responsibilities. Policies should be brief and solution-independent.

Procedures

Step by step specifics of how standards and guidelines will be implemented in an operating environment.

Protected Information

Protected Information is information protected by statutes, rules, regulations, University policies, contractual language, and/or is considered to be personally identifiable.  The highest levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use.

Records Custodian

Certain Records Custodians are designated by the University President and documented in the Acceptable Use of University Information policy.  These Records Custodians (or their delegates) have planning and policy-level responsibility for data within their functional areas and management responsibility for defined segments of institutional data relating to student records, financial information, and employee records.  For the purposes of this Information Security Policy, any university personnel collecting data not falling under these definitions will be considered the appropriate Records Custodian for that data.

Secured Zones

Segments of data networks which have network-level security rules applied to restrict access to authorized personnel only.  This is typically done with firewall rules and Virtual Private Networks (VPNs).

Sensitive Information

Sensitive Information is information that must be guarded due to proprietary, ethical, or privacy considerations, or whose unauthorized access, modification or loss could seriously or adversely affect the University, its partners, or the public.  High or moderate levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use.  This classification applies even though there may not be a statute, rule, regulation, University policy, or contractual language prohibiting its release.

Standards

Standards are mandatory activities, actions, rules or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective.

University Community Members

Students, faculty, staff, volunteers, contractors, affiliates, or agents who have access to University Information Systems, and all University units and their agents, including external third-party relationships.  This access is granted solely to conduct University business.

Unrestricted Information

Unrestricted Information, while subject to University disclosure rules, may be made available to members of the University community and to individuals and entities external to the University. In some cases, general public access to Unrestricted Information is required by law.  While the requirements for protection of Unrestricted Information are considerably less than for Protected Information or Sensitive Information, sufficient protection will be applied to prevent unauthorized modification of such information.

803: Reference Material


803-01 ISO 27000 Series

From www.27000.org:

The ISO 27000 series of standards has been specifically reserved by ISO for information security matters and will be populated with a range of individual standards and documents. The following series is currently planned or already published:

ISO 27001 – Specification for an information security management system (ISMS).

ISO 27002 – Potential new standard for existing ISO 17799, which is a code of practice for Information Security.

ISO 27003 – New standard for guidance on the implementation of an ISMS.

ISO 27004 – New standard for information management measurement and metrics.

ISO 27005 – New standard for information risk management.

ISO 27006 – New standard to provide guidelines for the accreditation of organizations offering ISMS certification.


803-02 Control Objectives for Information and related Technology (COBIT)

From www.isaca.org/cobit: COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

OUS Internal Audit will be using COBIT as its auditing standard for Information Security.


803-03 OUS Information Security Policy

Formally adopted by the Board of Higher Education in June 2007, the Oregon University System Information Security Policy has been incorporated as OAR 580-055-0000 and is available at:

http://arcweb.sos.state.or.us/rules/OARS_500/OAR_580/580_055.html

This policy identifies eight areas where policies and procedures are required to be adopted by each institution in the system and contains some minimum requirements for each area.  This manual is organized to address all eight areas.


803-04 Oregon’s 2007 Consumer Identity Theft Protection Act

Passed by the 2007 Oregon Legislature as Senate Bill 583 and signed into law by the Governor, this law requires entities that collect “personal information” on Oregon residents to adopt administrative and technical safeguards to protect it.  It also requires notification in the event of a security breach involving this information.  More information can be found at:

http://www.cbs.state.or.us/dfcs/id_theft.html

804: Frequently Asked Questions


Q. What is the purpose of this Manual?

A.  The purpose of this manual is to document all of the University’s Policies and Procedures around Information Security to ensure that we comply with all of the federal and state regulations that apply to us.


Q. Who is responsible for Information Security?

A. Given the nature of Information and how we all use it every day, it is everyone’s responsibility to protect information that we use.  Certain roles and responsibilities have been defined within this document to help give guidance on how to do that but it really must be an activity we all take seriously to be effective.


Q. What do I need to protect?

A.  This manual outlines three classifications for Information Systems: Protected, Sensitive, and Unrestricted.  Each class has a different level of security applied and needs to be protected in a different way.


Q.  How do I protect it?

A.  Baseline standards for each of the classifications are defined within this document and minimum requirements are explained along with some basic rules of thumb for paper documents as well as electronic information.


Q.  I am an employee of the University; how do I figure out what classification applies to information I deal with?

A.  Protected Information will be designated by Records Custodians who have been assigned by the University to ensure that legal requirements are met for certain types of Information.  If you obtain Protected Information such as Student Records, Financial Information, or Employee Records from a central source such as Banner, you should be informed when granted access that the information is Protected.  If you collect information directly (web forms, for example), the classification still applies and you will be required to determine both who the Records Custodian is and whether or not the information you collect would be considered Protected.  In general, other than Student Records, Financial Information, and Personnel Records, it is at the department’s discretion whether information is classified as Sensitive or Unrestricted if it has not already been classified as Protected by a Records Custodian.


Q.  What do I do if I suspect a security breach?

A.  Report it to your department head and local IT staff who will escalate to appropriate administrative departments.


Q.  How do I decide if a public notification is required by the new ID Theft law in Oregon?

A.  That determination will be done by legal counsel.