200 Information Systems Security

201: Information Systems Security - General

Information Security Manual
Section 200: Information Systems Security
Effective: 01/11/2010

Purpose

The purpose of this section is to define in general terms what is meant by Information Systems Security and to set forth the University’s commitment to create and maintain an Information Security Program.

Scope

Information Systems are composed of three major components: data, applications, and infrastructure systems.  All three must be addressed in order to ensure overall security of these assets.

Information Security Program

OSU hereby establishes an Information Security Program by adopting, and documenting within this Information Security Manual, the policies, procedures, security controls, and standards that govern Information Systems (data, applications, and infrastructure systems) as those assets are classified according to their relative sensitivity and criticality.  This program should ensure that fundamental security principles, such as those embodied in the ISO 27000 series standards or those generally incorporated into the COBIT framework, are established and maintained.

The foundation of this Information Security Program will be the information classification system and the baseline standards of care established in this manual; however, for these to be effective, all three aspects of information systems must be addressed.  This is not just about data; it is also about how data are stored and processed.

202: Information Systems – Classification Standards


Purpose

The purpose of this section is to provide guidance and standards regarding the classification of Institutional Information.  Institutional Information is defined as all information created, collected, maintained, recorded, or managed by the University, its staff, and all agents working on its behalf.  It is essential that Institutional Information be protected.  There are, however, gradations that require different levels of security, and accurate classification provides the basis for applying an appropriate level of security to OSU’s Information Systems.  It is the Records Custodian’s responsibility to review Institutional Information periodically, to classify each item according to its use, sensitivity, and importance, and to implement appropriate security requirements.

Information Classifications: Protected, Sensitive, and Unrestricted


202-01: Protected Information

Protected Information is information for which there are legal requirements for preventing disclosure or financial penalties for disclosure.  Personally identifiable information, financial records, and student records are examples of Institutional Information in this class.  This information is protected by statutes, rules, regulations, University policies, and/or contractual language.  The highest levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use.

Protected Information must be protected from unauthorized access, modification, transmission, storage, or other use.  Protected Information should be disclosed to individuals on a need-to-know basis only.  Disclosure to parties outside the University is generally not permitted and must be authorized by the appropriate supervisory personnel.  Employees may be required to sign non-disclosure agreements before access to Protected Information is granted.


202-02: Sensitive Information

Sensitive Information is information that would not necessarily expose the University to loss if disclosed, but that the Records Custodian feels should be guarded against unauthorized access or modification due to proprietary, ethical, or privacy considerations.  High or moderate levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use. This classification applies even though there may not be a statute, rule, regulation, University policy, or contractual language prohibiting its release.

Sensitive Information must be protected from unauthorized access, modification, transmission, storage, or other use.  Sensitive Information is generally available to members of the University community who have a legitimate purpose for accessing such information.  Disclosure to parties outside of the University should be authorized by the appropriate supervisory personnel.


202-03: Unrestricted Information

Unrestricted Information, while subject to University disclosure rules, may be made available to members of the University community and to individuals and entities external to the University. In some cases, general public access to Unrestricted Information is required by law.

While the requirements for protection of Unrestricted Information are considerably less than for Protected or Sensitive Information, sufficient protection will be applied to prevent unauthorized modification of such information.

Scope

This section applies to all Institutional Information and to all systems, processes, and data sets that may access this information, regardless of the environment where the data resides or is processed; for example, the University mainframe enterprise server, other enterprise servers, distributed departmental servers, or personal workstations and mobile devices.  All information with a designated Records Custodian must meet the same classification level and utilize the same protective measures as prescribed by the Records Custodian for the central systems.

This policy applies regardless of the media on which data resides, for example electronic, microfiche, paper, CD/DVD, or other media.  It also applies regardless of the form the information may take, for example text, graphics, video, or audio, or their presentation.  University units may have additional policies for information within their areas of operational or administrative control.  In the event these local policies conflict with University Policy, University Policy applies.

This section applies to all University community members, whether students, faculty, staff, volunteers, contractors, affiliates, or agents, who have access to University Information Systems and to all University units and their agents including external third-party relationships.

203: Information Systems – Baseline Standards of Care


Purpose

The purpose of this policy is to define the baseline standards of care based on the designated classification of Information Systems.

Standards of Care

The following standards apply to people and machines that have access to and/or process information according to its classification as Protected, Sensitive, or Unrestricted.  The Records Custodian may require specific additional handling requirements above the baseline to ensure compliance with law, policy, or contractual obligation.  These baseline standards are set as a minimum; adoption of stricter security practices is encouraged where practicable.


203-01 Baseline Standards for Protected Information

All computer systems (workstations and servers) which store or process Protected Information shall have access restricted to authorized personnel only; fully patched operating systems and applications; current anti-virus software with current virus definitions; and, if attached to the network, placement in a secured zone protected by appropriate firewall rules.  Workstations used by authorized personnel with direct write access to Protected Information will also be configured to automatically apply patches and current anti-virus definitions, and will not be accessed via a local system administrator or domain administrator account on the local machine for day-to-day activities.

All personnel granted direct access to Protected Information should be instructed on the proper use and handling of this information and are subject to OSU Policies regarding security sensitive personnel.  Under no circumstances should Protected Information be disclosed to anyone outside OSU without authorization from the appropriate supervisory personnel.


203-02 Baseline Standards for Sensitive Information

All computer systems which store or process Sensitive Information should have restricted access granted only to authorized personnel affiliated with OSU, and shall have fully patched operating systems and applications, and current antivirus software with current virus definitions.  Any such computer system is also subject to Network Services’ network security policy.

Personnel granted access to Sensitive Information should not disclose this information to parties outside of OSU without authorization by appropriate supervisory personnel.


203-03 Baseline Standards for Unrestricted Information

All computer systems which store or process Unrestricted Information will have write access restricted to authorized personnel only, to ensure that the information presented is not edited without appropriate authorization.  Any such computer system is also subject to Network Services’ network security policy and should have fully patched operating systems and applications, and current antivirus software with current virus definitions.


203-04 Mobile Computing

All mobile computer systems or portable storage media which store Protected Information shall, in addition to the baseline requirements prescribed in 203-01, be encrypted with at least the 128-bit encryption common in operating systems and encoding devices sold in the United States.  Those that cannot meet this requirement due to the proprietary nature of how they are created, such as back-up tapes, must be stored in a physically secure area and shall only be transported in a manner commensurate with OSU ISM 601-03.

As noted in the Personal Information Privacy Policy (OSU ISM 301), certain highly sensitive data elements are strictly prohibited from portable media.