Information Security Policies & Procedures Manual
Section 800: Awareness and Training
Encryption key that is 128 bits in length. This form of encryption is commonly found as the default encryption level on commercially available software.
Baselines are mandatory descriptions of how to implement security packages to ensure a consistent level of security throughout the organization. Different systems have different methods of handling security issues. Baselines are created to inform user groups about how to set up the security for each platform so that the desired level of security is achieved consistently.
Chief Information Security Officer (CISO)
The CISO is responsible for the University’s information security program and for ensuring that policies, procedures, and standards are developed, implemented and maintained.
The Family Educational Rights and Privacy Act establishes an obligation for the University to keep student records private and accessible only to those with an educational need to know, rather than information designated as directory information which is public.
General statements designed to achieve a policy’s objectives by providing a framework within which to implement controls not covered by procedures.
The Health Insurance Portability and Accountability Act establishes an obligation for the University to secure and protect all Individually Identifiable Health Information which we possess.
Information Security Incidents
Information security incidents include virus infections, spam generation reports, computers that have been “hacked”, sharing of Protected Information to unauthorized personnel, etc. Incidents may have Information Security, student confidentiality, and/or personnel action implications. Student confidentiality and personnel actions take precedence and should be addressed first and in the standard manner.
Information Systems are composed of three major components: data, applications, and infrastructure systems. All three must be addressed in order to ensure overall security of these assets.
Institutional Information is all information created, collected, maintained, recorded or managed by the university, its staff, and all agents working on its behalf.
Personally Identifiable Information
In the context of this set of policies and procedures, this term will be used as defined in Oregon’s 2007 SB583 the Consumer Identity Theft Protection Act:
“(11) 'Personal information':
(a) Means a consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
(A) Social Security number;
(B) Driver license number or state identification card number issued by the Department of Transportation;
(C) Passport number or other United States issued identification number; or
(D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account.
(b) Means any of the data elements or any combination of the data elements described in paragraph (a) of this subsection when not combined with the consumer's first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.
(c) Does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.”
An information security policy is a set of directives established by the University administration to create an information security program, establish its goals and measures, and target and assign responsibilities. Policies should be brief and solution-independent.
Step by step specifics of how standards and guidelines will be implemented in an operating environment.
Protected Information is information protected by statutes, rules, regulations, University policies, contractual language, and/or is considered to be personally identifiable. The highest levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use.
Certain Records Custodians are designated by the University President and documented in the Acceptable Use of University Information policy. These Record Custodians (or their delegates) have planning and policy-level responsibility for data within their functional areas and management responsibility for defined segments of institutional data relating to student records, financial information, and employee records. For the purposes of this Information Security Policy, any university personnel collecting data not falling under these definitions will be considered the appropriate Records Custodian for that data.
Segments of data networks which have network level security rules applied to restrict access to authorized personnel only. This is done typically with Firewall rules and Virtual Private Networks.
Sensitive Information is information that must be guarded due to proprietary, ethical, privacy considerations, or whose unauthorized access, modification or loss could seriously or adversely affect the University, its partners, or the public. High or moderate levels of restriction apply, both internally and externally, due to the potential risk or harm that may result from disclosure or inappropriate use. This classification applies even though there may not be a statute, rule, regulation, University policy, or contractual language prohibiting its release.
Standards are mandatory activities, actions, rules or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective.
University Community Members
Students, faculty, staff, volunteers, contractors, affiliates, or agents, who have access to University Information Systems and all University units and their agents including external third-party relationships. This access is granted solely to conduct University business.
Unrestricted Information, while subject to University disclosure rules, may be made available to members of the University community and to individuals and entities external to the University. In some cases, general public access to Unrestricted Information is required by law. While the requirements for protection of Unrestricted Information are considerably less than for Protected Information or Sensitive Information, sufficient protection will be applied to prevent unauthorized modification of such information.