1 Information Assurance Policy for Information Systems
2 1. Purpose Goals Applicability Compliance Roles & Responsibilities All Departments FCT Information Systems Security Officer (ISSO) Computing and Network Services (CNS) FCT Center for Information Assurance & Cybersecurity Training (IACT) System Owners and Operators Data Custodians Users Policy General Statement of Policy Monitoring User Accounts, Files and Access Electronic Data and Records Management Access Controls Systems and Network Security Physical Security Personnel Security Measures Policy Enforcement Policy Maintenance...14
3 1. Purpose Fountainhead College of Technology (FCT) is a proprietary institution with custodial responsibilities for a significant and diverse amount of sensitive information. This role places significant responsibilities on FCT regarding the management and use of its information systems resources. This document establishes FCT s information assurance policy for information systems. The information assurance policy for information systems is intended to protect the integrity of campus networks and to mitigate the risks and losses associated with security threats to campus networks and information systems resources. Attacks and security incidents constitute a risk to FCT s academic mission. The loss or corruption of data or unauthorized disclosure of information on research and instructional computers, student records, and financial systems could greatly hinder the legitimate activities of the college staff, faculty and students. The college also has a legal responsibility to secure its computers and networks from misuse. Failure to exercise due diligence may lead to financial liability for damage done by persons accessing the network from or through the college. Moreover, an unprotected college network open to abuse might be shunned by parts of the larger network community. This policy will allow FCT to handle information systems security responsibly. The purpose of this policy is to help ensure the security, and availability of information technology systems and networks and the confidentiality, integrity, proper authorization and non-repudiation of electronic information captured, maintained, and used by FCT. This policy provides direction for compliance with federal and state regulations, specifies appropriate practices, and defines custodial responsibilities for confidential records associated with FCT operations. This policy should be used as the foundation document for all standards, procedures, and guidelines that are developed and implemented by FCT related to information systems and data security. This policy is subject to revision and will be valuated as FCT gains experience with this policy. 2. Goals The goals of this information assurance policy for information systems are to: Establish institution-wide policies to protect the college s networks and information systems from abuse and inappropriate us. Establish mechanisms that will aid in the identification and prevention of abuse of college networks and information systems. Provide an effective mechanism for responding to external complaints and queries about real or perceived abuses of college networks and information systems. Establish mechanisms that will protect the reputation of the college and will allow the college to satisfy its legal and ethical responsibilities with regard to network and information system connectivity to the worldwide Internet. Establish mechanisms that will support the goals of other existing policies, e.g., Acceptable Use Policy and Student Rules of Conduct. Note: Any violation of the information assurance policy for information systems will also be deemed a violation of the above listed policies, as appropriate.
4 3. Applicability This policy is applicable to all users (employees, faculty, students, contractors, and others) and support personnel (system administrators, network engineers, systems engineers, and others) of FCT computing systems, networks, digital information, and any other electronic processing or communications related resources or services provided throughout FCT. 4. Compliance Successful compliance and protection of information systems assets requires that all owners, operators, and users of FCT computing and network services and systems learn, understand, and abide by this policy. In addition, it is the responsibility of owners and operators of computer systems and applications associated with FCT to evaluate their specific compliance requirements on a regular basis as directed by FCT security policy. 5. Roles & Responsibilities Responsibility for protecting FCT information systems and data is shared by many entities and individuals throughout the institution including the Information Systems Security Officer (ISSO), the Center for Information Assurance & Cybersecurity Training, Computing & Network Services (CNS), and all FCT system owners, operators, data custodians, and users. The following section describes the specific roles and responsibilities of each of these groups All Departments In support of this policy, all departments that administer LANs connected to the backbone will: Provide CNS with the names, addresses, and telephone numbers for a primary technical contact and (if applicable) an alternate contact. Endeavor to assign to an individual the authority to connect systems to the departmental network(s). Endeavor to keep this information up to date FCT Information Systems Security Officer (ISSO) The Information Systems Security Officer (ISSO) serves as a bridge to both those responsible for technical aspects (CNS, data custodians, system operators and users) and the business and administrative issues (upper-managment and IACT) of securing information. The information assurance objectives of FCT are critical to the success of the college s mission. FCT has appointed an ISSO as an integral component of its commitment to protect privacy and integrity, and comply with all requirements for information systems protection. The role of the ISSO is to provide strategic oversight, coordination, and implementation of the college's information assurance and compliance efforts. The ISSO is appointed by FCT s president. Person responsible: Tim Thomas The success of the ISSO s efforts depends on strong support from all system owners, operators, data custodians, and users throughout the FCT. The responsibilities of the ISSO are as follows: Coordinate all network security efforts and act as the primary administrative contact for all related activities.
5 Coordinate investigations into any alleged computer or network security compromises, incidents, or problems; to ensure that this coordination is effective, security compromises should be reported to the ISSO or Cooperate in the identification and prosecution of activities contrary to college policies and the law; actions will be taken in accordance with relevant college Policies, Codes and Procedures with, as appropriate, the involvement of campus security officers or other law enforcement agencies. Consult with system administrators in the development of procedures for handling and tracking a suspected intrusion, and the deployment of those procedures in the resolution of security incidents. Manage and oversee the FCT Computing and Network Services (CNS). The development, implementation, and maintenance of an institution-wide strategic information systems security plan. The development, implementation, and enforcement of institution-wide information systems security policy and related recommended guidelines, operating procedures, and technical standards. Manage the process of handling requested policy exceptions. Advise upper-management on related risk issues and recommend appropriate actions in support of the FCT's larger risk management programs. Ensure related compliance requirements are addressed, e.g., privacy, security, and administrative regulations associated with federal and state rules. Ensure appropriate risk mitigation and control processes for security incidents as required Computing and Network Services (CNS) Computing & Network Services (CNS) provides an active, key role in computer security planning, analysis, prevention, incident response, and technical education for the college community. Persons responsible: Taylor Barnes, Network Administrator CNS s security responsibilities include the following: Monitor, in real time, backbone network traffic, as necessary and appropriate, for the detection of unauthorized activity and intrusion attempts. Carry out such monitoring in compliance with the college s statement on Personal Privacy (See Acceptable Use Policy: General Use and Ownership). Seek the cooperation of the appropriate contacts for the systems and networks involved when a security problem (or potential security problem) is identified to resolve such problems, but in the absence or unavailability of such individuals, be prepared to act unilaterally to contain the problem, up to and including temporary isolation of systems or devices from the network, and to notify the responsible system administrator when this is done. Publish security alerts, vulnerability notices and patches, and other pertinent information in an effort to prevent security breaches.
6 Carry out and review the results of automated network-based security scans of the systems and devices on college networks to detect known vulnerabilities or compromised hosts. Inform the departmental system administrators of planned scan activity, providing detailed information about the scans, including time of scan, originating machine, and vulnerabilities for which the information system(s) are being tested. The security, operation, or functionality of the scanned machines should not be endangered by the scan. Report the results of the scans that identify security vulnerabilities only to the departmental system administrator contact responsible for those systems. Report recurring vulnerabilities over multiple scans to departmental management. If identified security vulnerabilities, deemed to be a significant risk to others and which have been reported to the relevant system administrators, are not addressed in a timely manner, take steps to disable network access to those systems or devices until the problems have been rectified. Prepare summary reports of its network security activities for the ISSO on a quarterly basis. Prepare recommendations and guidelines for network and system administrators. Provide assistance and advice to system administrators to the extent possible with available resources. Issue semiannual requests to verify the accuracy of departmental contact information. Support for FCT security policy development, implementation, and enforcement. Support for FCT strategic security planning and plan implementation. Support for the development of security strategy in FCT information systems architecture. Support for security and privacy awareness and education programs. Incident response services as needed. Computer forensic services as required. Security consulting services as needed. Support for the development and implementation of all appropriate standards and guidelines as necessary. CNS coordinates its administrative activities and incident response procedures as necessary with the ISSO. In addition, it works closely with Center for Information Assurance & Cybersecurity Training (IACT) Team to ensure institution-wide service continuity and to leverage all mutually beneficial activities and resources FCT Center for Information Assurance & Cybersecurity Training (IACT) The FCT Center for Information Assurance & Cybersecurity Training (IACT) plays a key role of centralized direction, and support for all information systems security-related services for FCT. The group's responsibilities include the following: Persons responsible: John Mailen, Patrick Allen; IACT Program Coordinator
7 Support and guidance for FCT security policy development, implementation, and enforcement. Support for FCT strategic security planning and plan implementation. Development, implementation and support for security awareness and education programs. Incident response services as needed. Computer forensic services as required. Security consulting services as needed. Support for the development and implementation of all appropriate standards and guidelines as necessary within the FCT community. The IACT works closely with the ISSO to ensure institution-wide service continuity and to leverage all mutually beneficial activities and resources System Owners and Operators System owners and operators play a critical role in protecting FCT information systems and data. Their ranks might include members of the FCT professional staff, department heads, faculty members, contracted employees, or students. System owners' and operators' areas of responsibilities for systems and information security include the following: Comply with FCT policies and statutory and regulatory requirements. Comply with FCT guidelines related to logical and physical security. Comply with "Acceptable Use Policy. Maintain confidentiality of sensitive data, especially personally identifiable information and valuable intellectual property. Grant access to all users based on the principle of least privilege where required. Grant access to all users based on the principle of separation of duties where required. Submit documented reports to the appropriate authority involving incidents of security breaches with the potential to compromise personally identifiable information. Submit documented requests to the ISSO of any desired exceptions to FCT policy. Perform incident response activities when incidents involve their system(s). Specify security resources as required in college budget processes and in grant proposals. All system owners and operators are encouraged to work closely with the ISSO, data custodians, and CNS to help ensure the successful protection of FCT computing resources and data Data Custodian
8 5.6. Data Custodian Data custodians are individuals who have been officially designated as accountable for specific data that is transmitted, used, and stored on a system or systems within a department or administrative unit of FCT. The role of the data custodians is to provide direct authority and control over the management and use of specific information. These individuals might be department heads, managers, supervisors, or designated staff. They might serve dual roles as a system owner or operator and a data custodian. Data custodians must follow all appropriate and related security guidelines to ensure the protection of sensitive data and intellectual property residing on systems for which they have accountability. Data custodians' responsibilities include the following: Ensure compliance with all FCT policies and all statutory and regulatory requirements. Provide system owners and operators with requirements for access control measures to protect sensitive data. Ensure appropriate disposal of all media on which data is stored at the end of its use. Ensure appropriate security measures for transmission of data. Support access control of data by acting as a control point for all access requests. Support regular review and control procedures that ensure that all access privileges are current and appropriate. Submit documented reports to the appropriate authority if there is a possibility of compromise of personally identifiable information. Ensure that all access is granted based on the principle of least privilege where required. Ensure that all access is granted based on the principle of separation of duties where required. Data custodians, in conjunction with the system owners and operators and the FCT ISSO, are responsible for documenting any requested exceptions to FCT privacy protection policies. Documented exceptions must be approved in writing by the authorized college officials responsible for the electronic information to which the exception applies. Exceptions will be considered only when warranted and only to the degree necessary to achieve the mission and business needs of the college. Any and all exceptions made must be documented with the ISSO and upper-management Users All users have a critical role in the effort to protect and maintain FCT information systems and data. Users of FCT computing resources and data have the following responsibilities: Support compliance with all federal and state statutes and regulations. Comply with all FCT policies and guidelines. Protect against unauthorized access to accounts, privileges, and associated passwords. Maintain confidentiality of sensitive information to which they are given access privileges.
10 The user's activity prevents access to computing and network resources by others. General usage patterns indicate that unacceptable activity is occurring. There is reasonable cause to believe that a user has violated or is violating policy or law. It appears necessary to do so to protect FCT from liability. It is required by and consistent with law. Evidence of misuse of computing resources will be referred to appropriate FCT officials. Evidence of possible criminal activity, which could include user files, , and/or activity logs, will be turned over to appropriate FCT and law enforcement officials Electronic Data and Records Management Much of the vast amount of electronic data generated throughout the college comprises official FCT records and requires specific management and handling practices and procedures as defined by FCT and state law. All FCT system owners, operators, data custodians, and users are obligated to understand the nature of the data they generate, use, or store and to ensure that they are managing that data in full compliance with all state laws and FCT records management policies. All FCT system owners, operators, data custodians, and users are required to properly manage and protect electronic data they may be using, transmitting, and storing. FERPA is the primary source for direction and information regarding personally identifiable information Access Controls FCT has many different computing environments hosted on the institution networks, and within FCT departments and business units. These environments require different security measures. Consequently, access control measures required for establishing users' access to any FCT computing resources should be commensurate with the functional nature and degree of criticality of the computer systems, network resources, and data involved. All system owners, operators, and data custodians are responsible for ensuring that their systems are properly protected with appropriate access control measures based on the criticality of their systems and the data involved. In addition, all computing systems hosted on FCT networks must support and comply with the following fundamental access control measures, functions, and operating principles: Systems are required to have an access control mechanism that allows for an appropriate level of authorization and allocation of system and data resources to individual users. Access mechanisms can be physical, transactionbased, role-based, time-based, user-based, or use any other reasonable control method appropriate for the systems' functions. Shared systems are required to have the capability to log basic information about user access activity and to create historical logs and access violation reports. System access accounts for users must be based on a unique identifier, and no shared account is allowed except as authorized by the system owner or operator and where appropriate accountability can be maintained. Users' system access must be based on the principle of least privilege and the principle of separation of duties.
11 Computer applications must be developed and integrated in a way that maintains individual user accountability and audit capability. Documented procedures should be in place for issuing, altering, and revoking access privileges on shared systems Systems and Network Security In light of the complex and diverse nature of the different computing environments hosted on FCT networks and the wide range of statutory and regulatory compliance requirements, all systems and network security measures must be based upon the functional nature and degree of criticality of the computer systems, network resources, and data involved. All system owners and operators are responsible for ensuring that they have implemented all necessary security measures. Failure to do so risks creating security breeches or other incidents and could lead to temporary restrictions or even suspension of access to FCT network resources. 1) Systems Security Minimum Measures and Practices To protect the availability and integrity of FCT computing resources, all computing systems and servers hosted on FCT networks should comply with the following systems security measures and practices: Operating systems and applications must be maintained with the timely application of all related vender-issued patches necessary to prevent the systems from being compromised and/or causing disruptions of network services and/or other systems. FCT-owned Networks must install antivirus software and maintain procedures for regular signature updates as per the FCT Anti-virus Policy. Shared systems are required to have a technical access control mechanism that allows authorization and allocation of system and data resources to individual users. Procedures must be maintained for regular backup of all data and system files necessary for discovery and recovery purposes. All backup media should be stored properly in a location authorized by the data owner with protections that allow access to the data by authorized personnel only. The ability to recover data from backups should be tested regularly. Critical servers must be housed in protected areas such as server sanctuaries (locations where suitable physical and logical security measures can be implemented). 2) Network Security Minimum Measures and Practices To protect the security, availability, and integrity of FCT network resources, all computing systems and servers hosted on FCT networks should comply with the following security measures and practices: Support proactive vulnerability probing and reporting by FCT authorized technicians to help manage system security needs. Use secure protocols (e.g., SSL/SSH/Kerberos) for accessing all services that require authentication.
12 Report all security breaches to the appropriate security entity (CNS, and/or the FCT ISSO). Display security-warning banners prior to allowing the access log-on process to be initiated on systems running applications that are accessible on the FCT-owned network. These security banners must inform all users that the system or application being accessed is proprietary, that it should be accessed only by authorized users, and that system use is monitored for enforcement purposes Physical Security Physical security measures are an important part of any effort to protect information system assets and services. As with logical security measures at FCT, the physical security measures required for protecting FCT computing resources must be commensurate with the nature and degree of criticality of the computer systems, network resources, and data involved. FCT has a wide spectrum of information systems deployments. They include: Data center facilities. Modest-sized server rooms. Computer labs. Telecommunications closets and vaults of all shapes and sizes. Media storage areas. Desktop computer workstations and printers. Wireless and mobile systems. These technology deployments require different physical security measures. These measures are especially important when sensitive information is involved. All system owners and operators are responsible for ensuring that they have implemented the appropriate physical security measures for their particular computing environment. All users are required to respect the physical security measures in place Personnel Security Measures This section outlines security measures and procedures that should be established and maintained when working with FCT personnel throughout the employment process and when dealing with vendors, contractors, and temporary employees. 1) Measures for Hiring Employees Comprehensive pre-employment screening is recommended for all potential candidates for key technical positions when those positions include an actual or potential wide span of systems control, and/or access to sensitive information, especially personally identifiable information or FCT financial information. This screening could include checking and confirming references, background checks for criminal convictions (both federal and local, as necessary), and reviewing educational records and credit reports. All hiring officials should consider using such screening practices when hiring for key technical positions, regardless of employee type (contract, classified, professional, academic, or temporary).
13 All pre-employment inquiries must be conducted in full compliance with state and federal laws. All FCT departments and business units should have procedures in place to provide new employees with information about user responsibilities and guidelines associated with their assigned computer and network privileges and resources, including access to this document and related departmental policies, procedures, and guidelines. Appropriate supervision of new employee access to systems and data should be standard practice. New employees should be made aware that secure computing practices will be part of their performance reviews. All physical and logical access to computing and network facilities and resources should be assigned in accordance with the principle of least privilege and principle of separation of duties. 2) Measures for Separating Employees All FCT departments and business units should establish and maintain processes and procedures to properly and quickly close and remove all computing system and network privileges and resources when an employee is separated, even if the employee is going to another job within FCT. These processes and procedures should include the following: The separated employee's immediate manager is responsible for notifying all system owners and operators, or the designated system administrator handling the computer or communications accounts, to close all related accounts and remove all access capabilities related to the separated employee. Separated employees may not retain, give away, or remove from FCT premises any FCT information (electronic or hard copy) other than personal copies of information disseminated to the public and personal copies of correspondence directly related to the terms and conditions of their employment. All other FCT information in the custody of the departing employee must be turned over to the employee's immediate supervisor at the time of departure. At the time of separation, all FCT property must be returned. This includes portable computers, printers, modems, software, cellular telephones, digital pagers, PDAs, documentation, building keys, lock combinations, physical keys, encryption keys, and access cards. 3) Measures for Employees on Leave or Suspension All FCT departments and business units should establish and maintain processes and procedures to properly and quickly close and remove all computing system and network privileges and resources when an employee is suspended or is taking an extended leave of absence (including long-term illness or disability). It is important to use the same security measures for suspended employees as are used for separating employees. In addition, extended leaves of absence may require these measures, at the supervisor's discretion, taking into consideration such factors as level of access, nature and scope of computer applications and permissions, and duration of absence. 4) Measures for Vendors Vendors with access to computers and networks should meet many of the same standards placed on employees. They should understand the security policies and practices. Their access should be limited to just what is necessary for them to meet their contract requirements. When appropriate, vendors should be escorted into physically restricted areas. When their job is complete, they should return all access devices, and their log-on privileges should be terminated.
14 6.8. Policy Enforcement Individuals who violate this policy may be denied access to FCT resources and may be subject to other penalties and disciplinary action within and outside FCT. Departmental managers are expected to work with appropriate FCT resources in investigating and addressing suspected violation of this policy. FCT may temporarily suspend, block, or restrict access to computing resources and accounts at any time when it reasonably appears necessary to do so in order to protect the integrity, security, or availability of FCT computing and network resources or to protect FCT from liability. FCT will refer suspected violations of applicable law to appropriate law enforcement agencies. In general: If violations of this policy are minor and unintentional, FCT will take appropriate actions to resolve the issue, and violators may be subject to disciplinary measures. If violations of this policy are a result of negligent or deliberate acts, FCT will take appropriate actions to resolve the issue including disciplinary measures up to and including termination of employment or expulsion. In addition to any other measures taken, if violations of this policy are a result of suspected illegal activities, FCT will notify appropriate college authorities and law enforcement agencies. FCT reserves the right to pursue appropriate legal actions to recover any financial losses suffered as the result of violations of this policy Policy Maintenance This policy and the related guidelines will be reviewed yearly. A major security compliance audit must take place every three years.
Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus
Information Technology Acceptable Use Policy Overview The information technology resources of Providence College are owned and maintained by Providence College. Use of this technology is a privilege, not
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies
PURPOSE The University of Rochester recognizes the vital role information technology plays in the University s missions and related administrative activities as well as the importance in an academic environment
Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta
1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
Texas Wesleyan Firewall Policy Purpose... 1 Scope... 1 Specific Requirements... 1 PURPOSE Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls
Responsible Use of Technology and Information Resources Introduction: The policies and guidelines outlined in this document apply to the entire Wagner College community: students, faculty, staff, alumni
Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified
HIPAA COMPLIANCE PLAN For CHARLES RETINA INSTITUTE (Practice Name) Date of Adoption 1/02/2003 Review/Update 10/25/2012 Review/Update 4/01/2014 I. COMPLIANCE PLAN A. Introduction This HIPAA Compliance Plan
Page 1 of 9 Pages Standard Operating Procedure Information Security Compliance Requirements under the cabig Program This cover sheet controls the layout and components of the entire document. Issued Date:
Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 4 Policy Title: Information Security Incident Response January 26, 2016 IDENT INFOSEC4 Type of Document:
Information Technology Management Procedure June 1, 2015 Information Technology Management, page 1 of 7 Contents Responsibility for Local Information Technology Policies 3 Responsibility to Maintain Functionality
6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction
Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:
933 COMPUTER NETWORK/SERVER SECURITY POLICY 933.1 Overview. Indiana State University provides network services to a large number and variety of users faculty, staff, students, and external constituencies.
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
AP 417 Information and Communication Services Background Access and use of information and communication services (ICS) are an integral component of the learning and working environment. The ability for
Odessa College Use of Computer Resources Policy Policy Date: November 2010 1.0 Overview Odessa College acquires, develops, and utilizes computer resources as an important part of its physical and educational
United States Department of Agriculture Marketing and Regulatory Programs Animal and Plant Health Inspection Service Directive APHIS 3140.3 5/26/2000 APHIS INTERNET USE AND SECURITY POLICY 1. PURPOSE This
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...
PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.
Network Security 6-005 INFORMATION TECHNOLOGIES July 2013 INTRODUCTION 1.01 OSU Institute of Technology (OSUIT) s network exists to facilitate the education, research, administration, communication, and
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of
Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data
Ohio Supercomputer Center Intrusion Prevention and Detection No: Effective: OSC-12 5/21/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
Subject: Authoritative Policy: Procedure Number: Distribution: Purpose: Acceptable Use of Information Technology (former Ad Guide 1460.00) Standard Number 1340.00 Information Technology Information Security
You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version
Forrestville Valley School District #221 Student Acknowledgment of Receipt of Administrative Procedures for Acceptable Use of the Electronic Network 2015-2016 All use of electronic networks shall be consistent
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
Bates Technical College Information Technology Acceptable Use Policy Consistent with policy adopted by the Board of Trustees, Bates Technical College, hereinafter referred to as the College, has a commitment
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Software Policy Number: 04.71.12 Issuing Authority: Office of the Vice President for Computer & Financial Services and CIO Responsible Officer: Vice
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
RESPONSIBLE COMPUTER USE POLICY (ADOPTED AUGUST 3, 2006) on-line at www.ccc.edu I. INTRODUCTION All users shall abide by the following provisions contained herein, or otherwise may be subject to disciplinary
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
COMPUTER USE POLICY 1.0 Purpose and Summary 1. This document provides guidelines for appropriate use of the wide variety of computing and network resources at Methodist University. It is not an all-inclusive
New River Community College Information Technology Policy and Procedure Manual 1 Table of Contents Asset Management Policy... 3 Authentication Policy... 4 Breach Notification Policy... 6 Change Management
PAGE 1 of 6 UNIVERSITY GUIDEBOOK Title of Policy: Acceptable Use of University Technology Resources Responsible Division/Office: Information Technology Approving Officer: Vice President for Finance and
Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,
Document Title: System REVISION HISTORY Effective Date:15-Nov-2015 Page 1 of 5 Revision No. Revision Date Author Description of Changes 01 15-Oct-2015 Terry Butcher Populate into Standard Template Updated
I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)
North American Partners in Anesthesia Corporate Compliance Plan VERSION EFFECTIVE: JANUARY 2015 CONTENTS Introduction and Mission 1. Corporate Commitment to Compliance: Code of Conduct 2. Written Compliance
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
Table of Contents 1 Acceptable use 1 Violations 1 Administration 1 Director and Supervisor Responsibilities 1 MIS Director Responsibilities 1 The Internet and e-mail 2 Acceptable use 2 Unacceptable use
Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...
CLIENT VPN New York State Office Of Children & Family Services New York State Office of Children & Family Services (OCFS) Client Virtual Private Network (VPN) Access to the Human Services Enterprise Network
region16.net Acceptable Use Policy ( AUP ) Introduction By using service(s) provided by region16.net (including, but not necessarily limited to, Internet Services and videoconferencing), you agree to comply
To view the complete Information and Security Policies and Procedures, log into the Intranet through the IRSC.edu website. Click on the Institutional Technology (IT) Department link, then the Information
Niagara County Community College NCCCnet Computer Usage Policy Document: NCCCnet Computer Usage Policy Owner: Chief Information Officer Version: 2.0 NCCCnet Policy Page 1 of 7 NCCCnet Use Policy Introduction:
Boston Public Schools Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and Scope of Policy Technology Resources ACCEPTABLE USE POLICY AND GUIDELINES Boston
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY Humboldt State University Audit Report 14-50 October 30, 2014 EXECUTIVE SUMMARY OBJECTIVE The objectives of
State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY Effective December 15, 2008 State of Illinois Department of Central Management Services Bureau
Office of Information Technology Roger Williams University Appropriate Use Policy Purpose: This is intended to regulate the use of Roger Williams University s electronic communications systems. Users of
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
IM&T Infrastructure Security Policy Board library reference Document author Assured by Review cycle P070 Information Security and Technical Assurance Manager Finance and Planning Committee 3 Years This
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine