Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Similar documents
Information Resources Security Guidelines

Information Security Program

Vulnerability Management Policy

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Security Awareness Training Policy

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Security Policy

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO TABLE OF CONTENTS

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Document Title: System Administrator Policy

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Payment Card Industry Data Security Standard

Information Security Program Management Standard

Rowan University Data Governance Policy

R345, Information Technology Resource Security 1

Security Controls What Works. Southside Virginia Community College: Security Awareness

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Encryption Security Standard

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

University Information Technology Security Program Standard

How To Manage Information Security At A University

INFORMATION SYSTEMS. Revised: August 2013

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Top Ten Technology Risks Facing Colleges and Universities

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

Client Security Risk Assessment Questionnaire

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Altius IT Policy Collection Compliance and Standards Matrix

Intel Enhanced Data Security Assessment Form

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Cal Poly Information Security Program

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Data Management Standard

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Marist College. Information Security Policy

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

New River Community College. Information Technology Policy and Procedure Manual

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

CREDIT CARD PROCESSING & SECURITY POLICY

STATE OF NEW JERSEY Security Controls Assessment Checklist

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

HIPAA Security Alert

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

Qatar University Information Security Policies Handbook November 2013

Supplier Security Assessment Questionnaire

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Valdosta Technical College. Information Security Plan

Computer Use Policy Approved by the Ohio Wesleyan University Faculty: March 24, 2014

Miami University. Payment Card Data Security Policy

University of Pittsburgh Security Assessment Questionnaire (v1.5)

HIPAA Information Security Overview

ISAAC Risk Assessment Training

2012 Risk Assessment Workshop

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Information Shield Solution Matrix for CIP Security Standards

VMware vcloud Air HIPAA Matrix

DHHS Information Technology (IT) Access Control Standard

PII Compliance Guidelines

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

ACE Advantage PRIVACY & NETWORK SECURITY

FINAL May Guideline on Security Systems for Safeguarding Customer Information

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

Data Management & Protection: Common Definitions

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

INFORMATION TECHNOLOGY SECURITY STANDARDS

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

How To Protect Decd Information From Harm

Compliance and Industry Regulations

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

Institutional Data Governance Policy

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Transcription:

Information Security Policy and Handbook Overview ITSS Information Security June 2015

Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information Security Handbook UNT System Information Security Regulation ISO 27001 and 27002 TAC 202 NIST 800-53 2

Information Security Program Documents UNT System Information Security Policy Requires the adoption and implementation of a security program Requires any security program to be consistent with the UNT System Information Security Handbook UNT System Information Security Handbook Establishes the security program framework Is based on 1TAC 202 and 203, and ISO 27001 and 27002 Applies to all users of information and information resources of UNT System and Institutions 3

https://itss.untsystem.edu/security/guidelines-laws-and-regulations 4

https://itss.untsystem.edu/it-policies Date 5

Policy: Procedures and Responsibilities Handbook 1. Security Program and Controls Section 3 Structure of the Handbook Section 5 Information Security Policy Section 15 Compliance with Legal Requirements 2. Information Security Roles Section 6 Information Security Structure 3. Secure Access and Management of Info Resources Section 4 Risk Management and Assessment Section 7 Asset Management Section 8 Human Resources Security Section 9 Physical Security Section 10 Communications and Operations Management Section 11 Access Control Section 12 Information Systems Acquisition and Development, Testing and Maintenance 4. Security Incident Management Section 13 Information Security Incident Management 5. Business Continuity Planning Section 14 Business Continuity Management 6. Security Exceptions Section 16 Security Exceptions 7. Sanctions Section 17 Sanctions for Violations 6

Information Security Handbook Establishes the information security program framework Confidentiality Integrity Availability Principle of Least Privilege Risk Management 7

1. Security Program and Controls Handbook sections 3,5,15 Texas Business & Commerce code FERPA TAC 202 NIST 800-53 Information Security Program Texas ID Theft Enforcement and Protection Act Digital Millennium Copyright Act Texas Medical Records Privacy Act HIPAA GLBA PCI-DSS ISO 27001/27002 8

2. Roles and Responsibilities Handbook 6 Executive Management Chancellor oversees protection of information resources, and reviews and approves the designation of information owners and their responsibilities UNTS Associate Vice Chancellor for Information Technology has oversight of the security program Information Security Officer The ISO for System Administration is responsible for administration and management of the information security program. 9

2. Roles and Responsibilities Handbook 6 Functional Roles Information Owners - are individuals with operational authority for specified information and who are responsible for authorizing the controls for the generation, collection, processing, access, dissemination, and disposal of that information. Examples of Information Owners are Registrars, Provosts, Deans, Budget Officers, Chief Financial Officer Functional Roles Custodians are responsible for implementing the information owner-defined controls and access to an information resource. Examples of custodians are ITSS, ACEs, IT Managers and support staff, Business Unit employees, end users Functional Roles Users - are individuals or an automated application authorized to access an information resource External Parties Includes guests, contractors, consultants, vendors Must adhere to policy Security review required for third-party services All access and information resources must be managed 10

2. Roles and Responsibilities Handbook 6 Categories of Information Category I Confidential information: e.g. social security numbers, credit card information, student education records. Category II Should be controlled before release: e.g. some student directory Information Category III Public information available for release. 11

3. Secure Access and Management of Information Least Privilege Risk Assessments Compliance User Responsibility Controls Security Awareness Training Information Classification 12

3. Secure Access and Management of Information Handbook 4 Risk Management Risks must be managed (eliminated, mitigated, or accepted). The expense of safeguards must be commensurate with the value of information and information resources. Institutional management is responsible for risk management decisions 13

3. Secure Access and Management of Information Handbook 7,8,9 Asset Management a documented asset inventory must be maintained. An asset is anything of value to an organization including hardware, software and information Human Resources Security - Annual Security Awareness training is required for all faculty and staff Physical Security - Areas housing critical information must be secured physically 14

3. Secure Access and Management of Information Handbook 10 Communications and Operations Management Operational Procedures and Responsibilities System Planning and Acceptance Protection against Malware, malicious or unwanted programs Back-ups Principle of Least Privilege Separation of Functions Password Management Manage and monitor networks Protect from malicious or unauthorized code 3rd party agreements require: security review before signing annual compliance review Anti-virus must be used, kept current and not to be disabled by users Periodic scans are required Required to regularly back up and test mission critical information 15

3. Secure Access and Management of Information Handbook 10 Communications and Operations Management Network Security Management Media Handling Exchange of Information Electronic Commerce Monitoring Principle of Least Privilege Restricted access Access must be logged and networks monitored Security controls based on criticality and value of the network resources Removable media requires encryption and must be securely disposed of Information exchanged internally and externally must be protected Must adhere to PCI DSS Must proved a sufficiently complete history of transactions Specifies logon banner requirements 16

3. Secure Access and Management of Information Handbook 11 Access Control User Access Management User Responsibility Network Access Control Operating System Access Applications and Information Access Mobile computing and telework Access should be granted and used on the principle of least privilege. 17

3. Secure Access and Management of Information Handbook 12 Information Systems Acquisition, Development, Testing and Maintenance Security must be applied to all phases of the systems development lifecycle Must implement policies and procedures to manage operating system and software updates and patches that follow best practices Cryptographic Controls Minimum requirements: confidential information transmitted over a public network, publicly accessible, or stored on a portable or personal device must be encrypted Vulnerability assessments may only be performed by documented, authorized individuals 18

4. Security Incident Management Handbook 13 The ISO is responsible for managing security incidents Security incidents shall be reported to the ISO and investigated promptly All users shall cooperate during investigations All users shall maintain confidentiality of incidents 19

5. Business Continuity Planning Handbook 14 Business continuity and disaster recovery plans must be developed for all systems and functions Plans must be updated as changes occur and must be reviewed at least annually A test of the disaster recovery plan must occur at least annually 20

6. Security Exceptions Handbook 16 Exceptions to security policy and to TAC 202 mandates must be approved by the Information Security Officer or Information Security Director ISO coordinates exceptions with the CIO and Information Owners 21

7. Sanctions Handbook 17 Penalties for violations of the Information Security Policy include, but are not limited to disciplinary action, loss of access and usage, termination, prosecution and/or civil action 22

In Summary Protect Confidentiality, Integrity and Availability of information and information resources by: Applying the principle of least privilege Using secure password practices Using anti-virus and keeping it current Backing up and testing data regularly Documenting and following procedures Maintaining and monitoring systems Applying security to any device accessing our resources Date 23

Information Security University of North Texas System (940) 565-7800 Paula.Mears@untsystem.edu 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information