IT Security
Effective: July 1, 2004
Updated/Revised: May 1, 2007
Contact: Office of the CIO
Contents
Introduction
Definitions
Objectives
Scope
Policy Statement
Security Roles and Responsibilities
Risk Assessment
Education
Resources
Introduction
Information technology (IT) permeates all aspects of teaching, learning, research, outreach, and the business and
facilities functions of the university. Safeguarding information and information systems is essential to preserving
the ability of the university to perform its missions and meet its responsibilities to students, faculty, staff,
and the citizens whom it serves. State and federal statutes, rules, and regulations; Board of Regents policies; and
other explicit agreements mandate the security of information and information systems. Failure to protect the
university's information technology assets leads to financial, legal, and ethical ramifications.
Iowa State University acknowledges its obligation to ensure appropriate security for information and IT systems in
its domain of ownership and control. Furthermore, the university recognizes its responsibility to promote security
awareness among the members of the Iowa State University community.
The purpose of this policy is to:
- Define terms that relate to the IT Security policy
- Communicate the objectives of IT security
- Specify the scope of IT resources to which the IT Security policy applies
- Indicate the responsibilities of the entire university community for maintaining IT security and reporting security breaches
- Assure appropriate IT risk and impact assessments occur
- Establish responsibility for educating Iowa State University students, faculty, and staff about the university's IT Security policy and required practices
Approval of the IT Security policy is vested with the President who will rely on the recommendations of the Information Technology Executive Committee (ITEC).
Definitions
Familiarity with the following terms will help users of information technology to better understand their responsibilities for IT security.
Impact
The degree to which a security failure has the potential to result in harm or loss. The impact of a potential risk may be identified by the responses to the following questions:
- What are the ramifications of the loss of confidentiality, integrity, availability, or authorized use of systems?
- Will physical harm to any individual result?
- Will the strategic mission of the university be affected?
- Will personal information be compromised?
- Will large segments of the community be inconvenienced?
- Will the reputation of the university suffer?
- Who will need to resolve the security incident?
- What is the magnitude of resources required to resolve the security incident?
Low impact
Incidents that cause limited damage to operations or assets and that do not involve risk for individuals. These incidents require minor corrective actions or repairs within the designated custodial structure, and communication is frequently required only within the affected unit.
Moderate impact
Incidents that cause short-term degradation or partial loss of the university's mission capability; that affect or disadvantage only subsets of the university community; or that result in limited loss or damage to significant assets. These incidents require corrective actions or repairs that can normally be handled within the designated custodial structure, usually involve only internal communications, and normally will not require the involvement of high-level administration.
High impact
Incidents that cause an extensive loss of the university's mission capability; result in a loss of major assets; pose a significant threat to the well-being of large numbers of individuals or to human life; or damage the reputation of the university. These incidents require substantial allocation of human resources to correct; may require communication to external agencies, law enforcement, and the public; and often require the involvement of high-level administration within the university.
Risk
A source of danger; a possibility of incurring loss or damage. In general, risk is a composite of three factors: threats, vulnerabilities, and impact (see definitions of these terms in this section).
Risk assessment
In information technology security, a systematic process used to determine the potential for any given information system to be subject to loss and to assess the impact of that loss. Risk assessment involves determining potential for and impact of a negative event by evaluating the nature of the information and information systems.
Risk factors
Factors used to determine the level of risk include the effect of the loss on the university's strategic missions; the extent of loss to major information systems; the potential for injury or damage to individual(s); the inconvenience or loss of productivity for subsets of the university community; the potential for damage to the university's reputation; the level of administrative involvement required; and the level at which the security problem can be resolved.
Risk mitigation
Action taken to reduce risk to an acceptable level. An analysis evaluating costs, benefits, and impacts to the university will be critical in determining what, if any, action should be taken. Some options to reduce risk include:
- Risk assumption: Accepting the potential risk and continuing operations of the IT system.
- Risk avoidance: Risk mitigation by eliminating a risk cause and/or consequence.
- Risk limitation: Risk mitigation by implementing controls that reduce the negative impact of a threat exercising a vulnerability.
- Risk transfer: Risk mitigation by using other options to compensate for a loss due to a security incident.
Security
The state of being free from unacceptable risk. IT security focuses on reducing the risk of computing systems, communications systems, and information being misused, destroyed, or modified, or of information being disclosed inappropriately, whether by intent or by accident.
Security incident
An accidental or malicious act that exercises a vulnerability resulting in the potential of a negative impact.
Threats
Actions or events that potentially compromise the confidentiality, integrity, availability, or authorized use of information or information systems. Threats may be human or non-human, and natural, accidental, or deliberate. Examples:
- Acts of malice by individuals or groups; purposeful or malicious use of information or information systems.
- Natural or physical disasters such as fire, flood, hardware failures.
- Unintentional oversight, action, or inaction; data left open to unauthorized access; accidental deletion of data files; inadequate data backup procedures.
Vulnerabilities
Security exposures that increase the potential for a failure of security. A narrow technical definition includes only those exposures created by software or hardware design. However, a broader definition includes exposure that can be inherent to an activity or practice. Examples:
- Software or hardware that allows unauthorized access to information or information systems.
- Business practices such as collecting and storing personal information that could, if revealed, be damaging to individuals.
- Personal practices or procedures such as improperly protecting one's password or providing inadequate physical environments for IT systems.
Objectives
All faculty members, staff, students, and others using university-owned and affiliated IT systems have the responsibility to protect information and resources as indicated by the following objectives:
Confidentiality
Confidentiality provides protection of information from either intentional or accidental attempts to access personal or university information by unauthorized entities. Confidentiality covers data in storage, during processing, and in transit. State and federal laws and regulations require the university to take reasonable steps to ensure security of some classifications of data (e.g., FERPA, HIPAA, GLBA).
Integrity
Integrity requires protection against either intentional or accidental attempts by unauthorized entities to alter data or to modify information systems so that they cannot perform their intended function. Integrity is also essential to maintaining the university's reputation for managing the resources entrusted to it.
Availability
Availability ensures timely and reliable access to and use of data and information technology resources to carry on the mission of the university. These resources include assets such as intellectual property, research and instructional data and systems, and physical assets.
Authorized Use
Authorized use guards against use of Iowa State University systems and infrastructure for malicious acts against its own systems as well as attacks against other individuals and organizations.
Scope
The above IT security objectives apply to a broad range of university assets and activities. The following assets and activities are within the scope of the IT Security policy:
Computer systems
The hardware, software, and IT infrastructure assets of the university represent significant monetary investments. The value of these assets is not only in their purchase costs, but also in the personnel time spent to develop them into functioning systems.
Data storage, transmittal, and use
Information can include personal records about students, employees, alumni, or others; financial and business information; archives of historic significance; critical, classified, and irreproducible research data; and other information of critical significance to the operation and prestige of the university. Legal and policy guidelines impact the security practices that must be exercised for various types of data.
Procedures
Procedures include the processes, steps, and forms that guide the activities and interactions of faculty, staff, and students. Included are the procedures used by IT support staff and management personnel with regard to systems, data, physical assets, and communication information.
Physical assets
These assets include premises occupied by IT personnel and equipment.
Environment
The environment includes environmental controls, power, physical security devices, etc.
Communications systems
Communications systems include communication equipment, personnel, transmission paths, and adjacent areas.
Policy Statement
Security Roles and Responsibilities
Chief Information Officer (CIO)
The Office of the Chief Information Officer has overall responsibility for the security of the university's information technologies. Implementation of security policies is delegated throughout the university to various university services (noted below); to colleges, departments, and other units; and to individual users of campus IT resources.
University Services
Service units within the university are charged with the primary responsibility and authority to ensure that Iowa State University meets external and internal requirements for privacy and security of specific types of confidential and business information (e.g., student educational records, personnel records, health records, financial transaction data). These units are responsible for other general security issues and for assisting in the development of university IT security policies, standards, and best practices in the areas of their responsibility. They are also responsible for advising colleges, departments, units, and individuals on security practices relating to these areas:
- Financial information and transactions (Treasurer's Office)
- Health information (Health Information Privacy Officer)
- Infrastructure, communications, and systems security (Information Technology Services)
- Law enforcement information (ISU Police)
- Legal issues (Office of University Counsel)
- Library circulation records (University Library)
- Personnel information and confidentiality (Human Resource Services)
- Physical building security (Facilities Planning and Management)
- Research information, confidentiality, and compliance (Office for Responsible Research)
- Security audits (Office of Internal Audit)
- Student loan information (Office of Student Financial Aid)
- Student record information and confidentiality (Office of the Registrar)
Colleges, Departments, and Other Units
Colleges, departments, and other units are responsible for securing any information they create, manage, or store, and for any information they acquire or access from other university systems (e.g., student educational records, personnel records, business information). This responsibility includes completing periodic risk assessments, developing and implementing appropriate security practices, and complying with all aspects of this policy.
Third Party Vendors
Third party vendors providing hosted services, sometimes referred to as Application Service Providers, and vendors providing support, whether on campus or from a remote location, are subject to Iowa State University security policies and will be required to acknowledge this in their contractual agreements. These vendors are subject to the same auditing and risk assessment requirements as colleges, departments, and other units. All contracts, audits, and risk assessments involving third party vendors will be reviewed and approved by the university service units based on their area of responsibility.
Individual IT System Users
Every member of the university community is responsible for protecting the security of university information and information systems by adhering to the objectives and requirements stated within published university policies. In addition, individuals are required to comply with the additional security policies, procedures, and practices established by colleges, departments or other units. Failure to comply with established policies and practices may result in loss of computing privileges and/or disciplinary action.
Individuals Using Personally-Owned Computers and Other Network Devices
Students, faculty, and staff who use personally-owned systems to access university resources are responsible for the security of their personally-owned computers or other network devices and are subject to the following:
- The provisions of the IT Security policy and the standards, procedures, and guidelines established by IT Services for university computing and network facilities.
- All other laws, regulations, or policies directed at the individual user.
Other Registered Entities
Any entity that is a registered user and connected to the university network is responsible for the security of its computers and network devices and is subject to the following:
- The provisions of the IT Security policy and the standards, procedures, and guidelines established by IT Services for university computing and network facilities.
- All other laws, regulations, or policies directed at the organization and its individual users.
Reporting of Security Incidents (All Users)
Reporting security breaches or other security-related incidents is an ethical responsibility of all members of the Iowa State University community. A critical component of security is to address security breaches promptly and with the appropriate level of action. The IT Security Incident Reporting Policy outlines the responsibilities of colleges, departments, units, and individuals in reporting as well as defining procedures for handling security incidents.
Risk Assessment
The purpose of risk assessment is to help ensure that threats and vulnerabilities are identified, the greatest risks are considered, and appropriate decisions are made regarding the risks to assume and those to mitigate through security controls. Risk assessments will be conducted at various levels as found under Security Roles and Responsibilities.
The following key factors will guide the process to ensure a successful risk assessment program:
- A university department or unit will be designated as responsible for conducting each risk assessment, at the frequency prescribed in the Schedule of Risk Assessments for Information Security.
- Risk assessments will involve both the administrative department responsible for the business operation and the technical staff supporting the systems.
- Final sign-off will be given by the department head of the organization conducting the risk assessment, indicating agreement with the risk acceptance and risk reduction decisions.
- Documentation of risk assessments and resulting actions will be placed on file for audit and accountability purposes.
Education
All units, from the university level through the college, department, and unit level, must provide opportunities for individuals to learn about their roles in creating a secure IT environment. Creating a heightened awareness of the importance of information technology security is an important component in establishing an environment in which each individual feels both responsible and empowered to act in their own and the community's best interests.