Information Security Policy
- 1. Introduction
- 2. Purpose
- 3. Scope
- 4. Implementation
- 5. Roles and Responsibilities
- 6. Information and System Classification
- 7. Provisions for Information Security Standards
- 8. Enforcement
- 9. Privacy
- 10. Exceptions
- 11. Disclaimer
- 12. References
- 13. Related Policies
- 14. Responsible Departments and Persons
- 15. Policy Authority
- 16. Revision History
1. Introduction
The purpose of this policy is to assist the organization in its efforts to fulfill its fiduciary responsibilities relating to the protection of information assets and comply with regulatory and contractual requirements involving information security and privacy. This policy framework consists of eighteen (18) separate policy statements, with supporting Standards documents, based on guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-53 r4.
Although no set of policies can address every possible scenario, this framework, taken as a whole, provides a comprehensive governance structure that addresses key controls in all known areas needed to provide for the confidentiality, integrity and availability of the organization’s information assets. This framework also provides administrators guidance necessary for making prioritized decisions, as well as justification for implementing organizational change.
2. Purpose
The purpose of this Information Security Policy is to clearly establish Vassar College’s role in protecting its information assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives enables Vassar College to implement a comprehensive system-wide Information Security Program.
3. Scope
This policy applies to:
- All information assets and IT resources operated by the organization;
- All information assets and IT resources provided by the organization through contracts, subject to the provisions and restrictions of the contracts; and
- All authenticated users of Vassar College’s information assets and IT resources.
4. Implementation
Vassar College needs to protect the availability, integrity and confidentiality of data while providing information resources to fulfill the organization’s mission. The Information Security Program must be risk-based, and implementation decisions must be made by addressing the highest risk first.
Vassar College’s administration recognizes that fully implementing all controls within the NIST Standards is not possible due to organizational limitations and resource constraints. Administration must implement the NIST standards whenever possible, and document exceptions in situations where doing so is not practicable.
5. Roles and Responsibilities
Vassar College has assigned the following roles and responsibilities:
Chief Information Officer: The Chief Information Officer is accountable for the implementation of the Information Security Program including:
- Security policies, standards, and procedures
- Security compliance including managerial, administrative and technical controls
The Chief Information Officer is to be informed of information security implementations and ongoing development of the Information Security Program design.
Information Security Officer: The Information Security Officer is responsible for advising the Chief Information Officer on all matters related to Information Security, in addition to the day-to-day operation and maintenance of the Information Security Program. The Information Security Officer serves as the primary contact and coordinator with GreyCastle Security.
Information Stewardship Council: The group is responsible for the design, implementation, operations and compliance functions of the Information Security Program for all Vassar College constituent units. The committee is composed of senior staff and functions as the Information Security Program Office.
Information Security Consulting: GreyCastle Security serves as the Information Security Consulting service for Vassar College. GreyCastle is responsible for advising on the development, implementation and maintenance of a comprehensive Information Security Program for Vassar College. This includes security policies, standards and procedures that reflect best practices in information security.
6. Information and System Classification
7. Provisions for Information Security Standards
The Vassar College Security Program is framed on the National Institute of Standards and Technology (NIST) framework, with controls implemented according to SANS Critical Security Controls priorities. Vassar College must develop appropriate control standards and procedures required to support the organization’s Information Security Policy. This policy is further defined by control standards, procedures, control metrics and control tests to assure functional verification.
The Vassar College Security Program is based on NIST Special Publication 800-53. This publication is structured into 18 control groupings, herein referred to as Information Security Standards. These Standards must meet all statutory and contractual requirements.
7.1 Access Control (AC)
Vassar College must limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
7.2 Awareness and Training (AT)
Vassar College must: (i) ensure that managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organization information systems; and (ii) ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
7.3 Audit and Accountability (AU)
Vassar College must: (i) create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protective enclave systems, specific to confidential data and confidential networks, at a minimum; and (ii) ensure that the actions of individual information system users can be uniquely traced for all restricted systems.
7.4 Assessment and Authorization (CA)
Vassar College must: (i) periodically assess the security controls in organization information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organization information systems; (iii) authorize the operation of the organization’s information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
7.5 Configuration Management (CM)
Vassar College must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
7.6 Contingency Planning (CP)
Vassar College must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for the organization’s information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
7.7 Identification and Authentication (IA)
Vassar College must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to Vassar College information systems.
7.8 Incident Response (IR)
Vassar College must: (i) establish an operational incident handling capability for organization information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organization officials and/or authorities.
7.9 Maintenance (MA)
Vassar College must: (i) perform periodic and timely maintenance on organization information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
7.10 Media Protection (MP)
Vassar College must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; (iii) encrypt information on information system media, where applicable; and (iv) sanitize or destroy information system media before disposal or release for reuse.
7.11 Physical and Environmental Protection (PE)
Vassar College must: (i) limit physical access to information systems, equipment and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
7.12 Planning (PL)
Vassar College must develop, document, periodically update and implement security plans for organization information systems that describe the security controls in place or planned for the information systems as well as rules of behavior for individuals accessing the information systems.
7.13 Personnel Security (PS)
Vassar College must: (i) ensure that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria for those positions; (ii) ensure that organization information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with Vassar College security policies and procedures.
7.14 Risk Assessment (RA)
Vassar College must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage or transmission of organizational information.
7.15 System and Services Acquisition (SA)
Vassar College must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures, through federal and state law and contract, to protect information, applications and/or services outsourced from the organization.
7.16 System and Communications Protection (SC)
Vassar College must: (i) monitor, control and protect organization communications (i.e., information transmitted or received by organization information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and (ii) employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within organization information systems.
7.17 System and Information Integrity (SI)
Vassar College must: (i) identify, report and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organization information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
7.18 Program Management (PM)
Vassar College must implement security program management controls to provide a foundation for the organizational Information Security Program.
8. Enforcement
Vassar College may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security or functionality of organization and computer resources.
Any personnel found to have violated this procedure may be subject to disciplinary action, up to and including termination of employment.
9. Privacy
Vassar College must make every reasonable effort to respect a user's privacy. However, personnel do not acquire a right of privacy for communications transmitted or stored on Vassar resources.
Additionally, in response to a judicial order or any other action required by law or permitted by official organization policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the organization, the Chief Information Officer, or an authorized agent, may access, review, monitor and/or disclose computer files associated with an individual's account.
10. Exceptions
Exceptions to the policy may be granted by the Chief Information Officer, or his or her designee.
12. References
- NIST SP 800-53
- Gramm-Leach-Bliley Act (GLBA)
- Family Educational Rights and Privacy Act (FERPA)
- New York State Information Security Breach and Notification Act
- PCI DSS 3.1
14. Responsible Departments and Persons
- Responsible department: Computing and Information Services
- Person(s) responsible for developing, changing, and communicating this policy: Information Security Officer, Chief Information Officer, and Vassar’s Senior Officers
- Person(s) responsible for implementing and enforcing this policy: Chief Information Officer and Information Security Officer
15. Policy Authority
This policy is issued by Vassar College under the authority of the President and Senior Officers.