The Catholic University of America

Archived 10/4/11

Information Assurance

I. Introduction
The Catholic University of America endeavors to protect the confidentiality, integrity and availability of all data in its care.

CUA information assurance policies are designed to provide legitimate and timely access to information necessary to its teaching, learning, and research mission, and administrative functions in support of this mission.

The university recognizes that the interests of information assurance and free access to information are sometimes in conflict. CUA attempts to resolve this conflict, but prefers to protect data when the conflict cannot be reconciled.

Rather than being merely one responsibility among others, information assurance is an aspect of every activity that takes place at the university. Rather than being merely the responsibility of the Center for Planning and Information Technology, all members of the university community are responsible for the security of its information.

The university provides technological resources for the storage and transmission of information. The protection and appropriate use of these resources is integral to the mission and activities of the university. Users of data are expected to familiarize themselves with all safeguarding resources and guidelines provided by the university.

II. Definitions

Information: The university collects, generates, analyzes, shares and makes use of a vast amount of facts, records, results of academic discoveries, inventions and proprietary institutional data. This is one of the university's core assets and constitutes information for the purposes of this policy.

Information Assurance means that data that should remain confidential is protected against inappropriate use, that data produced by the university is preserved in accuracy in day-to-day use, and that data required to carry out the university's mission is available to those who need it.

Covered Data refers to all information collected by, shared with, or reported to the university in the course of its daily activity that is protected by local, state or federal law or that the university is contractually obligated to protect. In addition, the university may designate additional covered data through the creation of standards, procedures and guidelines. Covered data includes but is not limited to: financial information as specified by the Financial Services Modernization Act of 1999 (Gramm Leach Bliley Act or GLB); certain Protected Health Information as specified by the Health Insurance Portability and Accountability Act of 1996 (HIPAA); education records of students as defined by the Family Educational Rights Privacy Act of 1974 (FERPA); information disclosed to researchers of human subjects which falls under the jurisdiction of the university's Institutional Review Board (IRB); patient records protected by the DC Mental Health Information Act of 1978; confidential medical records used to provide an employee with a reasonable accommodation under the ADA; any controlled technology which is subject to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) but does not fall under the Fundamental Research Exclusion or other exclusions to ITAR/EAR; and credit card data covered by the Payment Card Industry (PCI) standards.

Reasonable Expectation of Privacy. Except as noted in the Employee Electronic Communications and Resources Policy and the Computer Ethics policy, users of university systems, networks, services, and databases may expect that their personal communications, activities, and information will not be monitored or examined by the university except as necessary to maintain quality of service or to investigate a breach of security, when required by law, or at their explicit request.

III. Principles of Information Assurance

The Catholic University of America encourages the use of technology to advance the institutional and pedagogical mission of the university, and continually invests time, resources, and creativity in bringing new means of collecting, analyzing, integrating, presenting, and reporting on the data in its care. The university also takes seriously its responsibility to maintain the confidentiality of its information, and its constituents' reasonable expectation of privacy in the use of the systems provided for information transmission, storage, and presentation.

To accomplish these goals, the university has identified principles of information assurance that guide the creation of standards, procedures and guidelines. These are:

A. Minimization. The university makes reasonable efforts to limit the covered information it collects to that strictly relevant to accomplishing a clearly defined institutional or pedagogical goal. The university makes every reasonable effort to define data sunset or end of life, and to safely dispose of covered data when it reaches that period.

B. Least Privilege. The university grants to assigned individuals the reasonable, minimum access to covered information they need to accomplish their institutional or pedagogical goals.

C. Separation of Duties. For each assigned duty that uses covered data, the university assigns one or more individuals or review bodies to oversee the proper handling and protection of that data.

D. Non-Disclosure and Consent. The university favors a reasonable expectation of privacy of its constituents, consistent with the accomplishment of institutional goals and in accord with applicable laws, standards and university policies. Information collected for a specific purpose will ordinarily not be shared beyond the university community and its agents without notification or consent.

E. Notification. In the event of a breach of security that leaks covered information, senior university officials will determine, in light of the circumstances and applicable law, what risks are posed by the breach and whether and how those persons whose covered data was released should be notified.

IV. Information Assurance Roles

The Catholic University of America has assigned responsibilities for the creation, implementation, and oversight of information assurance standards, procedures and guidelines. The university has also created roles to support the technology systems and services that assist personnel in accomplishing institutional goals. These are:

A. Information Security Plan Coordinator. In order to comply with GLB and information assurance best practices, the university has designated an Information Security Plan Coordinator. The Coordinator works closely with all elements of the university to help identify reasonably foreseeable vulnerabilities and threats to covered data; design and implement safeguards to minimize risk; evaluate the effectiveness of safeguards; limit the damage from security breaches; and report findings to the relevant offices.

B. Network Security Officer. The university's IT infrastructure, consisting of its networks and network devices, servers, desktops, and other electronic devices, is an asset critical to the completion of institutional goals. The university has named a Network Security Officer to define standards, procedures, and guidelines that minimize the risk of intrusion or breach, while allowing university entities to exploit these assets to their maximum benefit.

C. Service, System, and Database Administrators. The university provides technology solutions for the storage and transmission of data in the form of off-the-shelf software, contracted software development and software written in-house by university faculty and staff. Most programs are managed by a service or database administrator, either named by CPIT or by the department, school or office that purchased or commissioned the program. In addition, the university names CPIT or departmental staff to manage the systems on which these services and databases run.

D. Data Custodians. Every piece of information collected by the university in its daily activities is collected on behalf of a specific university department that requires that data for the realization of a specific university goal. The collecting department is the custodian of that data, and has particular responsibilities for maintaining the confidentiality, integrity, and availability of the data under its purview. When information is shared within the university for accomplishing additional goals, the recipient of that data becomes a data custodian with the same responsibilities as the original collecting entity. Data Custodians, through the principle of Minimization, limit the data collected to that strictly necessary for the completion of a specific goal. Through the principle of Non-Disclosure and Consent, Data Custodians must respect the privacy and confidentiality of all data under their control. Where required by law or university policy, consent should be obtained prior to disclosure.

E. Incident Response Team. CPIT and the Office of General Counsel will name individuals to act as a standing team of first responders. This team will respond to a suspected security breach, determine if a breach is in process or has occurred, and will use best practices to minimize the loss of evidence. The Information Security Plan Coordinator and the Network Security Officer in consultation with the CIO will determine the level of investigation the response team is authorized to undertake in the event of a confirmed breach, and in conjunction with the Office of General Counsel, will decide whether to pursue further action or report to other university entities.

F. Information Assurance Advisory Council. CPIT and the Office of General Counsel will convene a council consisting of at least the Information Security Plan Coordinator, the Network Security Officer, and the General Counsel or his/her designee. This council will meet regularly, invite members of the university community to serve in rotation, and define an agenda to identify assurance tasks, commission and review standards, procedures, and guidelines, advise on and implement risk mitigation, coordinate response to emerging threats, and report results to campus entities.

V. Information Assurance Responsibilities

Anyone using university systems, networks, software, databases, or other computing devices, whether on campus or off, is responsible for abiding by the Computer Ethics policy. All are further responsible for knowing and following information assurance procedures and guidelines when working with covered data.

If, in the process of executing their duties, members of the university community discover a breach of security or evidence of illegal activity they must report their findings immediately to the Assistant Director of Networks and Security at tel 202-319-5373, as well as their immediate manager or supervisor. They may not take steps to investigate a breach, unless they are also on the Incident Response Team. In that case, they will follow the procedures set forth for incident handling and notification. Suspected breaches of HIPAA protected data must be reported directly to the Chief Information Officer at tel 202-319-5373.

Covered data may be disclosed to third parties pursuant to contract, as long as the service providers are required by contract to implement and maintain safeguards, and the university takes reasonable steps to select and maintain service providers.

VI. Policies Governing Specific Categories of Information

The following policies apply to specific types of information that are collected by campus entities for the realization of institutional goals. These policies are listed in descending order of specificity, but all relevant policies should apply to any given piece of data.

Financial Transactions

All campus financial transactions shall comply with the PCI standard, and are under the supervision of the Vice President Finance and Administration, Treasurer. Technical compliance with the PCI standard must be endorsed by the Information Security Plan Coordinator.

Education Records

All elements of the university will comply with the Family Education Rights Privacy Act. Advice on technical compliance with FERPA may be offered by the Office of the Registrar or the Office of General Counsel.

Research on Human Subjects

All research data involving human subjects is governed by the Institutional Review Board. Research proposals involving human subjects must be approved by the IRB before the research can be conducted.

Intellectual Property

All intellectual property is governed by the relevant intellectual property policies, including the Patent Policy.

Electronic Communications

All electronic communications are governed by the university's Employee Electronic Communications and Resources Policy and the Computer Ethics Policy.

Credentials

Credentials used for access to university systems, networks, services, facilities, and databases are confidential, non-transferable, and governed by the procedures and guidelines established by CPIT, the Office of Public Safety, and data custodians.

Appropriate Use

The appropriate use of university systems and networks is governed by the Computer Ethics Policy and relevant CPIT standards, guidelines, and procedures.

Covered Data

All covered data not otherwise controlled by this Information Assurance Policy or other university policies is protected by the data custodian to whom use is granted for a specific purpose.