Information Security and Assurance Policy
History: Issued -- May 23, 2003; Revised -- March 9, 2015
Related Policies: Acceptable Use Policy; Conflict of Interest Policy for Staff and Faculty; Copyright Policy; Credit Card Acceptance Policy; Electronic Communications Policy; Property Administration Policy; Protection of Human Subjects in Research; Student Records Policy
Additional References: Privacy and Information Security Training
Responsible Official: Chief Information Officer, tel. 202-319-5373
I. Policy Statement
The University is entrusted with a great deal of information from students, employees, business partners, the government, and other sources. That information is critical to the University's teaching, learning and research mission, and to the administrative functions that support that mission. The loss or misuse of information can cause substantial injury to the University, its constituents and/or affiliates in terms of financial loss, reputational damage, operational capability, and/or significant embarrassment.
All members of the University community are responsible for protecting the security, confidentiality, integrity and availability of information entrusted to them, and for taking affirmative steps to prevent its unauthorized disclosure or loss. This policy sets forth the security requirements that all members of the University community must follow to meet that responsibility.
This policy applies to all University activities, whether on campus or off, and to all information regardless of the medium in which it is stored (paper, electronic, etc.) or shared (electronically, verbally, visually, etc.). This policy applies to all staff, faculty and students, and anyone accessing University Systems (defined below) or information contained on those systems, such as visitors, vendors, and contractors.
Violations of this policy may result in disciplinary action up to and including separation from the University.
Information generated, collected by, or entrusted to the University is classified as follows:
A. Confidential Information means data that is protected by federal, state or local law or contractual obligation, or that is specifically designated as confidential by the University. Information also is considered confidential if its loss, misuse or unauthorized disclosure or alteration might cause substantial injury to the University, its constituents and/or affiliates in terms of financial loss, reputational damage, operational capability, and/or significant embarrassment. Examples of Confidential Information include, but are not limited to:
• Student education records (e.g., grades, biographical information, class rosters)
• Social Security Numbers and related data
• Medical records
• Payroll records
• Personnel (employment) records
• Bank account, credit/debit card or other financial information
The highest levels of security must be applied to restrict access to Confidential Information to authorized individuals, and to protect against its unauthorized use, disclosure or modification.
B. Internal Use Only Information is the University’s default classification, and refers to all institutional data that is not classified as either “Confidential” or “Public.” Information is considered Internal Use if its loss, misuse or unauthorized disclosure or alteration might cause moderate injury to the University, its constituents and/or affiliates. Examples include, but are not limited to:
• Internal directories
• Non-public meeting minutes or memoranda
• Information about financial transactions
• Drafts of official documents
A reasonable level of security must be applied to limit access to Internal Use Only Information, and to prevent its unauthorized use, disclosure, or modification.
C. Public Information means data that is open to the University community, external entities, and the general public. Examples of Public Information include, but are not limited to:
• Press releases
• The University website
• Publicly-posted schedules or calendars
• Publicly-posted or published newsletters or magazines
A reasonable level of security must be applied to protect Public Information against unauthorized modification.
The following additional definitions are applicable to this policy:
A. Custodian means any individual who has been approved to execute a Legitimate Business Function which requires the provision of access to Restricted University Information, or who uses that information in support of a Legitimate Business Function.
B. Data Steward means a university official at the rank of Provost or Vice President with enterprise responsibility over Restricted University Information.
C. Legitimate Business Function refers to the business justification, as approved by an appropriate supervisor, for which access to Restricted University Information is approved.
D. Mobile Device means an electronic device, without regard to ownership, that is easily transportable and capable of accessing, storing, or transmitting information. Mobile devices include, but are not limited to: laptop computers; tablets; netbooks; cell phones; Smartphones (e.g., iPhones, Galaxy); flash or “thumb” drives; magnetic tape; discs; and external hard drives.
E. Restricted University Information means any information which is classified by the University as either Confidential or Internal Use Only.
F. University Systems include University-owned or controlled computing devices, data networks, software, databases, services and facilities. Examples of University Systems include shared computer drives, network file shares, networkable copiers, University-provided wireless networks (WiFi), and University-provided programs or software such as Microsoft Word, Outlook, Cardinal Station and Cardinal Financials.
III. Reasonable Expectation of Privacy
Generally, users of University Systems (defined above) may expect that their personal communications, activities and information will not be monitored or examined by the University. Exceptions are noted in the Electronic Communications Policy and the Acceptable Use Policy. Exceptions also may occur when necessary in order to maintain quality of service; investigate a potential breach of security or violation of law or University policy; when required by law; upon departure from the University or in the event of unplanned leave of absence; at the user’s explicit request; or in emergency situations.
IV. System Access Requirements
Limiting access to University Systems can prevent unauthorized access to those systems and the information they contain. The University therefore provides limited access to those systems based upon a demonstrated business need. Access to University Systems requires the following:
A. An authorized relationship with the University (i.e., staff, faculty, students, and in limited circumstances vendors or contractors);
B. A Legitimate Business Function as certified in writing by the individual’s direct supervisor;
C. A completed system access agreement;
D. Approval for access to information domains by the relevant Data Steward; and
E. Use of a unique username and password by each individual granted system access (group access and shared credentials may be permitted on an exception basis with the approval of the CIO). See Information Security Requirements, below, for required steps for protecting credentials.
Access is conditioned upon the user’s agreement to abide by the foregoing requirements and all applicable University policies.
All members of the University community share the responsibility for safeguarding University information. The following individuals/offices have a heightened expectation as outlined below:
A. Custodian: Responsible for the security of Restricted University Information to which they have been granted access, in whatever format (e.g., electronic, paper, verbal).
B. Data Steward: Responsible for the decision to authorize, or not, access to Restricted University Information for which they are the primary University executive in charge of that functional area (e.g., academic records fall under the purview of the Provost).
C. Technology Services IT Security Office: Responsible for the implementation and auditing of functional controls which support the restriction of access to Restricted University Information to individuals with a Legitimate Business Function that has been appropriately approved for such access.
D. Unit/Division Head: Responsible for ensuring that Restricted University Information is appropriately handled, stored and destroyed in accordance with applicable University policy.
VI. Information Security Practices
Every staff and faculty member is responsible for completing the University’s mandatory online Privacy and Information Security Training.
All members of the University community, and anyone accessing University Systems, are responsible for adhering to the University information security requirements, including but not limited to the following:
A. Protect System and Network Access
1. Know and follow the requirements in the University’s Acceptable Use Policy.
2. Do not use University systems in a way that negatively impacts the functioning or availability of those systems.
3. Treat credentials for access to University systems (e.g., usernames and passwords) as confidential. Such credentials are non-transferable and should never be shared, even with University personnel from Technology Services.
4. Use strong passwords to access University systems and to secure personal computers.
5. Do not write down passwords where they are easily accessible to others.
6. Do not save passwords in University web browsers or send them via e-mail.
7. Do not attempt to access University systems unless authorization has been provided (see System Access Requirements, above).
8. Log out from a University system when you are finished working, or if you will be away from your computer for more than a few minutes.
9. Maintain up-to-date anti-virus software and system patches on all computers. When prompted to update such software or patches, do so as soon as possible.
10. Do not download or install computer programs or software onto University Systems without prior approval from Technology Services (TS).
11. Access University systems and Restricted University Information only on University-provided or specifically approved hardware.
B. Protect the Confidentiality of Information
1. Do not share information collected for a specific purpose with those outside the University community without notification and consent.
2. Do not access or use Restricted University Information other than for a Legitimate Business Function.
3. Do not share Restricted University Information with those who do not have a Legitimate Business Function which requires knowledge of that information.
4. Fax confidential data only after confirming that the receiving fax machine is located in a secure area accessed only by those with a legitimate need to see the information being transmitted.
5. Do not leave paper documents containing Restricted University Information where they are accessible to those who do not have a legitimate need to know that information. Secure all such documents in a locked suite, office, desk, or file cabinet.
6. Store Confidential Information only on an appropriately encrypted medium. Contact Technology Services (TECHSUPPORT@CUA.EDU or tel. 202-319-4357) to have the necessary encryption technology installed on your departmental server and computers.
C. Protect the Integrity of Information
1. Do not modify University information for purposes other than a Legitimate Business Function.
2. Do not use University information for personal use or benefit (see the University’s Conflict of Interest Policy for Staff and Faculty).
3. Protect the intellectual property of others (see the University’s Copyright Policy).
D. Take Care with E-mail
1. Adhere to the requirements in the University’s Electronic Communications Policy.
2. Do not use personal e-mail for work purposes.
3. Do not download e-mail attachments from unknown senders.
4. Do not e-mail Confidential Information to non-University addresses unless the file is appropriately encrypted or pursuant to departmental procedures regarding transmission of such Confidential Information. To obtain encryption technology or assistance with establishing departmental procedures, contact Technology Services (TECHSUPPORT@CUA.EDU or 202-319-4357).
5. If using a mobile device, follow the Additional Requirements for Mobile Devices, below.
E. Dispose of Information and Equipment Properly
1. Dispose of all University computer equipment and Mobile Devices (defined above) only in accordance with the University’s Property Administration Policy. Such equipment not only contains hazardous materials, but may contain Restricted University Information that must be removed.
In addition, employees may contact Technology Services (TECHSUPPORT@CUA.EDU or 202-319-4357) for assistance disposing of personal computers or Mobile Devices that were used for University business.
2. Shred all written documents that contain Restricted University Information when they are no longer required.
3. If you are unsure whether you are authorized to access, share, or transmit confidential information, or have other questions about protecting that information, contact Technology Services (TS-SECURITY@CUA.EDU, tel. 202-319-4357) or Chief Ethics and Compliance Officer and Chief Privacy Officer (CUA-COMPLIANCE@CUA.EDU, tel. 202-319-6170) for guidance.
F. Additional Requirements for Mobile Devices
Mobile Devices (defined above) pose an increased security risk due to their portability. Employees must take extra care to secure such devices, particularly when traveling. Take the following steps in order to minimize the risk of theft or loss of data:
1. Data storage on Mobile Devices must be encrypted, and the device protected by a password. Contact Technology Services (TS-SECURITY@CUA.EDU, tel. 202-319-4357) for information and assistance with encrypting such devices.
2. Do not access, store or transmit proprietary, sensitive or confidential information via such devices without prior approval.
G. Additional Requirements for Off-Campus Computing
Employees who work from off-campus locations must take additional steps to protect information, including use of an encrypted communication channel to access University systems and information. Before accessing such systems or information see Home Computer Security for Off-Campus Computing and contact Technology Services at tel. (202) 319-4357 in order to implement the required security measures for off-campus computing.
VII. Report Potential Information Security Breaches
Immediately report potential information security breaches, or evidence of potential illegal activity, to Technology Services (TS-SECURITY@CUA.EDU, tel. (202) 319-4357), and to your immediate supervisor. Do not take steps to investigate a potential security incident unless you are also on the Technology Services Incident Response Team.