- The initial step in developing an information security policy is to identify which laws, regulations, and information security drivers apply to your institution.
- Perform a high-level gap analysis of each applicable regulatory requirement and driver to determine where policy is needed.
- Develop a prioritized action plan that will help you organize your efforts.
- Prepare a summary document of the impact that the information security policy or policies will have on the institution. The document should:
  - Describe the policy
  - Communicate the reason or business justification for the policy, as well as the risks and negative impact of not implementing it
  - Identify regulatory, technical, cultural, and organizational dependencies for implementation of the policy
  - Identify milestones and possible roadblocks to implementation, compliance, and enforcement
  - Identify impacted stakeholders
- Develop the policy in collaboration with other key stakeholders at your institution.
- Ensure the policy is vetted by impacted subject matter experts and business owners, including information security, legal counsel, human resources, and any other applicable steering committees.
- Review resources in the Guide such as the GRC FAQ, as well as standards and regulations that address specific requirements (e.g., PCI DSS 3.0, HIPAA, GLBA).
- Publish, communicate, train, and implement.
The adoption of one or more information security policies is the first step that institutions of higher education take to express their commitment to the protection of institutional information resources and the information entrusted to them by constituencies and partners. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.
The information security policy also provides institutional leaders with an opportunity to set a clear plan for information security, describe its role in supporting the missions of the institution, and state the institution's commitment to comply with relevant laws and regulations. The policy should be brief, easy to understand, enforceable, focused on desired behaviors and outcomes, and, most importantly, balanced in affording security while enabling and preserving productivity.
At institutions of higher education, the overarching information security policy document is often (though not always) drafted through a consensus-building process with solicitation of feedback from all identified stakeholders. Once approved and published, effective communication and periodic review and updating ensure that the policy's stated intent and corresponding expectations remain consistent and relevant over time, reflecting changes in technology, laws, business practices, and other factors.
Prior to starting the policy development process, it is important to understand the difference between policies, procedures, guidelines, and standards. Institutional policies are typically broad, short statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue. Procedures are more detailed and generally mandatory, describing how to accomplish a task or reach a goal. Guidelines, sometimes referred to as best practices, contain information about how to accomplish a task or reach a specific goal, but may not be mandatory. Standards establish a rule from a recognized authority, with no deviation allowed. More details can be found in A Primer on Policy Development for Institutions of Higher Education.
Management Direction for Information Security
If a policy is a statement of intent (according to most definitions), then a policy for information security can be defined as a formal high-level statement that embodies the course of action adopted by an institution regarding the use and safeguarding of institutional information resources. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.
To be effective an information security policy must:
- Require compliance (i.e., it should be mandatory to the intended audience)
- Be implementable (e.g., impact on legacy systems and current infrastructure)
- Be enforceable (i.e., failure to comply should result in disciplinary action)
- Be brief and easy to understand
- Balance protection with productivity
Also, the information security policy should:
- State why the policy is needed (i.e., business reasons)
- Exemplify the institution's commitment to information security
- Express leadership support for the role of information security in carrying out the institution's missions
- Focus on desired behaviors (e.g., acceptable use) and outcomes
- Define roles and responsibilities
- Outline the standards and procedures to be followed.
A careful balance must be reached to ensure that the policy enhances institutional security by providing enough detail that community members understand their expected role and contribution but not so much detail that the institution is exposed to unnecessary risk.
See Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.
Policies for Information Security
There are a number of standards that can be used as a foundation for an institution's information security policy framework. The Standards box below lists a few popular industry standards. Choosing the right policy framework is all about what will work best for the institution and its missions. Institutions of higher education should consider the following when selecting a framework for their information security policy:
- What works for the institution?
- What has not worked before?
- What fits the institution's culture?
- What regulatory requirements must be met?
- What are the organizational drivers?
- What future technology is on the institution's roadmap?
- What resources (staff, budget, skill sets) are needed to obtain the desired outcomes?
See A Framework for IT Policy Development, which supports the ideas expressed in an EDUCAUSE Review article that suggested "colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality."
It is important to keep in mind that one of the main goals of an information security policy is to issue directives. The difficult part is deciding on the appropriate level of control to exert. That decision should be informed by the following:
- If policies are too restrictive or hard to implement, people will find ways to circumvent the controls.
- Technical controls are not always possible or, at times, desirable.
- Directives must be "top-down," i.e., fully supported by top management.
Since most information security practitioners would agree that it is impossible to protect everything the same way all the time, institutions should identify the business and technical drivers that will guide the creation and implementation of the information security policy as well as assist in its vetting, approval, and socialization. These drivers can be high-level statements that convey the institution's priorities and direction and help stakeholders make the right decisions regarding what standards to require, what technology to deploy, and how to build the architecture required to implement the policy.
The information security CIA triad exemplifies the highest-level driver: to preserve the confidentiality, integrity, and availability of institutional information resources. More specific examples include:
- Uniquely identify and authenticate all users and entities affiliated with the institution.
- Provide users the least access required to perform their job function.
- Adopt information security industry standards where appropriate.
- Implement mitigating controls proactively, based on risk and on the cost of risk mitigation.
- Identify what information the institution maintains, where it is located, and who owns or is responsible for it.
- Classify institutional data and safeguard it based on risk.
- Balance the business need to offer and deploy new applications and services against the security risks they might pose to the institution.
Review of Information Security Policy
Most institutions of higher education will have a documented periodic policy review process in place (e.g., annually) to ensure that policies are kept up to date and relevant. In some institutions, a policy manager is the individual who determines the need for a new policy or an update to an existing policy. In other institutions, the role of policy manager may be played by the business owner (e.g., the Chief Information Security Officer may be the owner/manager of the information security policy).
Policy Review and Update Drivers
The information security policy owner or manager will review and update the policy at the required intervals or when external or internal drivers require the review and update of the policy. The following are the most common drivers that would prompt a review of the institution's information security policy.
- Changes in Federal or State laws and regulations
- Changes in technology (e.g., increased use of mobile devices on campus)
- Major information security project deployments (e.g., deployment of Mobile Device Management (MDM))
- Audit findings
- Policy format changes (e.g., new policy management function and process)
- Increased reliance on third-party service providers (e.g., outsourcing, cloud)
- New business practices (e.g., online education, telecommuting, telemedicine)
Policy Review and Update Process
The process to review and update the information security policy should include the following steps:
- Document needed changes
- Make changes to a draft version of the policy
- Determine whether the changes are significant or alter the intent of the original policy
- If so, ensure the changes are vetted by impacted subject matter experts and business owners, information security, legal counsel, human resources (if applicable), and any other applicable steering committee
- Publish, communicate, train, and implement
Information Security Policies
To assist in developing security policy, the institutional policies listed below have been identified as examples of good policies for the topics corresponding to the chapters of the Information Security Guide.
- EDUCAUSE Risk Management Framework
- UT Health Science Center at San Antonio Electronic Information Security Risk Management Policy
Organization of Information Security
General Information Security Resources
- EDUCAUSE Security Policies Resource Page (General)
- ISO Standards in Plain English
- NIST SP800-53 rev 3: Recommended Security Controls for Federal Information Systems and Organizations
- Computing Policies at James Madison University
- Computing Policies at University of Iowa
- University of California at Los Angeles (UCLA) Electronic Information Security Policy
- University of Notre Dame Information Security Policy
Information Services Privacy
- EDUCAUSE Campus Privacy Policies Resource Page
Institutional Data Protection
- Carnegie Mellon Guidelines for Data Protection
- UCLA Protection of Electronically Stored Personal Information Policy
Policy Creation, Review, and Exceptions
- EDUCAUSE Campus Cellular Telephone Policies
- EDUCAUSE Mobile Internet Device Security Guidelines
- EDUCAUSE Securing Mobile Devices: A Security Professionals 2011 Pre-Conference Seminar
- EDUCAUSE BYOD Resources
- University of Texas Health Science Center at San Antonio Portable Computing Policy
- University of Texas at Austin Handheld Hardening Checklists
- University of Oregon Mobile Device Security Policy Recommendations and Questions
- University of Pennsylvania Server-Managed Personal Digital Assistant (PDA) Policy with Disclaimer
Human Resources Security
Acceptable Use Policy
- University of Texas Health Science Center at San Antonio Acceptable Use Policy
- University of Minnesota Acceptable Use of Information Technology Resources Policy
- Purdue University Acceptable Use Policy
- EDUCAUSE Security Training resource page
- UT Health Science Center at San Antonio Information Security Training and Awareness Policy
- State of Texas Social Media Policy
- Stanford University Chat Rooms and Other Forums Policy
- Ball State University Social Media Policy
- University of California Santa Barbara Social Networking Guidelines for Administrators
- University of Florida Social Media Guidelines
- State University of New York Social Media Policy
Roles and Responsibilities
- EDUCAUSE Information Security Governance
- NIST SP800-100 Information Security Handbook: A Guide For Managers
- NISTIR 7359 Information Security Guide for Government Executives
- University of Iowa Information Security Framework
- Carnegie Mellon Information Security Roles and Responsibilities
- Stanford University Computer and Network Usage Policy
Acquisition of Technology
- EDUCAUSE Data Protection [RFP] Contractual Language Toolkit
- Northwestern University Policy for Information Technology Acquisition, Development and Deployment
- State of Texas Department of Information Resources Data Classification Guide
- EDUCAUSE Data Classification Toolkit
- EDUCAUSE Campus Data Classification Policies
- FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
- University of Texas at Austin Data Classification Standard
- University of Texas Health Science Center at San Antonio Data Classification Policy
- Carnegie Mellon Guidelines for Data Classification
- Stanford University Data Classification
- Purdue University Data Classification and Governance Policy
Access Control/Data Access (see also Network Access)
- University of South Carolina Data Access Policy
- Virginia Tech Administrative Data Management and Access Policy
Administrative / Special Access
- University of Texas Health Science Center at San Antonio Administrative and Special Access Policy
- Carnegie Mellon Guidelines for Appropriate Use of Administrator Access
Authentication Requirements (Framingham)
- NIST SP800-63 rev 1 Electronic Authentication Guideline
- EDUCAUSE Two-Factor Authentication Resource
- University of Iowa Enterprise Authentication Policy
- Purdue University Authentication and Authorization Policy
Identity Management Access Structure
- University of Texas Health Science Center at San Antonio Access Control and Password Management Policy
- Carnegie Mellon Guidelines for Password Management
- University of Iowa Enterprise Password Policy
- University of Texas at Austin Data Encryption Guidelines
- Northwestern University Data Encryption Policy
Physical and Environmental Security
Data Center Security
Disposal of Computers, Hard Drives
- University of Texas at Austin University Identification Card Guidelines
- University of Texas Health Science Center at San Antonio Physical Security for Electronic Information Resources
- Cornell University Responsible Use of Video Surveillance Systems
Backup and Data Recovery
- University of Texas Health Science Center at San Antonio Data Backup Policy and Guideline
- University of Iowa Backup and Recovery Policy
- EDUCAUSE Copier and MFD Security Hot Topic (8 Steps to Secure Your Copier or Multi-Function Device)
- University of Texas Health Science Center at San Antonio Administration of Security on Workstation Computers Policy
- University of Texas at Austin Network Monitoring Guidelines
- University of Texas Health Science Center at San Antonio Security Monitoring Policy
Server/Network Device Hardening
- NIST SP800-123 Guide to General Server Security
- University of Texas at Austin Minimum Security Standards for Systems
- University of Texas Health Science Center at San Antonio Administration of Security on Server Computers Policy
- University of Texas at Arlington Server Management Policy
- UCLA Minimum Security Standards for Network Devices Policy
- Northwestern University Server Certificate Policy
- EDUCAUSE Campus Domain Name Policies
- Carnegie Mellon Recursive DNS Server Operations Guideline
- Registration and Use of UCLA Domain Names Policy
- State of Texas Department of Information Resources Internet and E-mail Domain Name Policy
- University of Texas Health Science Center at San Antonio Electronic Mail Use and Retention Policy
- Purdue University Electronic Mail Policy
- University of Texas at Austin University Electronic Mail Student Notification Policy (Use of E-mail for Official Correspondence to Students)
E-mail (bulk) Approvals
- EDUCAUSE File Sharing Resources
- University of Texas Health Science Center at San Antonio Peer-To-Peer Access Policy
Instant Messaging (IM)
- University of Texas Health Science Center at San Antonio Network Access Policy
- University of California at Berkeley Guidelines and Procedures for Blocking Network Access
- University of Texas Health Science Center at San Antonio Computer Network Security Configuration Policy
- University of Texas Health Science Center at San Antonio Web Application Security Policy
- Carnegie Mellon Web Server Security Guidelines
System Acquisition, Development and Maintenance
- University of Texas at Austin Change Management Guidelines
- University of Texas Health Science Center at San Antonio Change Management Policy
Data File Security (Confidentiality)
SQL Databases and Proxy Servers
Academic Applications Hosting
Administrative Application Hosting
Application Service Provider
- University of Texas at Austin Minimum Security Standards for Application Development and Administration
- EDUCAUSE Cloud Computing Policy resource page
- Cloud Security Alliance Resource Page
- Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing
- NIST SP800-145 Draft NIST Definition of Cloud Computing
- NIST SP800-144 Draft Guidelines on Security and Privacy in Public Cloud Computing
- University of California Cloud Computing Task Force
- Cornell University Outsourcing and Cloud Computing resource page
- Purdue University Cloud Computing Consumer Guidelines
Research Application Hosting
Third-Party Application Hosting
- EDUCAUSE Data Protection [RFP] Contractual Language Toolkit
- University of Texas Health Science Center at San Antonio Third-Party Management of Information Resources Policy
Information Security Incident Management
- EDUCAUSE Data Incident Notification Toolkit
- NIST SP800-61 rev 1 Computer Security Incident Handling Guide
- University of Texas Health Science Center at San Antonio Information Security Incident Reporting Policy
- University of Iowa Computer Security Breach Notification Policy
- UCLA Notification of Breaches of Computerized Personal Information Policy
- University of Minnesota Reporting and Notifying Individuals of Security Breaches Policy
- NIST SP 800-61 Computer Security Incident Handling Guide
Information Security Aspects of Business Continuity Management
Federal Laws and Guidelines
- Family Educational Rights and Privacy Act, 20 U. S. C. § 1232g
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA) (financial records)
- Digital Millennium Copyright Act (DMCA)
- Federal Trade Commission ID Theft Red Flags Rule
- Federal Trade Commission 16 CFR Part 314 Standards for Safeguarding Customer Information, Final Rule
- Uniform Electronic Transactions Act 1999 (UETA)
- Electronic Signatures in Global and National Commerce Act (ESign)
- FDA 21 CFR Part 11 Electronic Record; Electronic Signatures; Final Rule
- Higher Education Opportunity Act of 2008 (HEOA)
- FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
- Federal Information Security Management Act (FISMA)
- EDUCAUSE Campus Copyright and Intellectual Property Policies
- Carnegie Mellon Copyright Violation Guideline
- EDUCAUSE PCI DSS Resource Page
- University of Texas at Austin Minimum Security Standards for Merchant Payment Card Processing
- Stanford University Credit Card Acceptance and Processing Policy
- EDUCAUSE Campus Licensing Policies
- University of Texas Health Science Center at San Antonio Software Policy
- University of Iowa SSN Policy
- Purdue University Social Security Number Policy
- Northwestern University Secure Handling of Social Security Numbers Policy
See the EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.
Standards
- ISO/IEC 27002:2013 Information Security Management
- NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations
- 45 CFR 164.316(a)
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).