Getting Started

The initial process in developing an information security policy is to identify which laws, regulations, and information security drivers are applicable to your institution.

  1. Perform a high-level gap analysis of each regulatory requirement and driver that is applicable to determine where policy is needed.

  2. Develop a prioritized action plan that will help you organize your efforts.

  3. Prepare a summary document of the impact that the information security policy or policies will have on the institution. The document should:

    1. Describe the policy

    2. Communicate the reason or business justification for the policy, as well as the risks and negative impact of not implementing the policy

    3. Identify regulatory, technical, cultural, and organizational dependencies for implementation of the policy

    4. Identify milestones and possible roadblocks of implementation, compliance, and enforcement

    5. Identify impacted stakeholders

  4. Develop the policy in collaboration with other key stakeholders at your institution.

  5. Ensure the policy is vetted by impacted subject matter experts and business owners, including information security, legal counsel, human resources, and any other applicable steering committees.

  6. Review resources in the Guide such as the GRC FAQ, as well as standards and regulations that address specific requirements (e.g., PCI DSS 3.0, HIPAA, GLBA).

  7. Publish, communicate, train, and implement.


Overview

The adoption of one or more information security policies is the first step that institutions of higher education take to express their commitment to the protection of institutional information resources and the information entrusted to them by constituencies and partners. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.

The information security policy also provides institutional leaders with an opportunity to set a clear plan for information security, describe its role in supporting the missions of the institution, and its commitment to comply with relevant laws and regulations. The policy should be brief, clear to understand, enforceable and focused on desired behaviors and outcomes, and most importantly, balanced in affording security while enabling and preserving productivity.

At institutions of higher education, the overarching information security policy document is often (though not always) drafted through a consensus building process with solicitation and feedback from all identified stakeholders. Once the policy is approved and published, effective communication and periodic review and updating ensure that its stated intent and corresponding expectations remain consistent and relevant over time, reflecting changes in technology, laws, business practices, and other factors.

Prior to starting the policy development process, it is important to understand the difference between policies, procedures, guidelines, and standards. Institutional policies are typically broad, short statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue. Procedures are more detailed and generally mandatory, describing how to accomplish a task or reach a goal. Guidelines, sometimes referred to as best practices, contain information about how to accomplish a task or reach a specific goal, but may not be mandatory. Standards establish a rule from a recognized authority, with no deviation allowed. More details can be found in A Primer on Policy Development for Institutions of Higher Education.


Management Direction for Information Security

Objective: Executive Management should define a policy or set of policies to clarify their direction of, and support for, information security.

If a policy is a statement of intent (according to most definitions), then a policy for information security can be defined as a formal high-level statement that embodies the course of action adopted by an institution regarding the use and safeguarding of institutional information resources. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.

To be effective, an information security policy must:

  • Require compliance (i.e., it should be mandatory to the intended audience)
  • Be implementable (e.g., impact on legacy systems and current infrastructure)
  • Be enforceable (i.e., failure to comply should result in disciplinary actions)
  • Be brief and easy to understand
  • Balance protection with productivity

Also, the information security policy should:

  • State why the policy is needed (i.e., business reasons)
  • Exemplify the institution's commitment to information security
  • Express leadership support for the role of information security in the carrying out of the institution's missions
  • Focus on desired behaviors (e.g., acceptable use) and outcomes
  • Define roles and responsibilities
  • Outline the standards and procedures to be followed

A careful balance must be reached to ensure that the policy enhances institutional security by providing enough detail that community members understand their expected role and contribution but not so much detail that the institution is exposed to unnecessary risk.

See Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.


Policies for Information Security

There are a number of standards that can be used as a foundation for an institution's information security policy framework. The Standards box below lists a few popular industry standards. Choosing the right policy framework is all about what will work best for the institution and its missions. Institutions of higher education should consider the following when selecting a framework for their information security policy:

  • What works for the institution?
  • What has not worked before?
  • What fits the institution's culture?
  • What regulatory requirements must be met?
  • What are the organizational drivers?
  • What future technology is on the institution's roadmap?
  • What resources (staff, budget, skill sets) are needed to obtain the desired outcomes?

See A Framework for IT Policy Development, which supports the ideas expressed in an EDUCAUSE Review article that suggested "colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality."

It is important to keep in mind that one of the main goals of an information security policy is to issue directives. The difficult part is deciding on the appropriate level of control to exert. The appropriate level should be informed by the following facts:

  •  If policies are too restrictive or hard to implement, people will find ways to circumvent the controls.
  •  Technical controls are not always possible or, at times, desirable.
  •  Ensure that directives are ‘top-down’—i.e., fully supported by top management.

Organizational Drivers

Since most information security practitioners would agree that it is impossible to protect everything the same way all the time, institutions should identify the business and technical drivers that will guide the creation and implementation of the information security policy as well as assist in its vetting, approval, and socialization. These drivers can be high-level statements that convey the institution's priorities and direction and help stakeholders make the right decisions regarding what standards to require, what technology to deploy, and how to build the architecture required to implement the policy.

The information security CIA triad exemplifies the highest level driver - to preserve the confidentiality, integrity, and availability of institutional information resources. More specific examples include:

  •  Uniquely identify and authenticate all users and entities affiliated with the institution.
  •  Provide users the least access required to perform their job function.
  •  Adopt information security industry standards where appropriate.
  •  Implement mitigating controls proactively and based on risk and cost of risk mitigation
  •  Identify what information the institution maintains, where it is located, and who owns or is responsible for it
  •  Classify institutional data and safeguard it based on risk
  •  Balance the business need to offer and deploy new applications and services against the security risks it might pose to the institution

Review of Information Security Policy

Most institutions of higher education will have a documented periodic policy review process in place (e.g., annually) to ensure that policies are kept up to date and relevant. In some institutions, a policy manager would be the individual who would determine the need for a new policy or the update to an existing policy. In other institutions, the role of policy manager may be played by the Business Owner (e.g., the Chief Information Security Officer may be the owner/manager of the information security policy).

Policy Review and Update Drivers

The information security policy owner or manager will review and update the policy at the required intervals or when external or internal drivers require the review and update of the policy. The following are the most common drivers that would prompt a review of the institution's information security policy.

  • Changes in Federal or State laws and regulations
  • Changes in technology (e.g., increased use of mobile devices on campus)
  • Major information security project deployments (e.g., deployment of Mobile Device Management (MDM))
  • Audit findings
  • Policy format changes (e.g., new policy management function and process)
  • Increased reliance on third-party service providers (e.g., outsourcing, cloud)
  • New business practices (e.g., online education, telecommuting, telemedicine)

Policy Review and Update Process

The process to review and update the information security policy should include the following steps:

  1. Document needed changes
  2. Make changes to a draft version of the policy
  3. Are the changes significant, or do they alter the intent of the original policy?
    1. If yes, ensure the changes are vetted by impacted subject matter experts and business owners, information security, legal counsel, human resources if applicable, and any other applicable steering committee
  4. Publish, communicate, train, and implement


Information Security Policies

In an effort to assist in developing important security policy, below you will find institutional policies identified as examples of good policies for the topics corresponding to the chapters of the Information Security Guide.

Risk Management

Organization of Information Security

General Information Security Resources

Information Services Privacy

Institutional Data Protection

Policy Creation, Review, and Exceptions

Portable Computing

Human Resources Security

Acceptable Use Policy

Security Training

Social Media

Asset Management

Roles and Responsibilities

Acquisition of Technology

Data Classification

Access Control

Access Control/Data Access (see also Network Access)

Administrative / Special Access

Authentication Requirements (Framingham)

Identity Management Access Structure

Passwords

Cryptography

Encryption

Physical and Environmental Security

Data Center Security

Disposal of Computers, Hard Drives

Physical Access

Operations Security

Backup and Data Recovery

Computer Configuration

Copiers/Printers

Desktop Management

Log Management

Security Monitoring

Server/Network Device Hardening

Communications Security

DNS Policies

E-mail

EDUCAUSE E-mail Policies

E-mail (bulk) Approvals

File Sharing

Firewall Maintenance

Instant Messaging (IM)

Internet Use

Network Access

Network Configuration

VPN Usage

Web Applications

System Acquisition, Development and Maintenance

Change Management

Data File Security (Confidentiality)

SQL Databases and Proxy Servers

Supplier Relationships

Academic Applications Hosting

Administrative Application Hosting

Application Service Provider

Cloud Computing

Research Application Hosting

Third-Party Application Hosting

Information Security Incident Management

Incident Management

Information Security Aspects of Business Continuity Management

Compliance

Federal Laws and Guidelines

Copyright Section

DMCA Policies

PCI

Software Licensing

SSN’s

See the EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.


Resources

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources


Standards

  • ISO: 27002:2013 Information Security Management, Chapter 5: Information Security Policies
  • NIST: 800-53: Recommended Security Controls for Federal Information Systems and Organizations
  • COBIT: APO01.03, EDM01.01, EDM01.02
  • PCI DSS: Req 12
  • 2014 Cybersecurity Framework: ID.GV-1
  • HIPAA Security: 45 CFR 164.316(a), 45 CFR 164.316(b)


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).