Table of Contents
- #Overview | #Standards | #Getting Started | #Resources
- Management Direction for Information Security (ISO 5.1)
Overview
The adoption of one or more information security policies is the first step that institutions of higher education take to express their commitment to the protection of institutional information resources and the information entrusted to them by constituencies and partners. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.
The information security policy also provides institutional leaders with an opportunity to set a clear plan for information security, describe its role in supporting the missions of the institution, and its commitment to comply with relevant laws and regulations. The policy should be brief, clear to understand, enforceable and focused on desired behaviors and outcomes, and most importantly, balanced in affording security while enabling and preserving productivity.
At institutions of higher education, the overarching information security policy document is often (though not always) drafted through a consensus building process with solicitation and feedback from all identified stakeholders. Once approved and published, its effective communication and periodic reviewing and updating ensures that the policy stated intent and corresponding expectations are consistent and relevant over time to reflect changes in technology, laws, business practices, and other factors.
#Top of page
Standards
27002:2013 Information Security Management |
800-53: Recommended Security Controls for Federal |
APO01.03 |
Req 12 |
ID.GV-1 |
45 CFR 164.316(a) |
#Top of page
Getting Started
The initial process in developing an information security policy is to identify which laws, regulations and information security drivers are applicable to your institution
- Perform a high level gap analysis of each regulatory requirement and driver that is applicable to determine where policy is needed.
- Develop a prioritized action plan that will help you organize your efforts.
- Prepare a summary document of the impact that the information security policy or policies will have on the institution. The document should:
- Describe the policy
- Communicate the reason or business justification for the policy as well as the risks and negative impact of not implementing the policy
- Identify regulatory, technical, cultural, and organizational dependencies for implementation of the policy
- Identify milestones and possible roadblocks of implementation, compliance, and enforcement
- Identify impacted stakeholders
- Develop the policy in collaboration with other key stakeholders at your institution.
- Ensure the policy is vetted by impacted subject matter experts and business owners, information security, legal counsel, human resources if applicable, any other applicable steering committee
- Take advantage of resources in the Guide such as the GRC FAQ, as well as standards and regulations that address specific requirements (PCI DSS 3.0, HIPAA, GLBA, et al).
- Publish, communicate, train, and implement
#Top of page
Management Direction for Information Security (ISO 5.1)
Objective: Executive Management should define a policy or set of policies to clarify their direction of, and support for, information security.
To be effective an information security policy must:
- Require compliance (i.e., it should be mandatory to the intended audience)
- Be implementable (e.g., impact on legacy systems and current infrastructure)
- Be enforceable. (i.e., failure to comply should result in disciplinary actions)
- Be brief and easy to understand
- Balance protection with productivity
Also, the information security policy should:
- State why the policy is needed (i.e., business reasons)
- Exemplify the institution's commitment to information security
- Express leadership support for the role of information security in the carrying out of the institution's missions,
- Focus on desired behaviors (e.g., acceptable use) and outcomes
- Define roles and responsibilities
- Outline the standards and procedures to be followed.
A careful balance must be reached to ensure that the policy enhances institutional security by providing enough detail that community members understand their expected role and contribution but not so much detail that the institution is exposed to unnecessary risk.
See Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.
#Top of page
Policies for Information Security (ISO 5.1.1)
There are a number of standards that can be used as foundation for an institution's information security policy framework. The Standards box atop this chapter name a few viable candidates. Choosing the right policy framework is all about what will work best for the institution and its missions. Institutions of higher education should consider the following when selecting a framework for their information security policy:
- What works for the institution?
- What has not worked before?
- What fits the institutions culture?
- What regulatory requirements must be met?
- What are the organizational drivers?
- What future technology is on the institution's roadmap?
- What resources (staff, budget, skill sets) are needed to obtain the desired outcomes?
See A Framework for IT Policy Development, an EDUCAUSE Review article suggesting that "colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality."
It is important to keep in mind that one of the main goals of an information security policy is to implement control. The difficult part is deciding on the level of control to be implemented. There appropriate level should be informed by the following facts:
- If policies are too restrictive or hard to implement, people will find ways to circumvent the controls.
- Technical controls are not always possible or, at times, desirable.
- Management must be committed on the level of control.
Organizational Drivers:
Since most information security practitioners would agree that it is impossible to protect everything the same way all the time, institutions should identify the business and technical drivers that will guide the creation and implementation of the information security policy as well as assist in its vetting, approval, and socialization. These drivers can be high-level statements that convey the institution's priorities and direction and help stakeholders make the right decisions regarding what standards to require, what technology to deploy, and how to build the architecture required to implement the policy.
The information security CIA triad exemplifies the highest level driver - to preserve the confidentiality, integrity, and availability of institutional information resources. More specific examples include:
- Uniquely identify and authenticate all users and entities affiliated with the institution.
- Provide users the least access required to perform their job function
- Adopt information security industry standards where appropriate.
- Implement mitigating controls proactively and based on risk and cost of risk mitigation
- Identify what information the institution maintains, where is it located, and who owns is responsible for it
- Classify institutional data and safeguard it based on risk
- Balance the business need to offer and deploy new applications and services against the security risks it might pose to the institution
Core Information Security Policies:
The EDUCAUSE Outline of Model Security Policy Elements toolkit has adopted a security policy taxonomy consisting of the eleven topics listed below. Each of the eleven topics has sub-topics beneath it to comprise a full taxonomy of security policy. The Outline also explains the methodology used to select policy models.
1.0 Security Policy (This section is policy about security policy)
2.0 Organizational Security
3.0 Asset Classification
4.0 Personnel Security
5.0 Physical and Environmental Security
6.0 Communications and Operations Management
7.0 Access Control
8.0 System Development and Maintenance
9.0 Business Continuity Management
10.0 Compliance
11.0 Incident Management
12.0 Security Plans
Other information security policies to consider include:
- Acceptable Use Policy
- Risk Management Policy
- Remote Access Policy
- Email Security Policy
- Mobile Device Use and Protection Policy
See Sample Policies for an EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.
Review of Information Security Policy (ISO 5.1.2)
Most institutions of higher education will have an documented periodic policy review process in place (e.g., yearly) to ensure that ensure that policies are kept up to date and relevant. In some institutions a Policy Manager would be the individual who would determine the need for a new policy or the update to an existing policy. In other institutions, the role of policy manager may be played by the Business Owner (e.g., the Chief information Security Officer may be the owner/manager of the Information Security policy.)
Policy Review and Update Drivers:
The information security policy owner or manager will review and update the policy at the required intervals or when external or internal drivers require the review and update of the policy. The following are the most common drivers that would prompt a review of the institution's information security policy.
- Changes in Federal or State laws and regulations
- Changes in technology (e.g., increased use of mobile devices on campus)
- Major information security project deployments (e.g., deployment of Mobile device Management (MDM)
- Audit findings
- Policy format changes (e.g., new policy management function and process)
- Increased reliance on third-party service providers (e.g., outsourcing, cloud)
- New business practices (e.g., online education, telecommuting, telemedicine)
Policy Review and Update Process:
The process to review and update the information security policy should include the following steps:
- Document needed changes
- Make changes to a draft version of the policy
- Are the changes significant or alter the intent of the original policy?
- If Yes, ensure the changes are vetted by impacted subject matter experts and business owners, information security, legal counsel, human resources if applicable, any other applicable steering committee
- Publish, communicate, train, and implement
#Top of page
Resources
EDUCAUSE Resources
- Information Policies
- Sample Information Security Policies, an EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.
- Security Policies
- EDUCAUSE/Cornell Institute for Computer Policy and Law
- EDUCAUSE Policy Initiatives
- Federal Privacy Law
- FERPA
- Gramm-Leach-Bliley (GLB) Act
- Higher Education Act
- Higher Education Compliance Alliance Matrix
- HIPAA
- ID Theft Red Flags
- Outline of Model Security Policy Elements
- PCI DSS
- Policy and Law
- Policy and Law: Campus
- Policy and Law: Federal
- Policy and Law: State
- http://www.educause.edu/ero/article/framework-it-policy-development
- Outline of Model Security Policy Elements, An EDUCAUSE Toolkit that provides examples of security policy and procedures that may be edited to fit the needs of institutions of higher education.
- A Framework for IT Policy Development, an EDUCAUSE Review article
Initiatives, Collaborations, & Other Resources
- Higher Education Compliance Alliance
- SANS Information Security Policy Templates (Note: These templates may need customization for the higher education environment.)
- Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs (includes several sample policies)
- Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.
Questions or comments? Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).