Information Security Policies (ISO 5)

Table of Contents

• #Overview | #Standards | #Getting Started | #Resources
• Management Direction for Information Security (ISO 5.1)

Overview

Adoption of one or more information security policies is how an institution of higher education expresses intent with regards to information security requirements and expectations. Policy governance involves a Board of Trustees or the executive management of an institution showing evidence of their intent to secure information, to provide guidance and governance of the information security program, and of the institution's core belief in the importance of efforts to secure information.​

Within such a policy, institutional leaders are able to set a clear plan for information security, describing its important role in supporting organizational goals, as well as compliance with relevant laws and regulations. It can additionally set out operating plans and processes to arrive at the institution's goals for information security. The policy can also establish required standards, behaviors and outcomes, depending on the specificity sought.

In the context of higher education, the overarching security policy document is often (though not always) arrived at through a consensus building process; with solicitation and feedback from parties within an institution's governance structure. Once established, effectively communicating, maintaining and updating the security policy ensures that the stated intent and corresponding community expectations are consistent and maintain their relevancy over time to reflect changes in technology, laws, organizational approach, and other factors.

#Top of page

Standards

#Top of page

#Top of page

Management Direction for Information Security (ISO 5.1)

If a policy is a statement of intent (according to most definitions), then a policy for information security can be defined as a formal high-level statement that embodies the course of action adopted by an institution regarding the use and safeguarding of institutional information resources.  The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security. 

To be effective an information security policy must:

• Require compliance (i.e., it should be mandatory to the intended audience)
• Be implementable (e.g., impact on legacy systems and current infrastructure)
• Be enforceable.  (i.e., failure to comply should result in disciplinary actions)
• Be brief and easy to understand
• Balance protection with productivity

Also, the information security policy should:

• State why the policy is needed (i.e., business reasons)
• Exemplify the institution's commitment to information security
• Express leadership support for the role of information security in the carrying out of the institution's missions,
• Focus on desired behaviors (e.g., acceptable use) and outcomes
• Define roles and responsibilities
• Outline the standards and procedures to be followed.

A careful balance must be reached to ensure that the policy enhances institutional security by providing enough detail that community members understand their expected role and contribution but not so much detail that the institution is exposed to unnecessary risk.

See Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration. 

#Top of page

Policies for Information Security (ISO 5.1.1)

There are a number of standards that can be used as foundation for an institution's information security policy framework.  The Standards box atop this chapter name a few viable candidates.  Choosing the right policy framework is all about what will work best for the institution and its missions. Institutions of higher education should consider the following when selecting a framework for their information security policy:

• What works for the institution?
• What has not worked before?
• What fits the institutions culture?
• What regulatory requirements must be met?
• What are the organizational drivers?
• What future technology is on the institution's roadmap?
• What resources (staff, budget, skill sets) are needed to obtain the desired outcomes?

See A Framework for IT Policy Development, an EDUCAUSE Review article suggesting that "colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality." 

It is important to keep in mind that one of the main goals of an information security policy is to implement control.  The difficult part is deciding on the level of control to be implemented.  There appropriate level should be informed by the following facts:

• If policies are too restrictive or hard to implement, people will find ways to circumvent the controls.
• Technical controls are not always possible or, at times, desirable.
• Management must be committed on the level of control.

Organizational Drivers:

Since most information security practitioners would agree that it is impossible to protect everything the same way all the time, institutions should identify the business and technical drivers that will guide the creation and implementation of the information security policy as well as assist in its vetting, approval, and socialization.  These drivers can be high-level statements that convey the institution's priorities and direction and help stakeholders make the right decisions regarding what standards to require, what technology to deploy, and how to build the architecture required to implement the policy.

The information security CIA triad exemplifies the highest level driver - to preserve the confidentiality, integrity, and availability of institutional information resources.  More specific examples include:

• Uniquely identify and authenticate all users and entities affiliated with the institution.
• Provide users the least access required to perform their job function
• Adopt information security industry standards where appropriate.
• Implement mitigating controls proactively and based on risk and cost of risk mitigation
• Identify what information the institution maintains, where is it located, and who owns is responsible for it
• Classify institutional data and safeguard it based on risk
• Balance the business need to offer and deploy new applications and services against the security risks it might pose to the institution

Core Information Security Policies:

The EDUCAUSE Outline of Model Security Policy Elements toolkit has adopted a security policy taxonomy consisting of the eleven topics listed below. Each of the eleven topics has sub-topics beneath it to comprise a full taxonomy of security policy. The Outline also explains the methodology used to select policy models.

1.0 Security Policy (This section is policy about security policy)
2.0 Organizational Security
3.0 Asset Classification
4.0 Personnel Security
5.0 Physical and Environmental Security
6.0 Communications and Operations Management
7.0 Access Control
8.0 System Development and Maintenance
9.0 Business Continuity Management
10.0 Compliance
11.0 Incident Management
12.0 Security Plans

Other information security policies to consider include:

• Acceptable Use Policy
• Risk Management Policy
• Remote Access Policy
• Email Security Policy
• Mobile Device Use and Protection Policy

See Sample Policies for an EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.

Review of Information Security Policy (ISO 5.1.2)

Most institutions of higher education will have an documented periodic policy review process in place (e.g., yearly) to ensure that ensure that policies are kept up to date and relevant.  In some institutions a Policy Manager would be the individual who would determine the need for a new policy or the update to an existing policy.  In other institutions, the role of policy manager may be played by the Business Owner (e.g., the Chief information Security Officer may be the owner/manager of the Information Security policy.)  

Policy Review and Update Drivers:

The information security policy owner or manager will review and update the policy at the required intervals or when external or internal drivers require the review and update of the policy. The following are the most common drivers that would prompt a review of the institution's information security policy.

• Changes in Federal or State laws and regulations
• Changes in technology (e.g., increased use of mobile devices on campus)
• Major information security project deployments (e.g., deployment of Mobile device Management (MDM)
• Audit findings
• Policy format changes (e.g., new policy management function and process)
• Increased reliance on third-party service providers (e.g., outsourcing, cloud)
• New business practices (e.g., online education, telecommuting, telemedicine)

 Policy Review and Update Process:

The process to review and update the information security policy should include the following steps:

1. Document needed changes
2. Make changes to a draft version of the policy
3. Are the changes significant or alter the intent of the original policy?
   1. If Yes, ensure the changes are vetted by impacted subject matter experts and business owners, information security, legal counsel, human resources if applicable, any other applicable steering committee
4. Publish, communicate, train, and implement 

#Top of page

Resources

#Top of page

---

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).