
Overview

Adoption of one or more information security policies is how an institution of higher education expresses intent with regards to information security requirements and expectations. Policy governance involves a Board of Trustees or the executive management of an institution showing evidence of their intent to secure information, to provide guidance and governance of the information security program, and of the institution's core belief in the importance of efforts to secure information.​

Within such a policy, institutional leaders are able to set a clear plan for information security, describing its important role in supporting organizational goals, as well as compliance with relevant laws and regulations. It can additionally set out operating plans and processes to arrive at the institution's goals for information security. The policy can also establish required standards, behaviors and outcomes, depending on the specificity sought.

In the context of higher education, the overarching security policy document is often (though not always) arrived at through a consensus building process; with solicitation and feedback from parties within an institution's governance structure. Once established, effectively communicating, maintaining and updating the security policy ensures that the stated intent and corresponding community expectations are consistent and maintain their relevancy over time to reflect changes in technology, laws, organizational approach, and other factors.


Standards

The following standards and regulatory references map to this section:

  • ISO: 27002:2013 Information Security Management, Chapter 5: Information Security Policies
  • NIST: 800-53: Recommended Security Controls for Federal Information Systems and Organizations
  • COBIT: APO01.03, EDM01.01, EDM01.02
  • PCI DSS: Req 12
  • 2014 Cybersecurity Framework: ID.GV-1
  • HIPAA Security: 45 CFR 164.316(a), 45 CFR 164.316(b)


Getting Started

Prepare a summary document of the impact that the information security policy will have on the institution. The document should:

  • Describe the policy
  • Communicate the reason or business justification for the policy as well as the risks and negative impact of not implementing the policy
  • Identify regulatory, technical, cultural, and organizational dependencies for implementation of the policy
  • Identify milestones and possible roadblocks of implementation, compliance, and enforcement
  • Identify impacted stakeholders

The following resources are useful for those just getting started with an information security policy, or with IT policies in general:

  • A Framework for IT Policy Development: EDUCAUSE Review article suggesting that "colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality."
  • Outline of Model Security Policy Elements: Provides examples of security policy and procedures that may be edited to fit the needs of institutions of higher education.
  • Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.
  • Sample Policies: EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.


Management Direction for Information Security (ISO 5.1)

Objective: Management should define a set of policies to clarify its direction of, and support for, information security. The governing entity at every institution needs to establish security policy, targets, processes, and the procedures related to its risk management and information security improvements, so that results are delivered in accordance with stated objectives.

An institutional information security policy should:

  • Define what information security means to the institution
  • Express leadership support for the role of information security in carrying out the institution's missions
  • Define roles and responsibilities
  • Describe mechanisms for ensuring the appropriate security of institutional information resources, including the management and mitigation of risks
  • Outline the standards and procedures to be followed

NOTE: A careful balance must be reached so that the policy enhances organizational security by providing enough detail that community members understand their expected role and contribution, but not so much detail that the organization is exposed to unnecessary risk.


Policies for Information Security (ISO 5.1.1)

If a policy is a statement of intent (according to most definitions), then a policy for information security can be defined as a formal, high-level statement that embodies the course of action adopted by an institution regarding the use and safeguarding of institutional information resources. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.

To be effective, an information security policy should:

  • Focus on desired behaviors (e.g., acceptable use) and outcomes
  • Require compliance (i.e., it should be mandatory for the intended audience)
  • Be enforceable (i.e., failure to comply should result in disciplinary action)
  • Be defined and informed by standards, best practices, and guidelines

Organizational Drivers:

Since most information security practitioners would agree that it is impossible to protect everything the same way all the time, institutions should identify the business and technical drivers that will guide the creation and implementation of the information security policy and assist in its vetting, approval, and socialization. These drivers can be high-level statements that convey the institution's priorities and direction and help stakeholders make the right decisions about which standards to require, which technology to deploy, and how to build the architecture needed to implement the policy.

The information security CIA triad exemplifies the highest-level driver: to preserve the confidentiality, integrity, and availability of institutional information resources. More specific examples include:

  • Uniquely identify and authenticate all users and entities affiliated with the institution
  • Provide users the least access required to perform their job function
  • Adopt information security industry standards where appropriate
  • Implement mitigating controls proactively, based on risk and the cost of risk mitigation
  • Classify institutional data and safeguard it based on risk
  • Balance the business need to offer and deploy new applications and services against the security risks they might pose to the institution

Review of Information Security Policy (ISO 5.1.2)

Most institutions of higher education will have a documented periodic policy review process in place (e.g., yearly) to ensure that policies are kept up to date and relevant. In some institutions a Policy Manager is the individual who determines the need for a new policy or for an update to an existing policy. In other institutions, the role of policy manager may be played by the Business Owner (e.g., the Chief Information Security Officer may be the owner/manager of the Information Security policy). The information security policy owner or manager reviews and updates the policy at the required intervals, or whenever external drivers, organizational changes, or business practices require a review and update of the policy.

Policy Review and Update Drivers:

  • Changes in federal or state laws and regulations
  • Changes in technology (e.g., increased use of mobile devices on campus)
  • Major information security project deployments (e.g., deployment of Mobile Device Management (MDM))
  • Audit findings
  • Policy format changes (e.g., a new policy management function and process)
  • Increased reliance on third-party service providers (e.g., outsourcing, cloud)

If changes are made to an existing policy, the revised policy should be approved by the appropriate governing entity.


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).