The initial process in developing an information security policy is to identify which laws, regulations, and information security drivers are applicable to your institution.
The adoption of one or more information security policies is the first step that institutions of higher education take to express their commitment to the protection of institutional information resources and the information entrusted to them by constituencies and partners. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.
The information security policy also gives institutional leaders an opportunity to set a clear direction for information security, describe its role in supporting the missions of the institution, and state the institution's commitment to complying with relevant laws and regulations. The policy should be brief, easy to understand, enforceable, and focused on desired behaviors and outcomes, and, most importantly, balanced in affording security while enabling and preserving productivity.
At institutions of higher education, the overarching information security policy document is often (though not always) drafted through a consensus-building process with solicitation of feedback from all identified stakeholders. Once approved and published, effective communication and periodic review and updating ensure that the policy's stated intent and corresponding expectations remain consistent and relevant over time, reflecting changes in technology, laws, business practices, and other factors.
Prior to starting the policy development process, it is important to understand the difference between policies, procedures, guidelines, and standards. Institutional policies are typically broad, short statements that reflect the philosophies, attitudes, or values of an organization related to a specific issue. Procedures are more detailed and generally mandatory, describing how to accomplish a task or reach a goal. Guidelines, sometimes referred to as best practices, contain information about how to accomplish a task or reach a specific goal, but may not be mandatory. Standards establish a rule from a recognized authority, with no deviation allowed. More details can be found in A Primer on Policy Development for Institutions of Higher Education.
Objective: Executive management should define a policy or set of policies to clarify their direction of, and support for, information security.
If a policy is a statement of intent (according to most definitions), then a policy for information security can be defined as a formal high-level statement that embodies the course of action adopted by an institution regarding the use and safeguarding of institutional information resources. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.
To be effective, an information security policy must:
Also, the information security policy should:
A careful balance must be reached to ensure that the policy enhances institutional security by providing enough detail that community members understand their expected role and contribution but not so much detail that the institution is exposed to unnecessary risk.
See Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.
There are a number of standards that can be used as a foundation for an institution's information security policy framework. The Standards box below lists a few popular industry standards. Choosing the right policy framework is all about what will work best for the institution and its missions. Institutions of higher education should consider the following when selecting a framework for their information security policy:
See A Framework for IT Policy Development, which supports the ideas expressed in an EDUCAUSE Review article that suggested "colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality."
It is important to keep in mind that one of the main goals of an information security policy is to issue directives. The difficult part is deciding on the appropriate level of control to exert. The appropriate level should be informed by the following facts:
Organizational Drivers
Since most information security practitioners would agree that it is impossible to protect everything the same way all the time, institutions should identify the business and technical drivers that will guide the creation and implementation of the information security policy as well as assist in its vetting, approval, and socialization. These drivers can be high-level statements that convey the institution's priorities and direction and help stakeholders make the right decisions regarding what standards to require, what technology to deploy, and how to build the architecture required to implement the policy.
The information security CIA triad exemplifies the highest-level driver: to preserve the confidentiality, integrity, and availability of institutional information resources. More specific examples include:
Review of Information Security Policy
Most institutions of higher education will have a documented periodic policy review process in place (e.g., annually) to ensure that policies are kept up to date and relevant. In some institutions, a policy manager determines the need for a new policy or for an update to an existing policy. In others, the role of policy manager may be played by the business owner (e.g., the Chief Information Security Officer may be the owner/manager of the information security policy).
Policy Review and Update Drivers
The information security policy owner or manager will review and update the policy at the required intervals or when external or internal drivers require the review and update of the policy. The following are the most common drivers that would prompt a review of the institution's information security policy.
Policy Review and Update Process
The process to review and update the information security policy should include the following steps:
Information Security Policies
In an effort to assist in developing important security policy, below you will find institutional policies identified as examples of good policies for the topics corresponding to the chapters of the Information Security Guide.
Risk Management
Organization of Information Security
General Information Security Resources
Information Services Privacy
Institutional Data Protection
Policy Creation, Review, and Exceptions
Portable Computing
Human Resources Security
Acceptable Use Policy
Security Training
Social Media
Asset Management
Roles and Responsibilities
Acquisition of Technology
Data Classification
Access Control
Access Control/Data Access (see also Network Access)
Administrative / Special Access
Authentication Requirements (Framingham)
Identity Management Access Structure
Passwords
Cryptography
Encryption
Physical and Environmental Security
Data Center Security
Disposal of Computers, Hard Drives
EDUCAUSE Guidelines for Data Media Sanitization and Disposal
University of Texas Health Science Center at San Antonio Storage Media Control Policy
Physical Access
Operations Security
Backup and Data Recovery
Computer Configuration
Copiers/Printers
Desktop Management
Log Management
Security Monitoring
Server/Network Device Hardening
Communications Security
DNS Policies
E-mail (bulk) Approvals
File Sharing
Firewall Maintenance
Instant Messaging (IM)
Internet Use
Network Access
Network Configuration
VPN Usage
Web Applications
System Acquisition, Development and Maintenance
Change Management
Data File Security (Confidentiality)
SQL Databases and Proxy Servers
Supplier Relationships
Academic Applications Hosting
Administrative Application Hosting
Application Service Provider
Cloud Computing
Research Application Hosting
Third-Party Application Hosting
Information Security Incident Management
Incident Management
Information Security Aspects of Business Continuity Management
Compliance
Federal Laws and Guidelines
Copyright Section
DMCA Policies
PCI
Software Licensing
SSNs
See the EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.
Standards
ISO/IEC 27002:2013: Information Security Management
NIST SP 800-53: Recommended Security Controls for Federal
COBIT 5: APO01.03
PCI DSS: Req 12
NIST Cybersecurity Framework: ID.GV-1
HIPAA: 45 CFR 164.316(a)
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).