Section: Information Technology
Policy Number: 901
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20
St. John’s University (St. John’s) publishes and maintains a formal information security policy that clearly establishes management commitment to information security and sets out the University’s approach to managing information security within the University IT enterprise.
St. John’s is committed to safeguarding its critical information in alignment with St. John’s mission. St. John’s recognizes that the roles and responsibilities of individuals are crucial to securing the confidentiality, integrity and availability of information assets.
This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity and availability of St. John’s information assets, and protects the interests of St. John’s, its customers, personnel, and business partners.
St. John’s Information Security Policy defines the role of information security in supporting St. John’s mission, while fostering an environment that protects the St. John’s community from all internal, external, deliberate or accidental information security threats that may compromise the confidentiality, integrity, availability, and privacy of information assets.
St. John’s Information Security policy ensures the following:
All Members of the Campus Community
Department of Information Technology and Information Security Governance Sub Committee
Information Security Office
The following are the definitions relevant to the policy:
Maintaining Information Security Policy for all Personnel
St. John’s establishes, publishes, maintains and disseminates this security policy to all relevant personnel (including vendors and business partners). The policy is reviewed at least annually, and changes/updates are made when St. John’s environment changes.
St. John’s ensures that an annual risk-assessment process is performed to:
Acceptable Use policies for critical technologies throughout St. John's are implemented and proper use of the technologies is defined.
St. John's reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance are presented to, reviewed, and approved by the CIO, the Director of Information Security, or the equivalent officer(s).
All breaches of information security, actual or suspected, are reported to and investigated by the CIO and the Information Security Director.
Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as defined by St. John’s Human Resources department.
St. John’s establishes its information security policies, standards, and procedures in conformance with applicable regulations and laws. All St. John’s departments, units or groups review and provide an assessment of the security posture of St. John’s environment. Maintaining an effective information security program depends on uniform and conscientious compliance with these regulations and laws, which is mandatory. All faculty and staff cooperate with, help facilitate, and support the compliance processes.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that process, transmit or store payment card information from the following card brands:
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC).
St. John’s implements a formal security awareness program to ensure that all personnel are aware of the security measures necessary to protect cardholder data. All personnel are educated upon hire and at least annually on protecting cardholder data.
Third-party service providers that provide services within the scope of PCI DSS requirements are monitored for PCI DSS compliance status at least annually. A review of which PCI DSS requirements are managed by each service provider, and which are managed by St. John’s, is performed at least annually.
For any incident affecting the cardholder data environment, St. John’s maintains an incident response plan to respond immediately to system/service failures and potential security breaches. Incident response plans are reviewed and tested at least annually. A designated individual is available 24/7 to monitor and respond to alerts.
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, with its Safeguards Rule taking effect on May 23, 2003, addresses the safeguarding and confidentiality of customer information held by financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply.
GLBA and other emerging legislation could result in standards of care for information security across all areas of data management practices both electronic and physical (employee, student, customer, alumni, donor, etc.). Therefore, St. John’s has adopted an Information Security Program for certain highly critical and private financial and related information. This Security Program applies to customer financial information (covered data) St. John’s receives during business as required by GLBA as well as other confidential financial information St. John’s has voluntarily chosen as a matter of policy to include within its scope. Details are in St. John’s University GLBA Compliance Program.
The General Data Protection Regulation (GDPR) took effect on May 25, 2018 to protect, and require the secure handling of, the personal data of individuals in the EU.
In compliance with the GDPR, St. John’s: