Policy 901 - Information Security Policy

Section: Information Technology
Policy Number: 901
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20; 5/23/22

Policy Statement

St. John’s University (St. John’s) publishes and maintains a formal information security policy that clearly establishes management commitment to information security and sets out the University’s approach to managing information security within the University Information Technology (IT) enterprise.

St. John’s policy reflects the University’s commitment to safeguarding its critical information in alignment with the University’s mission. St. John’s recognizes that individuals’ roles and responsibilities are crucial in securing the confidentiality, integrity, and availability of information assets.

Scope and Applicability

This policy applies to the St. John’s University community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of the University’s information assets, and protects the interests of the University, its customers, personnel, and business partners.

Policy

The St. John’s University Information Security Policy defines the role of information security in supporting the mission of the University, while fostering an environment to protect the University community from all internal, external, deliberate, or accidental information security threats that may compromise the confidentiality, availability, privacy, and integrity of all information assets. 

The University’s Information Security Policy ensures the following:

  • Establishment of acceptable uses of computing resources at St. John’s – see 902 Acceptable Use Policy.
  • Protection of information against unauthorized access – see 903 Access Control Policy for more information.
  • Managing risks from user authentication and access to St. John’s information assets – see 904 Identification and Authentication Policy for more information.
  • Availability of information for business processes is maintained – see 905 Business Continuity Policy for more information.
  • Development, maintenance, and testing of contingency plans in place – see 905 Business Continuity Policy for more information.
  • Implementation of a secure use of electronic messaging – see 906 Email Policy for more information.
  • Protection of internal and external exchange of information – see 927 Network Security Policy for more information.
  • Ensuring that legislative and regulatory requirements are met – see 907 Compliance Management Policy for more information.
  • Appropriate training and controls for individuals who have access to University information – see 908 Personnel Security Policy for more information.
  • Appropriate procedures for acquiring, registering, installing, and developing Applications/Software within St. John’s – see 909 Application Development Security Policy for more information.
  • Protection of St. John’s information assets during remote working/access arrangements with employees and/or third-party vendors – see 910 Remote Access Policy for more information.
  • Security controls for mobile devices used within St. John’s – see 911 Bring Your Own Device (BYOD) Policy for more information.
  • Establishment of a set of rules to enhance security best practices of passwords – see 912 Password Policy for more information.
  • Ensuring the confidentiality of information and maintaining its integrity – see 913 Cryptography Policy for more information.
  • A formal change control process – see 914 Change Management Policy for more information.
  • Securing St. John’s network from malicious codes that damage the University’s information assets – see 915 Malicious Code Policy for more information.
  • Mitigating and managing risks associated with third-party vendors – see 916 Third Party Services Policy for more information.
  • Implementation of physical and environmental security controls to secure St. John’s sensitive information – see 917 Physical and Environmental Security Policy for more information.
  • Risk assessment and management to identify threats and vulnerabilities and mitigate the impact – see 918 IT Risk Assessment and Management Policy for more information.
  • All actual and suspected information security breaches are reported and properly investigated – see 919 Information and Cyber-Security Incident Response Policy for more information.
  • Protection of all St. John’s assets according to their value and sensitivity – see 920 Asset Management Policy for more information.
  • Information security training, awareness and education are available to all employees – see 921 Security Awareness & Training Policy for more information.
  • Identification of sensitive information, and monitoring and placement of security measures for St. John’s assets – see 922 Information Classification Policy for more information.
  • Establishment of mandatory requirements for the installation, configuration and implementation of information technology systems throughout St. John’s – see 923 Configuration Management Policy for more information.
  • Monitoring and logging of all system events to protect information assets from suspicious incidents – see 928 Audit Logging & Reporting Policy for more information.
  • Retention and disposal plan of St. John’s information assets – see 925 Record Retention and Data Disposal Policy for more information.
  • End user computing protection – see 926 End User Computing Policy for more information.
  • Rules for network protection and maintenance of St. John’s IT infrastructure – see 927 Network Security Policy for more information.
  • Safeguarding St. John’s against vulnerabilities with periodic vulnerability scans, penetration tests, patches, and updates – see 928 Vulnerability and Patch Management Policy for more information.

Roles & Responsibilities

All Members of the Campus Community

  • All campus members, including contractors and guests, are expected to comply with all federal, state, and local laws pertaining to the protection of confidential information, as well as campus policies meant to protect the security of information systems.
  • In general, the responsibility of every campus user includes being aware of and practicing safe computing habits.
  • Use information resources only for authorized purposes, in accordance with 902 Acceptable Use Policy and Standards.
  • Report situations that could cause a potential security incident to the service desk.
  • Pay attention to unexplained system behavior and unsolicited requests for information.
  • Watch for inappropriate conduct from all employees and visitors.
  • All campus members, including contractors and guests, are expected to comply with the specified information security procedures.

Department of Information Technology and Information Security Governance Subcommittee

  • All Information Technology personnel are expected to comply with all responsibilities of campus users.
  • Provide clear direction, review, and approval of the Information Security Policy and Standards.
  • Ensure that the Information Security Policy and Standards meet an acceptable level of business risk at St. John’s.
  • Provide and publicly demonstrate support for and commitment to the Information Security program.
  • Be accountable to the executive management, organizational stakeholders, and customers for effective business operation by providing the appropriate protection to the information and information resources.
  • Invoke more stringent information security controls where appropriate.
  • Limit access privileges for all employees to those necessary for their job function.
  • Modify all employees’ access privileges when their role changes.
  • Manage the user account and authentication management processes.

Information Security Office

  • Provide leadership in developing, reviewing, and recommending direction for the Information Security Policy and Standards.
  • Provide recommendations to the Chief Information Officer for setting the overall strategic and operational direction of St. John’s information security program and its implementation strategies.
  • Ensure maintenance of the Information Security Policy and Standards.
  • Establish standards for assessing compliance with the Information Security Policy and Standards.
  • Serve as the central point of contact for all information security issues.
  • Ensure resources are made available from the functional business areas for completing security tasks.
  • Monitor and analyze security alerts and distribute information to appropriate information security and business unit management personnel.
  • Create and distribute security incident response and escalation procedures.

Office of Human Resources

  • Play a key role in an information security program through involvement in staff hiring and termination, policies and procedures, organizational policy management, and administering staff training and development.
  • Assist with the implementation, communication, and enforcement of the Information Security Policy.
  • Assist with the administration of an ongoing information security awareness, training, and education program required for all employees.
  • Help maintain accurate and effective user account information by working with departments on notification procedures when there is a change to an employee’s employment status.
  • Communicate the Information Security Policy and Standards to employees and assist them in understanding how they relate to their everyday job functions.
  • Ensure that transferring or terminating employees are processed according to the Human Resources Policy Manual.

Definitions

The following are the definitions relevant to the policy:

  • Policy: This is a broad statement of principles that presents management’s position for each defined control area. Policies are mandatory and interpreted and supported by standards, guidelines, and procedures. Policies are intended to be long-term and guide the development of rules to address specific situations.

  • Standard: This is an enterprise-wide, mandatory directive that specifies a particular course of action. Standards support the Information Security Policy and outline a minimum baseline for policy compliance.

  • Guideline: This is an enterprise-wide recommended course of action. While not mandatory, it is highly encouraged that guidelines be reviewed for applicability to particular environments and implemented as appropriate for the business environment. Guidelines support the Information Security Policy and security standards.

  • Computing Resources: All St. John’s information processing resources, including all St. John’s owned, licensed, or managed computing services, hardware, software, and use of St. John’s network via physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

  • Institutional Data: All data owned or licensed by St. John’s.

  • University community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users.

  • Payment Card Industry (PCI) Data Security Standards (DSS): PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing, and transmitting credit/debit card data. The DSS were developed and are maintained by the PCI Security Standards Council (SSC).

  • Payment Card Industry Security Standards Council (PCI SSC): The governing organization and open forum responsible for development, management, training/education, and awareness of the PCI Security Standards.

  • General Data Protection Regulation (GDPR): This is a regulation by which the European Parliament, the European Council, and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR took effect on May 25, 2018, and it replaced the data protection directive (officially Directive 95/46/EC) from 1995. 

  • Gramm-Leach-Bliley Act (GLBA): This is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections:

    • The Financial Privacy Rule, which regulates the collection and disclosure of private financial information.

    • The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information.

    • The Pretexting provisions, which prohibit the practice of pretexting (i.e., accessing private information using false pretenses).

Information Security Office

Maintaining Information Security Policy for All Personnel

St. John’s establishes, publishes, maintains, and disseminates this security policy to all relevant personnel (including vendors and business partners). The policy is reviewed at least annually, and changes/updates are made when St. John’s environment changes.

St. John’s ensures that an annual risk-assessment process is performed to

  • Identify critical assets, threats, and vulnerabilities.
  • Document a formal analysis of risk.

Acceptable Use policies for critical technologies throughout the University are implemented and proper use of the technologies is defined.

The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance are presented to, reviewed, and approved by the Chief Information Officer (CIO), the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, are reported to and investigated by the CIO and the Information Security Director.

Those who violate security policies, standards, or security procedures are subject to disciplinary action, up to and including loss of computer access, as defined by the University’s Office of Human Resources.

Regulatory Compliance

St. John’s establishes its information security policies, standards, and procedures in conformance with applicable regulations and laws. All University departments, units, and groups review and provide an assessment of the security posture of St. John’s environment. To maintain an effective information security program, uniform and conscientious compliance with these regulations and laws is mandatory. All faculty, administrators, and staff cooperate with, facilitate, and support the compliance processes.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard is an information security standard for organizations that process, transmit, or store payment card information from the following card brands:

  • Visa
  • Mastercard
  • American Express
  • JCB
  • Discover Network

The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC).

St. John’s implements a formal security awareness program to ensure that all personnel are aware of the security measures necessary for cardholder data. All personnel are educated upon hire, and at least annually, for protecting cardholder data.

Third-party service providers that provide services under the remit of PCI DSS requirements are monitored for PCI DSS compliance status at least annually. A review of which PCI DSS requirements are managed by each service provider, and which are managed by the University, is performed at least annually.

For any incident affecting the cardholder data environment, St. John’s implements an incident response plan to respond immediately to system/service failures and potential security breaches. Incident response plans are reviewed and tested at least annually. A designated individual is available 24/7 to monitor and respond to alerts.

In accordance with PCI DSS, the requirements detailed in Requirement 12 of the standard will be adopted by St. John’s. These will be reviewed on an annual basis and when any change to the environment is made which affects the Cardholder Data Environment (CDE). For details of what is included within the CDE, please see the organization’s Network Diagram.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), which became effective on May 23, 2003, addresses the safeguarding and confidentiality of customer information held in the possession of financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply.

GLBA and other emerging legislation could result in standards of care for information security across all areas of data management practices both electronic and physical (e.g., employee, student, customer, alumni, donor, etc.). Therefore, the University has adopted an Information Security Program for certain highly critical and private financial and related information. This security program applies to customer financial information (covered data) the University receives during business as required by GLBA, as well as other confidential financial information the University has voluntarily chosen as a matter of policy to include within its scope. Details are in St. John’s University GLBA Compliance Program.

General Data Protection Regulation (GDPR)

The GDPR took effect on May 25, 2018, to protect and securely handle EU residents’ personal data.

In compliance with the GDPR, St. John’s

  • Processes personal data fairly, lawfully, and in a transparent manner.
  • Obtains personal data only for one or more specified and lawful purposes, and ensures that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
  • Ensures that personal data is adequate, relevant, and not excessive for the purpose or purposes for which it is held.
  • Ensures that personal data is accurate and, where necessary, kept up to date.
  • Ensures that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
  • Ensures that personal data is kept secure.
  • Ensures that personal data is not transferred to a country outside the European Economic Area, unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.
  • Provides a means for individuals to request access to their information, to exercise the right to be forgotten/erasure (such right may not be absolute), and to exercise the right to rectification (with evidence supporting data inaccuracy).

Related Policies, Standards or Regulations