Policy 901 - Information Security Policy

Section: Information Technology
Policy Number: 901
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

St. John’s University (St. John’s) publishes and maintains a formal information security policy that clearly establishes management commitment to information security and sets out the University’s approach to managing information security within the University IT enterprise.

St. John’s is committed to safeguarding its critical information in alignment with the University’s mission. St. John’s recognizes that the roles and responsibilities of individuals are crucial to securing the confidentiality, integrity and availability of information assets.

Scope and Applicability

This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interests of the University, its customers, personnel and business partners.

Policy

The St. John’s University Information Security Policy defines the role of information security in supporting the mission of the University, and fosters an environment that protects the University community from internal and external, deliberate or accidental, information security threats that may compromise the confidentiality, availability, privacy and integrity of information assets.

The University’s Information Security Policy provides for:

  • Establishment of acceptable uses of computing resources at St. John’s – see 902 Acceptable Use Policy for more information.
     
  • Protection of information against unauthorized access – see 903 Access Control Policy for more information.
     
  • Management of risks arising from user authentication and access to St. John’s information assets – see 904 Identification and Authentication Policy for more information.
     
  • Maintenance of the availability of information for business processes – see 906 Business Continuity Policy for more information.
     
  • Development, maintenance and testing of contingency plans – see 906 Business Continuity Policy for more information.
     
  • Secure use of electronic messaging – see 907 Email Policy for more information.
     
  • Protection of internal and external exchanges of information – see 910 Communications Management and Data Exchange Policy for more information.
     
  • Fulfilment of legislative and regulatory requirements – see 911 Compliance Management Policy for more information.
     
  • Appropriate training and controls for individuals who have access to University information – see 912 Personnel Security Policy for more information.
     
  • Appropriate procedures for acquiring, registering, installing and developing applications and software within St. John’s – see 913 Application Development Security Policy for more information.
     
  • Protection of St. John’s information assets during remote working and remote access arrangements with employees and/or third-party vendors – see 914 Remote Access Policy for more information.
     
  • Security controls for mobile devices used within St. John’s – see 915 Bring Your Own Device Policy for more information.
     
  • Establishment of rules that enforce password best practices – see 916 Password Policy for more information.
     
  • Assurance of the confidentiality and integrity of information through cryptographic controls – see 917 Cryptography Policy for more information.
     
  • A formal change control process – see 918 Change Management Policy for more information.
     
  • Protection of the St. John’s network from malicious code that could damage the University’s information assets – see 919 Malicious Code Policy for more information.
     
  • Mitigation and management of risks associated with third-party vendors – see 920 Third Party Services Policy for more information.
     
  • Implementation of physical and environmental security controls to secure St. John’s sensitive information – see 921 Physical and Environmental Security Policy for more information.
     
  • Risk assessment and management to identify threats and vulnerabilities and mitigate their impact – see 922 Risk Assessment and Management Policy for more information.
     
  • Reporting and proper investigation of all actual and suspected information security breaches – see 923 Information and Cyber-Security Incident and Response Policy for more information.
     
  • Protection of all St. John’s assets according to their value and sensitivity – see 924 Asset Management Policy for more information.
     
  • Availability of information security training, awareness and education to all employees – see 925 Security Awareness & Training Policy for more information.
     
  • Identification of sensitive information, and the application and monitoring of security measures for St. John’s assets – see 926 Information Classification Policy for more information.
     
  • Establishment of mandatory requirements for the installation, configuration and implementation of information technology systems throughout St. John’s – see 927 Configuration Management Policy for more information.
     
  • Monitoring and logging of all system events to protect information assets and detect suspicious activity – see 928 Audit Logging & Reporting Policy for more information.
     
  • Retention and disposal planning for St. John’s information assets – see 929 Record Retention and Data Disposal Policy for more information.
     
  • End user computing protection – see 930 End User Computing Policy for more information.
     
  • Rules for network protection and maintenance of St. John’s IT infrastructure – see 931 Network Security Policy for more information.
     
  • Management of St. John’s vulnerabilities through periodic vulnerability scans, penetration tests, patches and updates – see 932 Vulnerability and Patch Management Policy for more information.

Roles & Responsibilities

All Members of the Campus Community

  • All campus members, including contractors and guests, are expected to comply with all federal, state and local laws pertaining to the protection of confidential information, as well as with campus policies meant to protect the security of information systems.
     
  • In general, every campus user is responsible for being aware of and practicing safe computing habits.
     
  • Use information resources only for authorized purposes and in accordance with 902 - Acceptable Use Policy and Standards.
     
  • Report situations that could lead to a security incident to the service desk.
     
  • Pay attention to unexplained system behavior and unsolicited requests for information.
     
  • Watch for inappropriate conduct from employees and visitors.
     
  • All campus members, including contractors and guests, are expected to comply with the specified information security procedures.

Department of Information Technology and Information Security Governance Sub Committee

  • All Information Technology personnel are expected to comply with all responsibilities of campus users.
     
  • Provide clear direction, review, and approval of the Information Security Policy and Standards.
     
  • Ensure that the Information Security Policy and Standards meet an acceptable level of business risk at St. John’s.
     
  • Provide and publicly demonstrate support for and commitment to the information security program.
     
  • Be accountable to executive management, organizational stakeholders and customers for effective business operation by providing appropriate protection to information and information resources.
     
  • Invoke more stringent information security controls where appropriate.
     
  • Limit access privileges for all employees to those necessary for their job function.
     
  • Modify all employees’ access privileges when their role changes.
     
  • Manage the user account and authentication management processes.

Information Security Office

  • Provide leadership in developing, reviewing, and recommending direction for the Information Security Policy and Standards.
     
  • Provide recommendations to the CIO for setting the overall strategic and operational direction of St. John’s information security program and its implementation strategies.
     
  • Ensure maintenance of the Information Security Policy and Standards.
     
  • Establish standards for assessing compliance with the Information Security Policy and Standards.
     
  • Serve as the central point of contact for all information security issues.
     
  • Ensure resources are made available from the functional business areas for completing security tasks.
     
  • Monitor and analyze security alerts and distribute information to appropriate information security and business unit management personnel.
     
  • Create and distribute security incident response and escalation procedures.

Human Resources

  • Play a key role in an information security program through involvement in staff hiring and termination, policies and procedures, organizational policy management, and administering staff training and development.
     
  • Assist with the implementation, communication, and enforcement of the Information Security Policy.
     
  • Assist with the administration of an ongoing information security awareness, training and education program required for all employees. 
     
  • Help maintain accurate and effective user account information by working with departments on notification procedures when there is a change to an employee’s employment status. 
     
  • Communicate the Information Security Policy and Standards to employees and assist them in understanding how they relate to their everyday job functions.
     
  • Ensure that transferring or terminating employees are processed according to the Employee Manual.

Definitions

The following are the definitions relevant to the policy:

  • Policy: A broad statement of principles that presents management’s position for each defined control area. Policies are mandatory and interpreted and supported by standards, guidelines, and procedures. Policies are intended to be long-term and guide the development of rules to address specific situations.
     
  • Standard: An enterprise-wide, mandatory directive that specifies a particular course of action. Standards support the Information Security Policy and outline a minimum baseline for policy compliance.
     
  • Guideline: An enterprise-wide recommended course of action. While not mandatory, it is highly encouraged that guidelines be reviewed for applicability to particular environments and implemented as appropriate for the business environment. Guidelines support the Information Security Policy and security standards.
     
  • Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
     
  • Institutional Data: All data owned or licensed by the University.
     
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.
     
  • Payment Card Industry (PCI) Data Security Standard (DSS): PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting credit/debit card data. The DSS was developed and is maintained by the PCI Security Standards Council (PCI SSC).
     
  • Payment Card Industry Security Standards Council (PCI SSC): the governing organization and open forum responsible for the development, management, training/education and PCI Security Standards awareness.
     
  • General Data Protection Regulation (GDPR): a regulation by which the European Parliament, the Council of the European Union and the European Commission strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. GDPR took effect on May 25, 2018, and replaced the Data Protection Directive (Directive 95/46/EC) of 1995.
     
  • Gramm-Leach-Bliley Act (GLBA): a federal law enacted in the United States to control the ways that financial institutions handle the private information of individuals. The Act’s privacy provisions consist of three parts: 
    • The Financial Privacy Rule, which regulates the collection and disclosure of private financial information; 
    • The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; 
    • The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses). 

Information Security Office

Maintaining Information Security Policy for all Personnel

St. John’s establishes, publishes, maintains and disseminates this security policy to all relevant personnel (including vendors and business partners). The policy is reviewed at least annually, and changes/updates are made when St. John’s environment changes. 

St. John’s ensures that an annual risk-assessment process is performed to:

  • Identify critical assets, threats and vulnerabilities.
  • Produce a formal, documented analysis of risk.

Acceptable Use policies for critical technologies throughout the university are implemented and proper use of the technologies is defined. 

The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance are presented to, and reviewed and approved by, the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, are reported to and investigated by the CIO and the Information Security Director. 

Those who violate security policies, standards or security procedures are subject to sanctions up to and including loss of computer access and disciplinary action as defined by the University’s Human Resources department.

Regulatory Compliance

St. John’s establishes its information security policies, standards and procedures in conformance with applicable regulations and laws. All University departments, units and groups review and assess the security posture of the St. John’s environment. Maintaining an effective information security program depends on uniform and conscientious compliance with these regulations and laws. All faculty and staff cooperate with, facilitate and support the compliance processes.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard is an information security standard for organizations that process, transmit or store payment card information from the following card brands: 

  • Visa 
  • Mastercard
  • American Express
  • JCB
  • Discover Network

The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC).

St. John’s implements a formal security awareness program to ensure that all personnel are aware of the security measures necessary to protect cardholder data. All personnel are educated upon hire and at least annually on protecting cardholder data. 

Third-party service providers that provide services within the remit of PCI DSS requirements are monitored for PCI DSS compliance status at least annually. A review of which PCI DSS requirements are managed by each service provider, and which are managed by the University, is performed at least annually. 

For incidents affecting the cardholder data environment, St. John’s maintains an incident response plan to respond immediately to system/service failures and potential security breaches. Incident response plans are reviewed and tested at least annually. A designated individual is available 24/7 to monitor and respond to alerts. 

Gramm-Leach-Bliley Act (GLBA) 

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, and its Safeguards Rule, which became effective on May 23, 2003, address the safeguarding and confidentiality of customer information held by financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply. 

GLBA and other emerging legislation may establish standards of care for information security across all areas of data management practice, both electronic and physical (employee, student, customer, alumni, donor, etc.). The University has therefore adopted an Information Security Program for certain highly critical and private financial and related information. This security program applies to the customer financial information (covered data) the University receives in the course of business, as required by GLBA, as well as to other confidential financial information the University has voluntarily chosen, as a matter of policy, to include within its scope. Details are in the St. John’s University GLBA Compliance Program.

General Data Protection Regulation (GDPR)

The GDPR took effect on May 25th, 2018 to protect and securely handle EU residents’ personal data. 

In compliance with the GDPR, St. John’s:

  • Processes personal data fairly, lawfully and in a transparent manner.
     
  • Obtains personal data only for one or more specified and lawful purposes and to ensure that such data is not processed in a manner that is incompatible with the purpose or purposes for which it was obtained.
     
  • Ensures that personal data is adequate, relevant and not excessive for the purpose or purposes for which it is held.
     
  • Ensures that personal data is accurate and, where necessary, kept up-to-date.
     
  • Ensures that personal data is not kept for any longer than is necessary for the purpose for which it was obtained.
     
  • Ensures that personal data is kept secure.
     
  • Ensures that personal data is not transferred to a country outside the European Economic Area unless the country to which it is sent ensures an adequate level of protection for the rights (in relation to the information) of the individuals to whom the personal data relates.
     
  • Provides a process for individuals to request access to their personal data, to exercise the right to erasure (the right to be forgotten, which is not absolute) and to exercise the right to rectification (with evidence supporting the inaccuracy of the data).

Related Policies, Standards or Regulations

  • Information Security Management Program
     
  • General Data Protection Regulation
     
  • Gramm-Leach-Bliley Act
     
  • Payment Card Industry Data Security Standard
     
  • STD-IS-002 Mobile Computing Standard
     
  • STD-IS-003 Teleworking Standard
     
  • 902 - Acceptable Use Policy
     
  • 903 - Access Control Policy
     
  • 904 - Identification & Authentication Policy
     
  • 905 - Business Continuity Policy
     
  • 906 - Email Policy
     
  • 907 - Compliance Management Policy
     
  • 908 - Personnel Security Policy
     
  • 909 - Application Development Security Policy
     
  • 910 - Remote Access Policy
     
  • 911 - Bring Your Own Device (BYOD) Policy
     
  • 912 - Password Policy
     
  • 913 - Cryptography Policy
     
  • 914 - Change Management Policy
     
  • 915 - Malicious Code Policy
     
  • 916 - Third Party Services Policy
     
  • 917 - Physical and Environmental Security Policy
     
  • 918 - Risk Assessment and Management Policy
     
  • 919 - Information and Cyber-Security Incident Response Policy
     
  • 920 - Asset Management Policy
     
  • 921 - Security Awareness & Training Policy
     
  • 922 - Information Classification Policy
     
  • 923 - Configuration Management Policy
     
  • 924 - Audit Logging & Reporting Policy
     
  • 925 - Record Retention and Data Disposal Policy
     
  • 926 - End User Computing Policy
     
  • 927 - Network Security Policy
     
  • 928 - Vulnerability and Patch Management Policy