Section: Information Technology
Policy Number: 901
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20; 5/23/22
St. John’s University (St. John’s) publishes and maintains a formal information security policy that clearly establishes management commitment to information security and sets out the University’s approach to managing information security within the University Information Technology (IT) enterprise.
St. John’s policy adheres to the commitment of safeguarding its critical information in alignment with the University’s mission. St. John’s is aware that individuals’ roles and responsibilities are crucial in securing the confidentiality, integrity, and availability of information assets.
This policy applies to the St. John’s University community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of the University’s information assets, and protects the interest of the University, its customers, personnel, and business partners.
The St. John’s University Information Security Policy defines the role of information security in supporting the mission of the University, while fostering an environment to protect the University community from all internal, external, deliberate, or accidental information security threats that may compromise the confidentiality, availability, privacy, and integrity of all information assets.
The University’s Information Security Policy ensures the following:
All Members of the Campus Community
Department of Information Technology and Information Security Governance Subcommittee
Information Security Office
Office of Human Resources
The following are the definitions relevant to the policy:
Policy: This is a broad statement of principles that presents management’s position for each defined control area. Policies are mandatory and interpreted and supported by standards, guidelines, and procedures. Policies are intended to be long-term and guide the development of rules to address specific situations.
Standard: This is an enterprise-wide, mandatory directive that specifies a particular course of action. Standards support the Information Security Policy and outline a minimum baseline for policy compliance.
Guideline: This is an enterprise-wide recommended course of action. While not mandatory, it is highly encouraged that guidelines be reviewed for applicability to particular environments and implemented as appropriate for the business environment. Guidelines support the Information Security Policy and security standards.
Computing Resources: All St. John’s information processing resources, including all St. John’s owned, licensed, or managed computing services, hardware, software, and use of St. John’s network via physical or wireless connection, regardless of the ownership of the computer or device connected to the network
Institutional Data: All data owned or licensed by St. John’s
University community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users
Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a standard that all organizations, including online retailers, must follow when storing, processing, or transmitting credit/debit card data. The standard was developed and is maintained by the PCI Security Standards Council (SSC)
Payment Card Industry Security Standards Council (PCI SSC): The governing organization and open forum responsible for the development, management, training/education, and awareness of the PCI Security Standards
General Data Protection Regulation (GDPR): This is a regulation adopted by the European Parliament and the Council of the European Union to strengthen and unify data protection for individuals within the European Union (EU). It also governs the export of personal data outside the EU. The primary objectives of the GDPR are to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the rules within the EU. The GDPR took effect on May 25, 2018, and replaced the Data Protection Directive (Directive 95/46/EC) of 1995.
Gramm-Leach-Bliley Act (GLBA): This is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections:
The Financial Privacy Rule, which regulates the collection and disclosure of private financial information.
The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information.
The Pretexting provisions, which prohibit the practice of pretexting (i.e., accessing private information using false pretenses).
Maintaining Information Security Policy for All Personnel
St. John’s establishes, publishes, maintains, and disseminates this security policy to all relevant personnel (including vendors and business partners). The policy is reviewed at least annually, and changes/updates are made when St. John’s environment changes.
St. John’s ensures that an annual risk-assessment process is performed to
Acceptable Use policies for critical technologies throughout the University are implemented and proper use of the technologies is defined.
The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance are presented to and reviewed by the Chief Information Officer (CIO), the Director of Information Security, or the equivalent officer(s), who approve the resulting corrective action.
All breaches of information security, actual or suspected, are reported to and investigated by the CIO and the Information Security Director.
Those who violate security policies, standards, or procedures are subject to disciplinary action, up to and including loss of computer access, as defined by the University’s Office of Human Resources.
St. John’s establishes its information security policies, standards, and procedures in conformance with applicable regulations and laws. All University departments, units, and groups review and provide an assessment of the security posture of the St. John’s environment. Maintaining an effective information security program depends on uniform and conscientious compliance with these regulations and laws, which is mandatory. All faculty, administrators, and staff cooperate with, facilitate, and support the compliance processes.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard is an information security standard for organizations that process, transmit, or store payment card information from the following card brands:
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC).
St. John’s implements a formal security awareness program to ensure that all personnel are aware of the security measures necessary for cardholder data. All personnel are educated upon hire, and at least annually, for protecting cardholder data.
Third-party service providers that deliver services within the scope of PCI DSS requirements are monitored for PCI DSS compliance status at least annually. A review of which PCI DSS requirements are managed by each service provider, and which are managed by the University, is performed at least annually.
For any incident affecting the cardholder data environment, St. John’s maintains an incident response plan for immediate response to system/service failures and potential security breaches. Incident response plans are reviewed and tested at least annually. A designated individual is available 24/7 to monitor and respond to alerts.
In accordance with PCI DSS, the requirements detailed in Requirement 12 of the standard will be adopted by St. John’s. These will be reviewed on an annual basis and when any change to the environment is made which affects the Cardholder Data Environment (CDE). For details of what is included within the CDE, please see the organization’s Network Diagram.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, with its Safeguards Rule taking effect on May 23, 2003, addresses the safeguarding and confidentiality of customer information held by financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. As a result, educational entities that engage in financial activities, such as processing student loans, are required to comply.
GLBA and other emerging legislation could establish standards of care for information security across all areas of data management practice, both electronic and physical (e.g., employee, student, customer, alumni, and donor data). Therefore, the University has adopted an Information Security Program for certain highly critical and private financial and related information. This program applies to the customer financial information (covered data) the University receives in the course of business, as required by GLBA, as well as other confidential financial information the University has voluntarily chosen, as a matter of policy, to include within its scope. Details are in the St. John’s University GLBA Compliance Program.
General Data Protection Regulation (GDPR)
The GDPR took effect on May 25, 2018, to protect and ensure the secure handling of the personal data of individuals in the EU.
In compliance with the GDPR, St. John’s