Enterprise Information Security Program Plan
PART 1: OVERVIEW AND SECURITY PROGRAM OBJECTIVES
The University of Iowa’s program for information security is a combination of policy, security architecture modeling, and descriptions of current IT security services and control practices. When integrated, the overall program describes administrative, operational, and technical security safeguards that must be implemented for/in information systems involved in the processing and storage of sensitive or private information.
The Security Program provides business value by enabling the delivery of applications to more individuals, in a more timely manner, with data integrity preserved. Appropriate information security is crucial to this environment in order to manage the risks inherent in a distributed, open computing environment.
The practice of “Defense in Depth” is utilized at the University of Iowa, providing several different layers of protection, each working to contribute to the overall protection of information assets:
- Information integrity and access controls
- Application logic, error checking, and data validation controls
- Server and client based logical and physical protections
- Internal and perimeter network level protections
- Employee policy, practices, and procedures
Business Owners, along with the University Information Security and Policy Office, are responsible for taking appropriate steps to assess internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of institutional data. Risks in a large and diversified computing environment may include, but are not limited to:
- Unauthorized access to sensitive or confidential institutional information
- Compromised computer system(s) integrity as a result of access by an intruder
- Interception of data traversing network(s)
- Physical loss of data center, infrastructure, facilities, or computer equipment
- Errors or other corruption introduced into computer systems or applications
- Inadequate system administration support practices
- Loss of system availability
Responsibility for managing the University Information Security Program is described in the Roles and Responsibilities for Information Security Policy (2). This program description will be reviewed, and updated as necessary, on an annual basis by the University Chief Information Security Officer. The revisions and reviews of this program will be recorded in the table included as Appendix A. In addition, documentation supporting the University’s compliance with regulatory controls, as appropriate, will be maintained by the Information Security and Policy Office. This may include audit reports, assessment reports, and other documents that are prepared.
PART 2: SECURITY PROGRAM CONTROL AREAS
Risk Assessment and Planning
Risk assessments are performed on critical information technology assets of the University of Iowa on a regular basis, both by the University of Iowa Internal Audit department and by the Office of the State Auditor. Feedback includes a comprehensive report of actionable risk mitigation and remediation recommendations.
The Information Security and Policy Office also performs technical risk assessments and/or penetration tests for management and business owners upon request; these are conducted and their results maintained in a strictly confidential manner. In addition, a formalized process is available for approving IT security plans for research prior to contract agreements, grants, and other relationships or collaborations with the University of Iowa; this process includes a security risk assessment phase.
The Information Security and Policy Office, in conjunction with the Information Security Risk and Policy Governance Committee, will in addition facilitate an entity-wide security risk assessment whenever significant changes to the computing environment are implemented, and at a minimum once every five years.
Security must be a consideration from the very beginning of any project at the University rather than something that is added later. The Information Security and Policy Office is a resource available to assist with this effort throughout the planning phase of a project. In addition, a control review should be performed before implementation of computer systems which house or handle confidential institutional information. This may include a:
- technical security evaluation to ensure appropriate safeguards are in place and operational
- risk assessment, including a review for regulatory, legal, and policy compliance
- contingency plan, including the data recovery strategy
- review of on-going production procedures, including change controls and integrity checks
- penetration test to evaluate and ensure controls operate as expected
The University Network Vulnerability Scanning and Penetration Testing Policy describes the types of network based assessments conducted by the Information Security and Policy Office to determine the effectiveness of controls and management of systems connected to the University data network.
All IT policy, under the review and approval of the University Chief Information Officer, is included in the University Operations Manual via the Acceptable Use of Information Technology Resources Policy (5), which describes the expectations for all members of the user community for appropriate use of technology, protection of privacy, and protection of academic freedoms. The University of Iowa has developed a process for development, review, and approval of IT policy, which is documented at http://itsecurity.uiowa.edu/university-it-policy/enterprise-it-policy-development-and-approval-process.
The University provides an annual campus e-mail notification to all members of the University community describing a selection of important IT policies. The notification also directs them to the IT policy repository as an additional educational measure, and includes key aspects of policy in the computer based security awareness program offered to campus personnel.
Organization of Information Security
The Roles and Responsibilities for Information Security Policy (2) describes the overall organization at the University of Iowa. In addition, the information security architecture model below describes the local and enterprise level services, technologies, responsibilities, and techniques in use.
All Information Technology Services personnel are required to sign a data confidentiality agreement at hire time, and annually thereafter via the Employee Self-Service web application. The statement is available at itconfidentialitystatement.pdf.
The Information Security Framework Policy (1), the Institutional Data Access Policy (3), data handling procedures, and the Roles and Responsibilities Policy (2) describe individual responsibilities for managing and inventorying our physical and logical assets.
A tool is available to assist business owners of institutional data to appropriately classify the sensitivity of their information. These guidelines are available at http://itsecurity.uiowa.edu/resources/everyone/institutional-data-classification-guidelines. Once a set of institutional data is classified, appropriate protections can be applied.
In addition, University Administration has developed a policy regarding the use and protection of Social Security numbers (14), which are regarded as highly sensitive data.
The University of Iowa has implemented a policy and program to perform Credential and Criminal Background checks (4) at point of hire when filling all security-sensitive positions. The policy includes the necessary consent documents and procedures.
A computer-based, self-enrolled Computer Security Awareness Program is available to all University employees through the Employee Self-Service Portal (https://hris.uiowa.edu) “My Training” resources.
A marketing campaign is conducted periodically to raise awareness of its availability, along with other directed reminders. In addition, security seminars are offered to campus IT staffs, as well as a “Security Day” training event. Poster and postcard campaigns are also used, with prominent links to the main IT Security website http://itsecurity.uiowa.edu.
Specialized training is also offered for privacy issues related to standards and regulations such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS).
The University Human Resources department maintains information related to the employee exit process (terminations and transfers), including policy and forms, at the following location: http://hr.uiowa.edu/hr-unit-reps/employee-exit-process.
Automated provisioning and de-provisioning guidelines for University community members are available at http://its.uiowa.edu/statuschanges.
Physical Security Measures
The University Information Security Framework Policy (1) has a section under Information Access that describes physical security requirements. In addition, requirements for preventive measures, emergency operations, and mobile devices are outlined.
The Computer Data and Media Disposal Policy (7) describes the requirements for physical security of equipment and data when it leaves owner control. Best practices for the secure removal of data are at http://itsecurity.uiowa.edu/computerequipmentdisposal, and the Security Office offers a training program for IT staffs involved with transfers or disposals of equipment.
The Backup and Recovery Policy (6) describes requirements for backups, including off-site storage of media.
Communication and Operations Management
The Information Security Framework Policy (1) includes a section on information integrity controls which covers requirements for segregation of critical functions, maintenance of system and application software, change management procedures for applications, and anti-malware controls. In addition, automated operations and contractor access are outlined, as well as auditing and logging requirements and communications security requirements.
The Institutional Data Access Policy (3) describes data handling controls for the various sensitivity levels of data, the Backup and Recovery Policy (6) outlines requirements for backups, and the Computer Data and Media Disposal Policy (7) describes requirements for secure disposal of information. The University Records Management Program at http://fmb.fo.uiowa.edu/records-management has information regarding the retention of university records.
The Information Security Framework Policy (1) outlines requirements for information access in the electronic access control section. In addition, the standard format for Login Identifiers (user names) is described in the Enterprise Login ID standard (10), and the policy requirements for authentication are in the Password Policy (9). The UI policy describing the classification scheme for institutional data, and the data handling controls required for each level of data, is the Institutional Data Access Policy (3). Requirements for systems attached to the University data network are described in the Network Citizenship Policy (11).
The University provides a Virtual Private Network (VPN) service for secure off-site access to university resources, which is described at http://its.uiowa.edu/vpn.
Systems Development and Maintenance
Information Integrity Controls are described in the Information Security Framework Policy (1) and include separation of duties and functions, emergency access procedures, system and application management processes, and software development change management procedures. Information regarding encryption is also described, with additional resources and assistance available at the Encryption Support Center, http://its.uiowa.edu/encryption.
Disaster Recovery and Business Continuity Management
An enterprise level disaster recovery plan overview has been developed and is available at enterprise-it-disaster-plan.pdf. This resource includes a methodology for developing unit-level disaster plans to complement the university plan. A sample set of planning form templates is available for units at drbc-planner.xlsx.
Preparing for emergency operations and business continuity is also described in the Information Security Framework Policy (1). The University of Iowa also maintains a Critical Incident Management Plan at http://opsmanual.uiowa.edu/administrative-financial-and-facilities-policies/critical-incident-management-plan.
Information Security Incident Response
The University of Iowa has an incident response capability which is documented at the IT Security website http://itsecurity.uiowa.edu/incidents/, along with a policy describing Security Incident Escalation Procedures (12) for security incident resolution. The University’s policy regarding Computer Security Breach Notification (13) is also available. The Information Security and Policy Office has analysts available via our on-call process to assist with security incident response, forensic analysis, and e-discovery requests, and to aid in controlling liability to the university in the event of a breach.
A university-wide Iowa Computer Security Incident Response Team (I-CSIRT) program is described at http://itsecurity.uiowa.edu/i-csirt and is utilized in the event of a significant IT incident requiring campus-wide coordination and response.
The Information Security and Policy Office provides continuous monitoring of the university data network for malicious activity, and reports problems as they arise to department network/security contacts (NSCs) within each unit, who are liaisons to the Information Security and Policy Office for security and networking issues. The NSC program is described at http://itsecurity.uiowa.edu/incidents/know-your-responsibilities-nsc. In addition, the Information Security and Policy Office allows system owners to individually provide contact information to be used in the event of problems, as described at http://itsecurity.uiowa.edu/usr/. A scanning service is also maintained to assist with the determination of vulnerabilities in systems and applications.
The following regulations pertain to information security and privacy and apply to all or part of the University’s electronic information:
- Family Educational Rights and Privacy Act (FERPA) http://registrar.uiowa.edu/ferpa
- Health Insurance Portability & Accountability Act (HIPAA) http://itsecurity.uiowa.edu/university-it-policy/hipaa
- Gramm Leach Bliley Act (GLBA) http://counsel.cua.edu//fedlaw/glb.cfm
- Payment Card Industry Data Security Standard (PCI-DSS) https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml ; UI Policy on Credit Cards (8)
- Federal Information Security Management Act (FISMA) http://csrc.nist.gov/groups/SMA/fisma/overview.html
- Iowa Personal Information Security Breach Notification (Iowa Code, Title XVI, Chapter 715C)
The Information Security and Policy Office assists all University units and areas with assessments and testing methods to ensure compliance with all applicable privacy and security regulations.
PART 3: INFORMATION TECHNOLOGY POLICY - http://itsecurity.uiowa.edu/university-it-policy
- Information Security Framework http://itsecurity.uiowa.edu/policy-information-security-framework
- Roles and Responsibilities for Information Security http://itsecurity.uiowa.edu/policy-roles-and-responsibilities
- Institutional Data Access Policy http://itsecurity.uiowa.edu/policy-institutionaldataaccess
- Criminal Background and Credential Checks Policy http://opsmanual.uiowa.edu/human-resources/hiring-and-appointments/criminal-background-check-point-hire
- Acceptable Use of Information Technology Resources Policy http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources
- Backup and Recovery Policy http://itsecurity.uiowa.edu/policy-backup-recovery
- Computer Data and Media Disposal Policy http://itsecurity.uiowa.edu/computerequipmentdisposal
- Credit Card Policy http://treasury.fo.uiowa.edu/policies-and-procedures
- Password Policy http://itsecurity.uiowa.edu/enterprise-password
- Login ID policy http://itsecurity.uiowa.edu/enterprise-login-id-standard
- Network Citizenship Policy http://itsecurity.uiowa.edu/networkcitizenship
- Security Incident Escalation Policy http://itsecurity.uiowa.edu/it-security-incident-escalation
- Security Breach Notification Policy http://itsecurity.uiowa.edu/computer-security-breach-notification-policy
- SSN policy http://opsmanual.uiowa.edu/community-policies/social-security-numbers
- Network Vulnerability Scanning and Penetration Testing policy http://itsecurity.uiowa.edu/scan-pen-test
Appendix A – Security Program Review and Change Log
Security Program Revisions:
| Action | Date |
|---|---|
| Developed | May 2003 |
| Revised | December 2004 |
| Revised | November 2006 |
| Revised | March 2009 |
| Revised | April 2010 |
| Revised | October 2010 |
| Revised | April 2013 |
| Reviewed | August 2014 |
| Revised | March 2016 |