NSU's Information Security Policy

Purpose:

By information security we mean protection of the University's data, applications, networks, and computer systems from unauthorized access, alteration, or destruction.

The purpose of the information security policy is:

  • To establish a University-wide approach to information security.
  • To prescribe mechanisms that help identify and prevent the compromise of information security and the misuse of University data, applications, networks and computer systems.
  • To define mechanisms that protect the reputation of the University and allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to worldwide networks.
  • To prescribe an effective mechanism for responding to external complaints and queries about real or perceived non-compliance with this policy.

Responsibility:

The director of the Computing and Telecommunications Department (C&T) is responsible for implementing the policy and must see to it that:

  • The information security policy is updated on a regular basis and published as appropriate.
  • Appropriate training is provided to data owners, data custodians, network and system administrators, and users.
  • Qualified personnel are appointed to be responsible for security implementation, incident response, periodic user access reviews, and education of information security policies including, for example, information about virus infection risks.

General Policy: 

Required Policies

The University will use a layered approach of overlapping controls, monitoring and authentication to ensure overall security of the University's data, network and system resources.

Security reviews of servers, firewalls, routers and monitoring platforms must be conducted on a regular basis. These reviews must include monitoring access logs and results of intrusion detection software, where it has been installed.

Recommended Practices

  • Vulnerability and risk assessment tests of external network connections should be conducted on a regular basis. At a minimum, testing should be performed annually, but the sensitivity of the information secured may require that these tests be done more often.
  • Education should be implemented to ensure that users understand data sensitivity issues, levels of confidentiality, and the mechanisms to protect the data. This should be tailored to the role of the individual, network administrator, system administrator, data custodian, and users.
  • Violation of the Information Security Policy may result in disciplinary actions up to termination, separation.

Data Classification Policy:

It is essential that all University data be protected. There are, however, gradations that require different levels of security. All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance. We have specified three classes below:

High Risk - Information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure. Data covered by federal and state legislation, such as FERPA, HIPAA or the Data Protection Act, are in this class. Payroll, personnel, and financial information are also in this class because of privacy requirements. This policy recognizes that other data may need to be treated as high risk because it would cause severe damage to the University if disclosed or modified. The data owner should make this determination. It is the data owner's responsibility to implement the necessary security requirements.

Confidential - Data that would not expose the University to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. It is the data owner's responsibility to implement the necessary security requirements.

Public - Information that may be freely disseminated.  All information resources should be categorized and protected according to the requirements set for each classification. The data classification and its corresponding level of protection should be consistent when the data is replicated and as it flows through the University.

  • Data owners must determine the data classification and must ensure that the data custodian is protecting the data in a manner appropriate to its classification.
  • No University-owned system or network subnet can have a connection to the Internet without the means to protect the information on those systems consistent with its confidentiality classification.
  • Data custodians are responsible for creating data repositories and data transfer procedures which protect data in the manner appropriate to its classification.
  • High risk data must be encrypted during transmission over insecure channels.
  • Confidential data should be encrypted during transmission over insecure channels.
  • All high risk data should be backed up, and the backups tested periodically, as part of a documented, regular process (except servers maintained by the college of Optometry)
  • Backups of data must be handled with the same security precautions as the data itself. When systems are disposed of, or repurposed, data must be certified deleted or disks destroyed consistent with industry best practices for the security level of the data.
  • All servers must be housed in the C&T’s machine room.

Data Access Control Policy:

  • Data must have sufficient granularity to allow the appropriate authorized access. There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. This balance should be recognized.
  • Access to the network and servers and systems should be achieved by individual and unique logins, and should require authentication.
  • Users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents. All users must secure their username or account, password, and system access from unauthorized use.
  • All users of systems that contain high risk or confidential data must have a strong password. Empowered accounts, such as administrator, root or supervisor accounts must be changed frequently.
  • Passwords must not be placed in emails unless they have been encrypted.
  • Minimum password should be six characters or more and must contain letters and numbers.
  • Default passwords on all systems must be changed after installation. All administrator or root accounts must be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.
  • Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secure.
  • Terminated employee access must be reviewed and adjusted as found necessary. Terminated employees should have their accounts disabled upon transfer or termination. Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted.
  • Transferred employee access must be reviewed and adjusted as found necessary.
  • Monitoring must be implemented on all systems including recording logon attempts and failures, successful logons and date and time of logon and logoff.
  • Activities performed as administrator or superuser must be logged where it is feasible to do so.
  • Personnel who have administrative system access should use other less powerful accounts for performing non-administrative tasks. There should be a documented procedure for reviewing system logs.

Virus Prevention Policy:

  • The willful introduction of computer viruses or disruptive/destructive programs into the University environment is prohibited, and violators may be subject to prosecution.
  • All desktop systems that connect to the network must be protected with an approved, licensed anti-virus software product.
  • All servers and workstations that connect to the network and that are vulnerable to virus or worm attack must be protected with an approved, licensed anti-virus software product that it is installed and updated by C&T employees.
  • Virus scanning logs must be maintained whenever email is centrally scanned for viruses.

Intrusion Detection Policy:

  • Intrusion detection must be implemented between University’s network and the Internet.
  • Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems must be enabled.
  • Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected.

Internet Security Policy

  • All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the data is classified high risk and confidential.

System Security Policy

  • All systems connected to the Internet should have a vendor supported version of the operating system installed.
  • All systems connected to the Internet must be current with security patches.
  • System integrity checks of host and server systems housing high risk University data should be performed.

NetNotes Home Page
Frequently Asked Questions
The Latest NET Happenings
Campus Wide Email Groups
NetNotes Historical Data
Do It Yourself - Self Help Tutorials
The Web or NetNotes
Service Interruptions
Online Forms
Fun N Useful Stuff
I Need Assistance NOW!