Information Security Policy

POLICY: INFORMATION SECURITY POLICY
EFFECTIVE: 03‐2016

New York Six Liberal Arts Consortium
Colgate University, Hamilton College, Hobart & William Smith Colleges
St. Lawrence University, Skidmore College, Union College

CONTENTS

1.0 Introduction
2.0 Purpose
3.0 Scope
4.0 Implementation
5.0 Roles and Responsibilities
6.0 Information and System Classification
7.0 Provisions for Information Security Standards
    7.1 Access Control (AC)
    7.2 Awareness and Training (AT)
    7.3 Audit and Accountability (AU)
    7.4 Assessment and Authorization (CA)
    7.5 Configuration Management (CM)
    7.6 Contingency Planning (CP)
    7.7 Identification and Authentication (IA)
    7.8 Incident Response (IR)
    7.9 Maintenance (MA)
    7.10 Media Protection (MP)
    7.11 Physical and Environmental Protection (PE)
    7.12 Planning (PL)
    7.13 Personnel Security (PS)
    7.14 Risk Assessment (RA)
    7.15 System and Services Acquisition (SA)
    7.16 System and Communications Protection (SC)
    7.17 System and Information Integrity (SI)
    7.18 Program management (PM)
8.0 Enforcement
9.0 Privacy
10.0 Exceptions
11.0 Disclaimer
12.0 References
13.0 Related Policies
14.0 Policy Authority
15.0 Revision History
16.0 Approvals

1.0 INTRODUCTION

The purpose of this Policy is to assist the University in its efforts to fulfill its responsibilities relating to the protection of information assets, and comply with regulatory and contractual requirements involving information security and privacy. This Policy framework consists of eighteen (18) separate Policy statements, with supporting Standards documents, based on guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800‐53.

Although no set of policies can address every possible scenario, this framework, taken as a whole, provides a comprehensive governance structure that addresses key controls in all known areas needed to provide for the confidentiality, integrity and availability of the institution’s information assets. This framework also provides administrators guidance necessary for making prioritized decisions, as well as justification for implementing organizational change.

2.0 PURPOSE

The purpose of this Information Security Policy is to clearly establish the University’s role in protecting its information assets, and communicate minimum expectations for meeting these requirements. Fulfilling these objectives enables St. Lawrence University to implement a comprehensive system‐wide Information Security Program (See “New York Six Information System Management System (ISMS) guidelines” document).

3.0 SCOPE

The scope of this policy includes all information assets governed by the University.
All personnel and service providers who have access to or utilize information assets of the Institution, including data at rest, in transit or in process, shall be subject to these requirements. This Policy applies to all information assets operated by the University; all information assets provided by the University through contracts, subject to the provisions and restrictions of the contracts; and all authenticated users of St. Lawrence University information assets.

All third parties with access to the Institutions’ non‐public information must operate in accordance with a service provider contract containing security provisions consistent with the requirements promulgated under, but not limited to, the Gramm‐Leach‐Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), New York State Information Security Breach and Notification Act, and the Payment Card Industry Data Security Standard (PCI‐DSS).

4.0 IMPLEMENTATION

St. Lawrence University needs to protect the availability, integrity and confidentiality of data while providing information resources to fulfill our academic mission. The Information Security Program must be risk‐based. Implementation decisions must be made based on addressing the highest risk first.

The University’s administration recognizes that fully implementing all controls within the NIST Standards is not possible due to organizational limitations and resource constraints. Administration must implement the NIST standards whenever possible, and document exceptions in situations where doing so is not practicable.

5.0 ROLES AND RESPONSIBILITIES

The university has identified the following roles and responsibilities:

1) University President: The President is accountable for the implementation of the Information Security Program including:
   a) Security Policies, Standards, and procedures
   b) Security Compliance including managerial, administrative and technical controls.
   The President is to be informed
