Santa Clara University

Information Security Office

Information Service Provider Security Standard

Revised


August 27, 2013

Purpose

All members of the university community share in the responsibility for protecting information resources for which they have access.  The purpose of this document is to establish minimum standards and guidelines to protect against accidental or intentional damage or loss of data, interruption of university business, or the compromise of sensitive information.

Additional Authority

  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm Leach Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI-DSS), Version 2.0
  • California SB 1386
  • Fair and Accurate Credit Transactions Act of 2003

Scope  


Applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with access to sensitive information through Santa Clara University or its affiliates.

This standard applies to all university information resources, including those used by the university under license or contract.

Responsible Party  


Chief Information Security Officer, 408-554-5554

Standards


Information Service Providers (“Service Providers”)

Service Providers are those colleges, departments, individuals and ancillary organizations who manage significant information resources and systems for the purpose of making those resources available to others. This includes Information Services, the Alumni Association, Registrar, and Financial Aid, as well as other entities that operate at a college, division, department or sub-department level.

Service Providers face more extensive information security requirements than individuals. Beyond controlling access and protecting against physical threats, they must play a more proactive role implementing and enforcing security policies, standards, and procedures; auditing access, threats, and vulnerabilities; and developing or conforming to university access, authentication, and authorization standards and practices.

Service Provider Responsibilities


Establishing information security procedures:

Service providers must establish specific information security procedures governing the information resources they manage. These procedures must meet the minimum standards set by the Information Security Office (ISO) and must be consistent with other university policies and governing statutes and regulations. Service Providers must designate personnel to maintain and assure the integrity of the information resources, systems and networks for which they are responsible, or assign this responsibility to the ISO. Any local personnel who take on these responsibilities must work closely with the ISO to achieve the objectives of this standard.
Physical security:

Computer systems (servers, desktops, portable devices, etc.), network components (switches, routers, etc.), the cable infrastructure and other facilities must be physically protected commensurate with the level of risk faced by the university should they be compromised. Power, temperature, water and fire monitoring devices should be used where appropriate. Locks, cameras and alarms must be installed in technology centers and closets to discourage and alert personnel to unauthorized access. Service Providers are responsible for ensuring that components required to conduct mission critical business are incorporated into the physical planning component of the university’s strategic plan.
Computer security:

Service Providers must take steps to protect their servers and other systems from compromise from either internal or external individuals or entities.  They must select operating systems and other software that is securable and modify default passwords and configuration options to reduce potential vulnerabilities. Service Providers must ensure that security patches are consistently updated. They must periodically verify audit and activity logs, examine performance data, check for evidence of unauthorized access, the presence of viruses, or any other indicators of integrity loss. Service Providers must cooperate with and avail themselves of any central services providing support for and/or review of these activities as well as performing more sophisticated procedures such as penetration testing and real-time intrusion detection.
Service Providers who develop, maintain, or modify key applications relating to financial data, human resources, student records, etc., must deploy adequate procedures for change control, separation of test and production environments, and separation of responsibilities for staff involved in these functions. They must proactively cooperate with the ISO to ensure that standards are respected and that adequate procedures are in place.
Network security:

Service Providers who support authorized access to university information must implement designs, standards, and procedures that protect the integrity of those services. Network security should be maintained through a combination of technologies including switched networks, strong authentication requirements, encryption and firewalls. Network access, including remote access, must be implemented using university standards for hardware, software, authentication protocols, and access controls.

Because the loss of integrity of any device or server on the network provides a platform for launching attacks on the entire network, the Information Security Office, in concert with the Information Technology Office will periodically probe the network and network servers for vulnerabilities, using software tools designed for this purpose. Service Providers are expected to participate in and cooperate with this process, review reports, and take corrective actions where necessary.
Access Controls:

In granting individuals access privileges to information resources, Service Providers must adhere to policies established by the data custodians and the university. Protocols specifying access authorizations must be produced in a format conducive to auditing and audit trails must be maintained at appropriate levels. User identifiers must respect the centrally generated assignments, and systems and applications must support available university-wide standards and facilities supporting authentication, authorization, and single sign-on.

Shared, guest and anonymous accounts should be avoided. Guests must be incorporated into the central user identifier facility when possible. Any anonymous accounts must be restricted to servers containing unrestricted data and not residing within a zone protected by a firewall.

Service Providers shall periodically review user identifiers and access privileges and revise them as required by changes in job functions, transfers and employment status. Where university-wide facilities are deployed to aid user identifier management, individual systems and applications should interface with them whenever possible.
Passwords:

Service Providers should install password mechanisms that provide strong security while aiding users with the selection and management of strong passwords. Where independent password files must be maintained, they must be protected by encryption and access controls. Appropriate restrictions regarding password lengths and the use of personal data or dictionary words for passwords must be implemented, using software enforcement where possible.

Initial user passwords may deviate from this only if the user is required, by the software, to change the password upon first use. Administrators and help desk personnel should be able to reset passwords following established procedures, but never able to view them. The assignment of super user (root) access or similar capabilities must be strictly controlled and very limited. Passwords to accounts with privileges that may be needed in emergency recovery situations should be made available via lock boxes rather than distributed on an anticipatory basis.
Contingency planning:

Service Providers are responsible for ensuring the continued availability of university information resources and for planning for the resumption of mission critical business information services following the loss of equipment, data, and/or technology rooms due to flood, fire, equipment failure, natural disasters, etc. Inherent in this requirement is the need to provide effective procedures for backing up university data.

Appropriate schedules should be established for backing up servers and other devices containing important data, retaining copies, and refreshing media. Schedules and retention periods should support requirements for restoring data after accidental loss or corruption, natural disasters, and record keeping requirements as identified by the data custodians.

To ensure availability and functionality of backups, copies must be stored in secure, environmentally controlled, off- site locations. Encryption/decryption applications and copies of cryptographic keys must be stored in safe locations if they are required to restore backup data to useable form. Archived data is to be retained for legal/historical purposes and should be recopied periodically. When applications change, either the original application shall be retained so as to be able to usefully access the archived data or the archived data should be converted to a format and medium that is useable by the new or other available application.
Incident handling and reporting:

Service Providers must report suspected or known compromises of information resources to managers and the Information Security Office, who will proceed in accordance with the Incident Response Procedure. Reporting must occur on the same business day a Service Provider learns a compromise has occurred. They must preserve and protect evidence and cooperate with any investigation. Where appropriate, they must repair vulnerabilities and impose additional security measures to protect against future compromises.

Enforcement

Violations of this policy will be handled consistent with university disciplinary procedures applicable to the relevant individuals or departments. Failure to comply with this policy may also result in the suspension of access to network resources until policy standards have been met. Should Santa Clara University incur monetary fines or other incidental expenses from security breaches, the university may recoup these costs from the non-compliant department, school or auxiliary organization.


 Portions of this document are adapted with permission from Georgetown University & Boise State University

Information Security Office, 1-408-554-5554, iso@scu.edu