Administrative User Standard

Purpose

All members of the university community share in the responsibility for protecting the information resources to which they have access. The purpose of this document is to establish minimum standards and guidelines to protect against accidental or intentional damage to or loss of data, interruption of university business, or the compromise of sensitive information.

Additional Authority

  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm Leach Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI-DSS), Version 2.0
  • California SB 1386
  • Fair and Accurate Credit Transactions Act of 2003

Scope

Applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with access to sensitive information through Santa Clara University or its affiliates.

This standard applies to all university information resources, including those used by the university under license or contract.

Responsible Party 

Information Security Office (ISO)
Chief Information Security Officer, 408-554-5554

Standards

This document establishes information security roles and responsibilities for Administrative Users: data stewards, managers, the Information Security Office, audit, General Counsel and Information Services.

Data Stewards

Data stewards are those members of the university community who have primary responsibility for gathering, inputting, storing, managing or disposing of sensitive information. One becomes a data steward either by designation or by virtue of having acquired, developed, or created information resources for which no other party has stewardship. For example, for purposes of this standard, librarians have custody of library catalogs and related records, faculty have custody of their research and course materials, students have custody of their own work, and any individual who accepts a credit card number in the course of conducting university business is the steward of that information.

The term custody does not necessarily imply legal ownership. In fact, information housed on university computers or networks may be legally owned by an entity outside the university, as with licensed software.

Data Steward Responsibilities:

Establishing Information Security Procedures:
Data stewards must establish internal standards and procedures relating to the creation, retention, distribution and disposal of information in their care. These standards must meet the minimum standards set by the ISO, the university’s Data Classification Standard and Data Retention Standard, as well as other university policies, contractual agreements, and governing federal, state and local laws. Data Stewards may impose additional requirements to enhance security as long as they are consistent with the above authorities.

Determining Authorizations: 

Data stewards must determine who is authorized to have access to their information.  They must ensure that those with access have a need to know the information and understand the security requirements for that information. Where applicable, data stewards must ensure that those with access to sensitive information have signed a non-disclosure agreement covering the information for which they are responsible.

Recordkeeping:

Data stewards must keep records documenting the creation, distribution and disposal of all sensitive information.

Incident Reporting:

Data stewards must report suspected or known compromises of their information to their managers and the ISO on the same business day that they become aware of the compromise. The ISO will proceed in accordance with the Incident Response Procedure.

Managers

Managers are members of the university community who have management or supervisory responsibility, including deans, department chairs, directors, department heads, group leaders, or supervisors.  Faculty who supervise teaching or research assistants are also included.

Managers have all the responsibilities of users and, where information resources originate with them, of data stewards. Additionally, they share responsibility for information security with the employees they supervise.

Manager Responsibilities:

Establishing Information Security Procedures:

If managers elect to establish more restrictive information security practices for their employees, they must be consistent with the ISO’s standards, university policies, contractual agreements, and governing laws.

Managing Authorizations:

Managers must make sure their employees have the authorizations necessary to perform their jobs. The authorizations themselves are acquired from the stewards of the information resources. Managers must ensure that employee access is consistent with employee responsibilities and that requests to deactivate employee accounts are made within 24 hours of an employee’s separation.

User Training and Awareness: 

Managers must promote security by ensuring that employees have the training and tools necessary to protect information.

Physical Security:

Managers must ensure the physical security of the information technology devices in their area. Doors should be locked to protect equipment when unattended. Portable equipment such as laptops, cell phones, and other mobile devices should be registered and regularly inventoried at the department level.

Incident Handling and Reporting:

Managers must report suspected or known compromises of information resources, including contamination of resources by computer viruses, to their supervisors and the ISO. Incidents must be reported on the same business day a manager learns a compromise has occurred. Managers must cooperate with the investigation of and recovery from security incidents, including taking any disciplinary action deemed necessary by the appropriate university authorities.

Information Security Office (ISO)

The ISO has primary responsibility for oversight of information security, working in cooperation with Information Services, and works with Human Resources to educate the university community about its security responsibilities.

ISO responsibilities:

Approved Practices Oversight:

The ISO must stay abreast of current legislation and how it affects security practices and planning. Additionally, the ISO must monitor activities and best practices relating to security at other institutions and follow the activities of organizations in higher education such as NACUBO and EDUCAUSE.

User Training and Awareness:

Effective information security requires a high level of participation from all members of the university and all must be well informed of their responsibilities as data stewards, users, managers, and service providers. In cooperation with managers, Information Services, and Human Resources, the ISO is responsible for managing a university training and awareness program for all members of the university.

The ISO must manage efforts to ensure this standard as well as related approved practices, standards, and procedures are distributed to the university community, using training classes and materials to instill the importance of proper information handling and explain the implications of information security. Training should include specific information on the use of security precautions such as encryption, anti-virus tools, operating system updates, and backup procedures.

Oversight Authority for University Networks and Systems:

The ISO is responsible for overseeing network and system security for resources managed by or connected to any university computer or network.

Maintenance of Standards:

In cooperation with other members of the university, the ISO must periodically reassess this standard and the related approved practices, standards, and procedures to determine if revisions are needed to keep pace with the changing nature of information technology. If such revisions become necessary, the ISO will seek input from all relevant constituencies within the university and then propose recommended changes to the Vice Provost & CIO.

Incident Handling and Reporting:

If information resources are compromised, the university must take steps to remediate, respond to and recover from the incident. Depending on the nature of the incident, this could involve collecting and analyzing evidence, determining the responsible party, assessing damage, restoring data from backup files, closing security holes, installing stronger security measures, revising security guidelines and procedures, taking disciplinary action in accordance with university policies, reporting incidents to law enforcement, and interacting with the media. The ISO will further investigate incidents and work with the Incident Response Team in accordance with the Incident Response Plan.

Assessment Standards:

The ISO is responsible for determining whether information is being protected in conformance with this standard by conducting regular information security assessments.

University General Counsel

General Counsel is responsible for interpreting the laws that apply to this standard and ensuring that the standard is consistent with those laws and other university policies. Any inadequacies in this standard should be brought to the attention of the ISO. General Counsel will work in concert with the ISO and any other parties deemed necessary to report criminal offenses.

Information Services

Information Services is responsible for working with the ISO to develop standards consistent with other university policies, and state and federal law. Information Services will also work with the ISO to assist with training and compliance issues.

Enforcement

Violations of this standard will be handled in a manner consistent with the university disciplinary procedures applicable to the relevant individuals or departments. Failure to comply with this standard may also result in the suspension of access to network resources until the standard has been met. Should Santa Clara University incur monetary fines or other incidental expenses from security breaches, the university may recoup these costs from the non-compliant department, school or auxiliary organization.

Portions of this document are adapted with permission from Georgetown University and Boise State University.