Cyberspace is a dangerous place. St. George’s University is committed to protecting its information assets and technological resources—and those of all members of the SGU community—from damage or compromise. All of us should become familiar with these security policies and exercise responsibility when conducting the business of the University. We must all aim to maintain the confidentiality and integrity of information while maintaining reliable access to it.
The Executive Director of Information Technology will establish an Information Security Program and collaborate with academic and administrative officials to foster compliance with it.
Information Security Officers, appointed by the Executive Director for each campus, are responsible for local compliance.
Deans, department chairs, and appropriate administrative officials are responsible for establishing specific security procedures.
All SGU community members are responsible for the protection of their passwords, card access keys, or other access controls. Don’t share these credentials without proper authorization.
Personnel who manage, operate, and support University Resources, including individuals who manage their own systems, are expected to follow all applicable SGU policies, follow departmental procedures, and use appropriate professional practices in providing for the security of the systems they manage.
Systems personnel should accurately classify and document the nature of the information resources being managed and ensure the implementation of security measures appropriate to that classification. They should also document and communicate to support personnel procedures for action in response to security incidents or other emergency events.
Please familiarize yourself with these requirements. Some may not apply to you directly, but if everyone knows how the system works, we all will be better equipped to deal with emergencies and attacks on our computing resources.
NOTE: The following terms used in this bulletin are defined specifically in Appendix A:
Electronic Information Resource
Restricted Information or Data
3.1 Administrative Workforce Controls
3.2.1. Passwords and other authentication credentials
3.2.2. Session protection
3.2.3. Privileged access
3.2.4. Backup and retention
3.2.5. System protection
3.2.6. Patch management
3.2.7. System and applications software development
3.2.8. Network Security
3.2.9. Change Management
3.2.10. Audit Logs
4.3.1. Reporting Restricted Information
4.3.2. Reporting Security Breaches Involving Personal Information
4.3.3. Specific Responsibilities
Supervisors and department heads
Employees, contractors or consultants
Resource Proprietors
Resource Proprietor or Custodian
Resource Proprietors
7.1. Access Control
7.2. Encrypted Authentication
7.3. Patch Management Practices
7.4. Malicious Software Protection
7.5. Removal of Unnecessary Services
7.6. Host-based Firewall Software
7.7. Authenticated Email Relay
7.8. Authenticated Network Proxy Servers
7.9. Session Timeout
Each campus will develop a Security Plan and Security Breach Notification Plan. The Information Security Officer will send a copy of the plan—and any subsequent changes to it—to the Executive Director of Information Technology. The plan should contain, at a minimum, the following components:
Each Campus Information Security Officer will act as the lead authority responsible for reporting to the Executive Director of IT. The ISO will ensure that Campus incident response and notification procedures are followed and coordinate with Campus counsel. The ISO may delegate responsibilities to other personnel, when appropriate.
The Information Security Officers should:
Units or departments should:
After completing a risk assessment, the unit or department involved should develop an information security plan that considers the acceptable level of risk for systems and processes and identifies cost-effective strategies for mitigating that risk. The security plan should account for the management, use, and protection of information that has some level of confidentiality, and identify the procedures and controls necessary to enhance security for information assets.
The unit should select appropriate mechanisms, including administrative, operational, technical, physical and environmental measures, to safeguard information. See Appendix C for a list of selected threats and vulnerabilities, the risks they pose, and selected security controls.
Resources classified as Restricted require the highest level of protection; resources classified as Essential must be included in emergency and disaster recovery planning.
Who needs to access Resources in order to perform assigned tasks? A discussion of the knowledge and skills necessary to maintain security—and the responsibility for it—should be part of the employment process for any position that requires IT skills. Make it clear that all members of our workforce should:
A. act to ensure the confidentiality and integrity of data against unauthorized access, modification, or destruction;
B. comply with license agreements, terms and conditions, and laws pertaining to intellectual property, and with identified security procedures.
SGU may deem some positions with job responsibilities requiring access to Restricted or Essential Resources as Critical Positions. Campuses should ensure that candidates for these posts undergo applicable background checks as part of the selection process.
Where there is a concern that access to Restricted or Essential Resources endangers the integrity of such Resources, management should act to restrict, suspend or terminate access of staff working in critical positions in the event of disciplinary action or termination.
Campuses should establish a strategy that ensures accurate identification of authorized University community members and provides secure, authenticated access to network-based services. University access control measures should include secure and accountable means of authorization and authentication.
Authorization is the process of determining whether or not an identified individual or class has been granted access rights to information, and of determining what type of access is allowed, e.g., read-only, create, delete, and/or modify.
Authentication is the process of confirming that a known individual is correctly associated with a given electronic credential, for example, by use of passwords to confirm correct association with a user or account name.
Administrators should assign responsibility for systems and application security to a Resource Proprietor knowledgeable about the information technology used in the system and in providing security for such technology. This individual should determine security plans as appropriate to the supported systems, applications, and data.
Appropriate measures should safeguard against unauthorized access to data whenever a Resource manages or contains information classified as having a high Security Impact. This includes not only the primary operational copy of the information, but also data extracts and backup copies.
Campuses should ensure the timely maintenance of access controls to ensure that authentication credentials, such as passwords or authentication keys, meet Campus standards and that access privileges are revoked in a timely manner.
The right of access to modify data should be granted according to procedures that ensure data integrity. Exceptions may be made on a case-by-case basis but should always be performed in a controlled manner and with the knowledge of the Resource Proprietor.
Restricted Data: The proliferation of data greatly increases risks of unauthorized access, particularly when data is stored in ad hoc analysis tools such as spreadsheets and desktop databases. When a unit or department copies data for analysis or research, it should delete Restricted Data whenever possible or “de-identify” it by removing data elements that, in combination with other data, would result in the identification or description of an individual. If it is not possible to delete Restricted Data, the user should implement adequate security measures. Note that Restricted Data is one form of Restricted Resources, as defined in Appendix A.
Do not transfer Restricted Data to another individual or system without approval of the Resource Proprietor. Before Restricted Data is transferred to a destination system, the Resource Proprietor should establish agreements to ensure that Authorized Individuals implement appropriate security measures.
See Appendix B, Guidelines for Restricted Information, for additional information.
These guidelines do not require the employment of any specific technological control, but the selected method should be adequate to ensure sufficient protection of the electronic information resource.
The Campus Program should identify appropriate password management conventions, including periodic identification of weak passwords, password encryption, and other security measures as deemed appropriate. Campus password management conventions should take into account the increased risk if passwords are used to access multiple applications, such as by means of a Campus Single Sign-on (NetID). Passwords and other authentication credentials are considered “restricted” information and require the highest level of security protection whether in storage or transit.
Passwords to individual accounts should never be shared with other individuals unless specifically approved and documented as an exception to policy by the Resource Proprietor responsible for the Resource being accessed.
If it is determined that passwords need to be shared in a specific instance, the Resource Proprietor should record who accessed the Resource or in some other way provide an audit trail.
Secure screensavers, automatic logout, and/or other means of session protection minimize the risk of unauthorized users gaining control of the working session if an individual leaves a computer unattended. Use such measures on all devices with access to Restricted Resources. Also see Section 7, Minimum Requirements for Network Connectivity.
System administrators routinely require access to Resources to perform such vital system functions as installing or modifying applications; programming; establishing user IDs, accounts, or passwords and maintaining authorization for those accounts; correcting problems; and other broadly-defined system or electronic information resource functions. Such “superuser,” “root,” or “administrative” access is privileged and may be used only for authorized purposes.
As privileged accounts are especially sensitive, Campuses should establish procedures to ensure that abuse will not occur and fully inform personnel assigned privileged accounts on the appropriate access and disclosure of information. Procedures should include an agreement to be reviewed or signed and filed, as appropriate to the needs and function of the Resource.
For additional guidelines on logging, refer to Audit and System Logs at the end of this section.
Sound professional system administration practices require the implementation of routine backup of applications and data. These backup requirements extend to Essential or Restricted applications and data stored on personal computers as well as on shared systems.
Administrators should deploy measures to limit access to systems that host Restricted or Essential Resources and to protect systems from “malicious software.”
Malicious software (“malware”) poses serious threats, not only to the specific computer where the software has been installed, but potentially to other networked devices. Malware includes such programs as viruses, worms, Trojan horses, and spyware. Such programs are usually installed on a device under false pretenses and without the individual’s knowledge, and can potentially affect any type of computer or server on the network. Malicious programs may damage or consume resources, use devices to infect other networked devices, or expose information or user credentials.
Systems personnel should, in a timely manner, update versions of the operating system and application software when security patches become available.
Developers should analyze how personal information should be collected, stored, shared, and managed for any application that will be used to process personal information. In order to obtain advice on establishing proper controls, campuses should involve Campus Internal Audit and/or the Executive Director of IT early in the process of developing administrative systems.
Each campus should deploy firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) at the campus border to augment normal system security measures and especially to limit access to systems that host Restricted or Essential Resources. The aim is to prevent denial of service attacks, malicious code, or other traffic that threatens systems within the network or violates campus information security policies.
All modifications to a system should follow a planned, supervised management process, particularly in the case of any Restricted or Essential Resource. Personnel making changes to a system should:
Most components of an IT infrastructure are capable of producing logs chronicling their activity over time. These logs often contain very detailed information about the activities of applications and the layers of software and hardware that support them. With proper management, these logs can be of great benefit in a variety of scenarios to enhance security, system performance and resource management, to monitor access controls, to reconstruct security incidents, and to achieve regulatory compliance.
SGU urges campuses to develop a management infrastructure for log records. In particular, a log management infrastructure can capture information and aid analysis about access, change monitoring, cost allocation, malfunction, resource utilization, security events, and user activity. Campuses should manage audit logs in a manner that promotes these benefits while protecting the confidentiality and integrity of the logged information.
When appropriate, employ suitably strong encryption measures for information in storage and during transmission. Encryption is not, however, a substitute for other security measures required in this bulletin.
Information stored in encrypted form is useless in the event of the loss of the encryption key. When using encryption, therefore, consider the nature of the information and the University’s requirements for its timely or continual availability. Appropriate University officials must have access at all times to:
Restricted Information should be encrypted during transmission through measures strong enough to minimize the risk of the information’s exposure if it is intercepted or misrouted.
Store at least one copy (the authoritative copy) of any such information in a known location in unencrypted form. If the information is encrypted, make the means to decrypt it available to more than one person.
Retain Restricted Information on portable equipment only if protective measures safeguard the confidentiality and integrity of the data in the event of theft or loss of the portable equipment.
Users who control and manage encryption keys and key management software and hardware must be conscious of their unique role. Campuses shall conduct applicable background checks for such employees and implement encryption key management plans that:
See Appendix B for current encryption strategies.
Hurricane, earthquake, fire, flood, power outage, theft, damage. Each campus needs to establish procedures for the physical protection of its Resources against catastrophic failure. In particular, campuses should develop procedures to protect departmental or central facilities containing Resources that support Restricted or Essential systems or data. All such facilities should conform to the following recommended guidelines.
Implement appropriate locking or other physical security mechanisms for all equipment vulnerable to unauthorized removal. Use combination locks, key locks, badge readers, manual sign in/out logs, verification of identification, etc., as appropriate to track all individuals logging on and off. Limiting physical access to facilities may also include technical mechanisms, such as use of proximity card readers. In those instances, technical access control guidelines apply. Maintain records of access events consistent with audit log guidelines.
Make sure that equipment being reassigned or disposed of has been stripped of Restricted or other sensitive information as appropriate. Shred media, overwrite disks, or employ professional data destruction services. Alternately, use sufficiently strong disk encryption. If electronic media or hardware is subject to a litigation hold, be sure that relevant data is not lost.
Retain Restricted Information on portable equipment (laptop computers, PDAs, Smart Phones, memory sticks, CD ROMs, etc.) only if you have used protective measures, such as encryption, in the event of theft or loss of the equipment.
If a campus is considering notification of a security breach, it should coordinate with the Office of General Counsel.
It is a violation of University policy for individuals to attempt to gain unauthorized access to Resources or in any way willfully damage, alter, or disrupt the operations of Resources. This includes capturing or tampering with passwords, encryption keys, or any other mechanisms that could permit unauthorized access.
Further, it is a violation of University policy for an unauthorized person to acquire unencrypted, computerized personal information and compromise its security, confidentiality, or integrity. Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.
Personal information includes an individual’s first name or first initial and last name, in combination with any one or more of the following:
The list of data elements considered personal information may be expanded based on departmental risk assessments.
In the case of a security breach, all campuses must follow the systemwide procedures presented here. In addition, campuses may develop detailed local guidelines based upon the steps in these systemwide procedures.
The Campus Information Security Officer or the ISO’s delegate shall report immediately in writing to the Executive Director of IT any security breach involving Restricted Information. If it is possible that the security breach involves medical or health insurance information, consult the Dean of the School of Medicine.
The ISO shall report in writing to the Executive Director of IT when the incident is closed. Include a description of the incident, including the number of individuals impacted; a copy of any notifications; a summary of how the incident was handled and what actions were taken to prevent further breaches of security.
Mitigation or notification requirements may differ, depending on governmental statutes, the nature of the information at risk in the event of a security breach, or contractual agreements. For example, a breach of confidentiality of electronic Protected Health Information (ePHI) requires mitigation, to the extent practicable, of “harmful effects,” and business associate agreements may require notification to governmental agencies.
As soon as possible, notify individuals whose personal information is reasonably believed to have been acquired by an unauthorized person. Delay notification only when a law enforcement agency feels notification will impede a criminal investigation or when necessary to discover the scope of the breach and restore the integrity of the system.
In coordination with campus counsel, campuses may determine the language to be used in the notification, which may be either a written, hard copy notice or an e-mail.
If sufficient contact information is not available for direct hard copy or e-mail notice, use a substitute method, such as prominent display on the campus’s website or other commonly used website for at least forty-five days. Consult both campus counsel and the campus community relations or public information office to develop the substitute notice.
Supervisors and department heads are responsible for promptly reporting any known or suspected policy violations to the Resource Proprietor or Custodian, the Internal Security Audit department, the Locally Designated Official, or the Executive Director of IT.
Employees, contractors or consultants who become aware of the occurrence of any violation should report the violation promptly to their supervisor (or their client within the University in the case of contractors or consultants), department head, or the Internal Audit department. Resource Proprietors or Custodians should be notified of such violations in accordance with departmental procedures.
Depending on the nature of the violation and the likelihood of a recurrence, the Resource Proprietor or Custodian should act promptly to prevent future violations to the extent feasible, and/or remove the means by which the violation occurred. Depending on the nature of the violation, the Resource Proprietor or Custodian shall consult with other Campus authorities in accordance with policies governing potential disciplinary action.
In the event of security breaches involving possible unlawful action, Resource Proprietors should notify the employee’s immediate supervisor, Executive Director of IT, or other appropriate official. Notification should occur before any action is taken, unless prompt emergency action is required to prevent bodily harm, significant property loss or damage, evidence of one or more violations of law or of University policy, or significant liability to the University or to members of the University community.
The University reserves the right to revoke access to any Resource for any individual who violates the provisions of this bulletin.
It is important that all members of the University community receive appropriate security awareness training. Department heads and supervisors should see that training programs include a review of security policy, procedures, and standards at University-wide, campus and departmental levels.
Training materials should include topics such as password management and use, best practices for protecting restricted information, incident reporting, and security reminders regarding current threats to technical environments in which individuals are working.
Training must conform to regulations governing specific categories of Restricted Information, such as student data subject to FERPA, personal information as defined in Section D above, financial data subject to the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), electronic Protected Health Information subject to HIPAA, and credit card holder information subject to the Payment Card Industry Data Security Standards.
When campuses or departments establish agreements with contractors, consultants, or external vendors, they must include assurances that the contracting party will safeguard information in accordance with the law and University policies. Units engaging non-University contractors or consultants to work on Restricted or Essential Electronic Information Resources must perform applicable background checks and consider limiting outside vendor access to those Resources.
When providing access to or passing Restricted Information to a third party agent of the University, include in the written contractual agreements terms and conditions that:
Security measures on destination systems should be commensurate with security measures on the originating system.
Agreements should include requirements regarding retention or disposition of data after the data is no longer needed on the destination system.
The Campus or department should terminate access when contractual obligations have been completed.
7.1. Access Control
Allow only authorized individuals access to networked devices. Passwords are typical access controls. Shared-access systems must enforce password or other authorization/authentication standards whenever possible. In situations where systems ship with default passwords for network accessible devices, change those passwords upon first use.
7.2. Encrypted Authentication
7.3. Patch Management Practices
Ensure timely update of security patches. Networked devices must run versions of operating system and application software for which security patches are made available. Install these as soon as possible, except when patches may compromise the usability of critical applications, in which case follow Campus exception procedures. SGU may grant exceptions but may require additional management measures.
7.4. Malicious Software Protection
Protect networked devices from malicious software, such as viruses, spyware, and other types of malware. Where readily available, keep anti-virus and anti-malware software running and up to date, with current virus definition files installed on all networked devices.
7.5. Removal of Unnecessary Services
7.6. Host-based Firewall Software
When host-based firewall software is readily available for a specific operating system, run it and configure it to limit network communications to only those services that require network access.
7.7. Authenticated Email Relay
Prevent unauthorized third parties from relaying e-mail messages. Devices shall not provide an active SMTP service that allows unauthorized individuals to send or relay e-mail messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user.
7.8. Authenticated Network Proxy Servers
Prevent unauthorized access to Internet-based Resources. Network proxy servers should employ authentication rather than allowing unauthenticated access from SGU locations.
7.9. Session Timeout
Do not leave devices that access Restricted or Essential services unattended for an extended period of time. Employ such measures as session timeouts or lockouts that require re-authentication before users return to interactive use.
A University employee, student, contractor, or other individual affiliated with the University who has been authorized by a Resource Proprietor (or his or her designee) to access a Resource for the purpose of performing job duties or other functions directly related to the individual’s affiliation with the University. The Resource Proprietor grants authorization for a specific level of access to a Resource, unless the level is otherwise defined by University policy.
Electronic Information Resource (Resource)
A resource used in support of University activities that involves the electronic storage, processing or transmitting of data, as well as the data itself. These resources are valued information assets of the University. Electronic Information Resources include but may not be limited to application systems, operating systems, tools, communications systems, data (in raw, summary, and interpreted form), other electronic files, and associated computer servers, desktops (workstations), portable devices (laptops, PDAs, Smart phones, etc.) or media (CD ROM, memory sticks, flash drives).
Encryption is the process of converting data into a cipher or code in order to prevent unauthorized access. The technique obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher. The keys are binary values that may be interpretable as the codes for text strings, or they may be arbitrary numbers. Appropriate management of these keys allows one to store or transmit encrypted data “in plain sight” with little possibility that it can be read by an unauthorized entity. For example, encryption can protect the privacy of Restricted Data that is stored on a laptop computer, even if that laptop computer is stolen. Similarly, it can protect data that is transmitted over a network, for example, even if that network is tapped by an unauthorized third party.
The University designates a Resource as Essential if its failure to function correctly and on schedule could result in (1) a major failure by a Campus to perform a mission-critical function, (2) a significant loss of funds or information, or (3) a significant liability or other legal exposure to a Campus.
A person authorized by the University to have physical or logical control over a specific Electronic Information Resource. This includes, for example, central Campus information technology departments with maintenance responsibility for an application; departmental system administrators of a local area network; and database administrators for Campus-wide or departmental databases. Resource Custodians provide a service to a Resource Proprietor.
Resource Proprietor (may also be referred to as Resource Guardian)
The individual assigned responsibility for the information and the processes supporting a specific University function. Resource Proprietors are responsible for ensuring compliance with governmental statutory regulation or University policy regarding the release of information according to procedures established by the University, a Campus, or a department, depending on the situation.
Responsibilities of Resource Proprietors may include, for example: specifying the uses for a departmentally-owned server; establishing the functional requirements during development of a new application or maintenance of an existing application; and determining which individuals may have access to an application or to data accessible via an application. All Electronic Information Resources are University resources, and Resource Proprietors are responsible for ensuring that these Resources are used in ways consistent with the mission of the University as a whole.
Restricted Information or Data
Restricted Information or Data describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.
A Resource that supports the storage, transmission, or processing of Restricted Information.
Restricted data should be encrypted whenever it is stored in or transmitted across an untrusted environment.
You don’t need to protect data you don’t have. Restricted data should be retained only when necessary.
“Whole Disk” Encryption
The priority for implementation of “whole disk” encryption should be 1) mobile devices and media, then 2) other devices and media for which appropriate physical security is not provided.
Campuses should promulgate recommended tool sets to facilitate file encryption.
Backup and Archiving
Assess backup procedures to ensure that backup copies of restricted data are appropriately protected by physical and/or technical means, particularly when sent off-site.
Interactive sessions that transmit restricted data should be encrypted. Note that login passwords should often be treated as restricted, even when no other restricted data is transmitted.
Application Scenario Recommendations
When encrypted files are transmitted, transmit the keys via a method other than that used for the encrypted files themselves.
The X.509 certificates installed on servers should be acquired from Certificate Authorities that are included in common browser distributions.
Campuses should promulgate recommended tools for sending encrypted data through electronic mail. This is likely to include the tool set identified under “File Encryption.”
Network Printer Communication
Resource Custodians for departmental and campus print services should assess the secure printing needs of their communities and provide solutions and education, as appropriate.
Remote File Services
Resource Custodians for departmental and campus file service organizations should assess the need to protect restricted data on their servers and implement encrypted protocols (and provide user education) as appropriate.
Use SOAP with HTTPS or some other commonly-available encrypted protocol to transmit restricted data when possible. When not possible, use a Virtual Private Network to transmit the data.
Virtual Private Network (VPN)
Implement VPNs to protect restricted information when other methods are not feasible.
When it is necessary to implement encryption within an application, utilize a suitably strong, well-tested encryption algorithm, preferably from an “off the shelf” library.
Be careful to use an appropriately strong algorithm. For commonly-deployed encryption algorithms, this implies a key length of 128 to 256 bits.
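The following Go program is an added example, not part of this bulletin or of any SGU tool set. It shows what "a suitably strong, well-tested algorithm from an off-the-shelf library" with a 128 to 256 bit key looks like in practice: AES-256-GCM from the Go standard library, a fresh random nonce per message, and decryption that fails closed when the ciphertext is altered. The function names (NewKey, Encrypt, Decrypt) and the sample record are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes (256 bits), the upper end of the 128-256 bit range
// the guideline recommends for commonly deployed algorithms.
const KeySize = 32

// NewKey returns a fresh key from the operating system's CSPRNG.
// Keys must never be derived from predictable values or hard-coded.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-GCM authenticated cipher and rejects wrong-sized keys.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key. Output layout: nonce || ciphertext || tag.
// A random nonce per message is mandatory: reusing a nonce with the same key
// destroys GCM's confidentiality and integrity guarantees.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the data.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Any modification of nonce, ciphertext or tag
// makes Open return an error instead of corrupted plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for Restricted Data.
	record := []byte("student_id=000000;name=Sample Student")

	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %x\n", len(blob), blob)

	plain, err := Decrypt(key, blob)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)

	// Flip one bit of the tag: decryption must refuse, not return garbage.
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, blob)
	fmt.Printf("after tampering: err=%v\n", err)
}
```

The key itself is the piece that needs the separate handling described in this appendix: it is generated once, stored under the campus key management service, and transmitted (if at all) by a channel other than the one carrying the ciphertext.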
Campuses should implement key management services to ensure appropriate controls have been applied.