XAVIER UNIVERSITY
Information Security Policy
Effective: 10/1/2015
Last Updated: 9/16/2015
Responsible University Office: Information Security Office
Responsible Executive: Associate Provost and Chief Information Officer
Scope: This policy applies to all University owned information that is present on
or transmitted through University owned systems and networks. University
owned information assets can take the form of electronic and hard copy
information.
A. REASON FOR POLICY
This document defines the Information Security policy for Xavier University. Xavier
University is committed to protecting the confidentiality, integrity and availability of
information assets from all threats including unauthorized access, modification or
damage while also providing for the open information sharing requirements of academic
freedom. The purpose is to establish the University’s approach to information security
and define the appropriate controls that are required to prevent compromises to
information assets. This document demonstrates Xavier’s commitment to properly
protect both student and University information and creates administrative, technical
and physical safeguards to protect sensitive information.
Ownership, Review and approval
The Associate Provost and Chief Information Officer owns this policy. The Information
Security policy is approved as defined by the Policy Development Process at Xavier
University. It is reviewed and updated as needed by the Information Security Office.
Statement on Academic Freedom
Information resources at Xavier help to facilitate the free exchange of ideas among
members of the University community and the wider community. As an academic
institution, all of us at Xavier place great value on freedom of thought and expression.
The University community encompasses a wide array of opinions, views, approaches,
and temperaments.
Audience
This policy applies to all individuals that have access to Xavier’s information
resources, including but not limited to: all faculty, staff, students, alumni, retirees,
temporary workers, library patrons, visitors, contractors and vendors using University
information resources, whether on-site or off-site (hereafter collectively referred to
as “Users”).
B. POLICY
Responsibilities
The following defines the information security roles and responsibilities at Xavier.
Data Custodians: The Data Custodian is the department head or their designee that is
responsible for overseeing the division’s information. Responsibilities include:
• Authorize access to departmental information based on need to know.
• Oversee the proper handling of information.
• Define information assets that are sensitive in nature.
• Assist users in applying the appropriate security controls to information assets.
• Recertify user access to information on a periodic basis.
• Understand information use and the associated risks including improper
disclosure.
• Work with Information Technologies to define controls to protect the
confidentiality, integrity and availability of information assets.
• Ensure that the department operates in compliance with the Information Security
Policy.
• Ensure that information assets are protected in a manner that is commensurate
with regulatory mandates.
Information Security Office: The Information Security office responsibilities include:
• Oversee Information Security initiatives at the University.
• Stay abreast of current threats and information security best practices.
• Perform vulnerability and risk assessments and provide recommendations.
• Coordinate third party security assessments.
• Develop and implement security policies, standards and guidelines.
• Coordinate incident response activities.
• Report any identified security deficiencies to the Associate Provost and Chief
Information Officer and appropriate Data Custodian.
• Coordinate security awareness training.
Information Technologies: Information Technologies has physical or logical
possession of information. Responsibilities include:
• Provide support of systems.
• Use physical and logical access controls to protect information from unauthorized
access, usage, modification or destruction.
• Administer access to information assets.
• Monitor systems for malicious events.
Users: Information users are personnel that are granted access to University and/or
student information. User responsibilities include:
• Comply with the University Information Security Policy.
• Use the appropriate security controls for protecting information based on the
associated risk.
• Report any suspicious activity.
• Report any lost, stolen or disclosed sensitive information.
• Use information only for the intended purpose.
• Ensure that non-public information is only distributed to authorized persons.
• Dispose of information in a secure manner.
• Access only information that they are authorized to access.
Information Classification
Information classification determines the sensitivity, value and criticality of a given piece
of information so that it can be protected appropriately. The classification helps to
determine the appropriate controls for safeguarding the information. Xavier University’s
information is comprised of three classifications:
Public: Public information is defined as information that is generally available to anyone
within or outside of the University. Access to this information is unrestricted and may be
shared internally or externally without prior approval. Public information includes, but is
not limited to, marketing materials, public web site contents, University statistics or any
other information that has been approved by management for public release.
Internal use: Internal use information is defined as University information that is to be
used within Xavier. Internal use information should be shared only with internal users
unless approved by the Data Custodian. Access to this data may be limited to specific
departments and cannot be distributed outside of Xavier. Internal use information is less
sensitive than Confidential information, but if exposed could have an adverse impact to
the University. Internal use information includes, but is not limited to strategic plans or
other non-public information as dictated by the Data Custodian. All information not
otherwise classified will be assumed to be internal use. Users may not disclose internal
use information to anyone who is not an authorized user without prior consent of the
Data Custodian.
Confidential: Confidential information is defined as personal or University information
that may be considered potentially damaging if released and is only accessible to
authorized users. Confidential information includes, but is not limited to, medical/health
information, legally privileged information, contractual information, payment card
information, personally identifiable information, protected health information and
protected student information. Users may only share confidential information with
people that have a definite need to know. Sensitive HIPAA and FERPA information is
considered confidential and should only be shared on an as needed basis.
Protection of Non-Public Information
All University systems that store, process or transmit non-public student and
University information must be protected with a complex password. Access to
information resources is granted on a need-to-know basis, following the principle of
least privilege. Hard copy non-public information must be secured when not in use.
Electronic non-public information must be encrypted while in transit over unsecured
networks. Users must avoid saving sensitive information to laptops and other portable
media unless it is encrypted with industry standard encryption. Non-public information
must be saved to University file servers and databases and should be encrypted, where
appropriate. If remote access is needed, the University provided Virtual Private Network
must be used. Confidential information must not be sent outside of Xavier’s network via
unencrypted email. Confidential information must only be stored on secured drives and
must not be stored on a collaborative drive such as the Q drive.
Due to the open nature of Xavier’s campus and the inability to physically secure all work
areas, Confidential information must not be left out in the open in work areas. To the
extent possible, users of sensitive information must not leave sensitive information
unsecured when unattended.
As Xavier’s system of record, Banner holds a large amount of sensitive information.
When possible, users should leave sensitive information in Banner, and avoid exporting
sensitive information unless similar controls can be applied.
Remote access
Xavier provides remote access to the University network as a service through a Virtual
Private Network. Remote users are to be held to the same security standard as users
that are on campus. If working in a public place, users must remain vigilant about
“shoulder surfing” and avoid displaying sensitive University information when others are
nearby.
Encryption
In an effort to maintain confidentiality, Confidential and Internal Use information must be
encrypted while in transit across insecure communication networks. Confidential
information should be encrypted using industry standard encryption or password
protected when at rest wherever possible.
Security Incident Reporting and Response
Information security incidents have the ability to cause a negative impact to the
University’s reputation and finances. All users must remain vigilant against violations of
this policy. Users are encouraged to report violations as an Information Security
incident. Incidents can be reported to the Associate Provost and Chief Information
Officer or the Information Security Office. Users that wish to anonymously report a
security incident can do so by calling EthicsPoint at 855-481-6238. In the event of an
Information Security incident, Xavier should follow the documented Information
Technologies Incident Response Plan. In order to protect the University during an
Information Security incident, Information Technologies reserves the right to take
actions up to and including making systems inaccessible at the discretion of the
Director, Technology Infrastructure. All security incidents will be handled
confidentially. Any significant Information Security incidents will be reviewed by the
Information Technology Leadership team and Legal Counsel, as needed. Examples of
security incidents include, but are not limited to:
• Unauthorized use of a system or account
• Physical theft or loss of a system, electronic or hard copy information
• Noncompliance with University policies
• Execution of malicious code
• Unauthorized attempts to gain access to a system or information
• Unauthorized system changes
• Denial of service
• Unauthorized theft, loss or exposure of information
Information Retention and Destruction
Some information assets may need to be retained to support regulatory requirements.
The document retention policy should be referenced to determine the length of time
documents need to be retained. Retained non-public information must be stored in a
secure manner. Information that is no longer needed must be destroyed in a secure
manner. Hard copies should be shredded. Hard disks must be securely wiped,
degaussed or destroyed when no longer needed.
Physical security
Information assets are necessarily associated with the physical devices on which they
reside. Information is stored on systems and transmitted on the University's physical
network infrastructure. In order to secure University data, thought must be given to the
security of the University's physical Information Technology (IT) resources to ensure
that they are protected from standard risks.
Users are responsible for preventing others from obtaining physical access to their
technology resources and to ensure that both electronic and paper files in their care are
safeguarded, especially if they contain sensitive data about individual students,
employees, or others. Specific recommendations to maintain physical security include
the following:
• Log off or lock the workstation when leaving one’s desk.
• Back up data regularly.
• Destroy drives, CDs, and other electronic media when they are no longer usable.
• Lock flash drives, CDs, and other electronic media in a desk or in a fire-resistant
cabinet.
• Secure small portable devices (such as laptops and tablets), which can be easily
lost or stolen.
All faculty and staff must immediately report lost or stolen technology resources to
Xavier Police and the Help Desk. Access to areas with sensitive information should be
physically restricted.
Security Areas
At a minimum, Xavier will maintain standard security controls, such as locks on exterior
doors, security cameras and/or an alarm system, to secure the University's assets. In
addition to this, the University must provide security in layers within both public and
private (restricted / secure) areas. Access controls are necessary to restrict entry to the
University’s secure area premises to only approved persons. Access will be granted
based on job function.
Certain physical precautions must be taken to ensure the integrity of Xavier's data.
Computer screens should be positioned where sensitive information on the screens
cannot be seen by outsiders. Confidential information should not be displayed on a
computer screen where the screen can be viewed by those not authorized to view the
information. Network ports that are not in use in public areas must be disabled.
Entry Security
It is the University’s policy to provide a safe environment as well as to secure its
information assets. Monitoring those who enter and exit the premises is a good security
practice in general, but is particularly true for minimizing risk to University systems and
data. The guidelines below are intended to be specific to the University's information
technology assets and must conform to the University's overall security policy.
Identification (ID) badges are useful to identify authorized persons on the University’s
premises. Xavier has established the following guidelines for the use of ID badges.
• Non-employees/Visitors: Visitors to secure areas such as a data center must be
escorted at all times. It is the responsibility of the associated employee to escort
visitors and ensure their departure from a secured area.
• Initial badge generation will be done only at the direction of Human Resources
for new hires or users changing jobs. Users must show photo identification for
identity verification.
The University must maintain a sign-in log (or similar device) in the lobby or entry into a
secure area. Visitor logs must be stored for at least three months unless otherwise
restricted by law.
Mobile Device Use
In the spirit of productivity, Xavier recognizes that some users will use personally owned
devices to conduct University business. Personally owned devices are outside of the
control of the University and therefore confidential information must not be stored on
personally owned IT resources. Users should take special precautions to protect
information that is stored on portable devices. Encryption should be used where
appropriate. Portable devices that house sensitive University information (including
email) must be PIN or password protected. Users should be mindful of all applications
that are run on personally owned devices that also house University information. Users
should only use wireless devices to conduct University business on trusted wireless
networks. All devices, where possible, must enable automatic lockout if University
information is stored on the device. In the event that an employee separates from the
University, Information Technologies reserves the right to perform a remote wipe of
University email from the personally owned device. Users must take adequate
precautions regarding physical security of the device. Device operating systems and
applications should be kept current. Mobile device tracking software is recommended in
the event of a lost device. Mobile devices that house non-public University information
should not be “rooted” or “jailbroken”. All mobile devices that house sensitive
University information must be securely wiped before being traded in.
It should be noted that in the event of litigation, personally owned devices may be
subject to discovery and/or a legal hold if they contain University email and documents.
Cloud Computing
While cloud computing providers provide value through increased expertise, efficiency
and lowered costs, they may introduce some additional risks the University should be
aware of. Before implementing cloud based solutions, users must ensure that the
relationship is managed, monitored and reviewed. The review should ensure that the
cloud provider has the financial and operational ability to fulfill the specified contractual
obligations. The provider must be able to demonstrate how sensitive University
information will be secured. University management must perform a due diligence
review of the cloud provider before entering into a contract. The Information Security
Office and Office of General Counsel must be involved in the review, as needed. The
Xavier Technology Committee makes the final determination on cloud computing
decisions. When evaluating a cloud service provider, the University should review
considerations such as the following:
• Service availability and reliability
• Service agreement and Service Level Agreement
• Regulatory compliance
• Support for incident forensics
• Authentication and authorization
• Encryption requirements
• Intrusion detection/prevention technology
• Backup and Disaster Recovery capability
• Responsibility for breach notification and follow-up
• Logging and log review for user and administrative sessions
• Incident response capabilities
• Vulnerability management practices
• An SSAE 16 or similar third party audit report
• The University’s right to audit the cloud provider
• Contractual language showing clear ownership of the information
• Isolating Xavier data from that of other clients
• Choice of law and jurisdiction
• The use of a private cloud
• User privacy and data mining
The University must take HIPAA and FERPA into consideration when evaluating a cloud
provider. Federal and state laws may affect the cloud
computing relationship, as the cloud provider may reside in another state or country.
Preference should be given to cloud service providers that house data in the United
States due to complications with international laws. Consideration should be made to
contractually exclude the ability to mine any data for the benefit of the vendor or
vendor’s agents (advertisers, etc.) Before entering into any contract for cloud services,
the data elements to be housed in the cloud should be reviewed by the Data Custodian,
Office of General Counsel and the Information Security Office.
When contracting for cloud based services, the University must consider an exit
strategy in case the relationship terminates. This would include a strategy to retrieve the
information from the vendor.
Confidential information may only be stored in University provided cloud storage and
may not be stored in personal cloud storage. Internal use information is allowed to be
stored in the cloud. By nature, public information may be stored in the cloud. Users
must ensure that they only share non-public information with users that have a need to
know. All data at rest and in transit between a cloud provider and the end user must be
encrypted using industry standard algorithms. A confidentiality agreement must be in
place with any cloud service provider.
Wireless Networking Policy
Xavier provides wireless network access, with varying security profiles and access
restrictions, for different campus constituents. Xavier reserves the right to extend or
restrict wireless network access on campus. Users are responsible for any actions that
are performed on their wireless device. By connecting to the wireless network, you are
responsible for the security of that device and must abide by University policies.
Operating a wireless device that interferes with wireless network service is prohibited.
Rogue wireless access points, and other wireless devices that broadcast networks,
create interference and connectivity problems for users on Xavier’s wireless
networks. Information Technologies will periodically scan for rogue wireless devices,
and will remove them from the network. Wireless access points may be installed only
by the Information Technologies department.
Virus and Malware Protection
Xavier provides anti-malware software for Windows based workstations, laptops and
servers. All University-provided Windows based user workstations and servers must
have current antivirus/anti-malware software installed. The anti-malware software must
be configured to receive automatic signature updates and perform automatic scheduled
malware scans. Patches, updates, and antivirus signature file updates must be installed
in a timely manner. Software must be set to automatically install updates whenever
practical. The antivirus solution must be capable of detecting and removing all known
threats. Antivirus software must be able and configured to generate audit logs sufficient
to recreate events in support of Incident Response. Users must not disable or uninstall
anti-malware software from Xavier owned systems. Anti-malware software is
recommended for Mac devices. Unix based systems are not required to run anti-malware
software.
Software Development Life Cycle
The goal of the system development life cycle process is to define steps to guide
Xavier’s System Administrators and application developers when creating and/or
altering Xavier’s information systems and the models and methodologies that are used
to develop these systems. Because nearly every system is now networked, intruders
increasingly use externally facing applications as the entry point into an
organization’s infrastructure. Therefore, it is necessary to address security at all
layers of the system as a whole. Xavier operates under an internally defined SDLC
model, as defined by the Director of Application Services.
It is important that security be a consideration throughout all stages of the SDLC
(Systems Development Life Cycle), from requirements through operations and
maintenance of the application. Any outsourced software development must also be
required to follow Xavier’s SDLC policies and guidelines.
Vendor Management
The vendor management policy is designed to properly manage any risk that Xavier
faces as a result of outsourcing technology and other services which are provided by
outside Vendors.
The objective of this Policy is to establish guidelines for the following:
• Identifying the importance of the function of the Vendor to the University and the
inherent risk of the service.
• Properly performing due diligence in Vendor selection.
• Properly documenting the Vendor relationship.
• Establishing procedures to monitor vendors.
To fulfill our objectives of executing good management of Vendors, the Policy
establishes the following:
1. Xavier must complete a Vendor Assessment which assigns a risk classification to
each vendor.
2. All Vendors must be assigned to a Xavier point of contact. In those cases where
the services are used by more than one department, the primary responsibility for
the Vendor will be assigned to the department that uses the service most.
3. All Vendors must go through a process of Due Diligence.
4. All contracts or agreements with Vendors must be previously approved by
authorized personnel.
5. Obtain authorization of any exception to the Policy from Information Technologies.
Security Awareness & Training
A security awareness program should be implemented that will detail Xavier’s
Information Security program to all users covered by the policy, as well as the
importance of information security. The training program should cover, among other
topics, the appropriate handling of confidential data. Employees must sign off on the
receipt of, and in agreement to, the user-oriented policies upon hire and annually.
Security awareness training should be performed upon hire and periodically thereafter.
Audit Log & Monitoring
The logging of certain events is an important component of good network management
practices. Logs on application servers, network devices, and critical systems may all
contain different data, but all contain valuable information that the University should
record. Logging on network-level devices should be enabled to the appropriate level,
based on resource constraints. Logs must never contain passwords or other credentials.
Security related logs should be reviewed at an appropriate frequency.
A member of Information Technologies should review logs on critical and high-security
devices on a regular basis. Logs must be retained in accordance with the University's
Retention Policy.
The University must secure audit trails so that they cannot be altered undetected.
Audit trails must be retained for an adequate period to allow for reconstruction of
events in support of Incident Response and forensics.
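The two controls above, keeping credentials out of logs and keeping audit trails tamper-evident, are easier to enforce mechanically than by review alone. The following Python block is an added example and is not part of the University's policy or tooling: it scans constructed sample log lines for password-style fields and redacts them before storage, then chains each stored entry to the previous one with an HMAC so that later modification or deletion of an entry is detected. The log lines, the regular expressions and the signing key are all constructed for this example; in a real deployment the key (and, periodically, the latest chain tag) would be held by the log collector, on a host the log source cannot write to.

```python
import hashlib
import hmac
import re

# Constructed sample log lines for this example (not real Xavier logs).
SAMPLE_LOG = [
    "2015-09-16T08:01:12Z sshd[2211]: Accepted publickey for jdoe from 10.4.2.17",
    "2015-09-16T08:02:40Z webapp: POST /login user=asmith password=Summer2015! status=200",
    "2015-09-16T08:03:05Z webapp: GET /grades?token=abc123 status=200",
    "2015-09-16T08:04:19Z db: connection string postgres://banner:S3cret@db.internal/prod",
]

# (pattern, replacement) pairs for credential-bearing fields that must not reach
# stored logs. The patterns are an assumption for the example; extend them for local apps.
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(password|passwd|pwd)=\S+"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)\b(token|api_key|secret)=\S+"), r"\1=[REDACTED]"),
    (re.compile(r"://([^:/@\s]+):[^@\s]+@"), r"://\1:[REDACTED]@"),  # user:pass@host in URLs
]


def find_secrets(line):
    """Return the patterns that match a line; an empty list means the line is clean."""
    return [pat.pattern for pat, _ in SECRET_PATTERNS if pat.search(line)]


def redact(line):
    """Replace every credential value in a line with [REDACTED], keeping the field name."""
    for pat, repl in SECRET_PATTERNS:
        line = pat.sub(repl, line)
    return line


def chain_entries(lines, key):
    """Build a tamper-evident audit trail: tag_i = HMAC(key, tag_{i-1} || line_i)."""
    prev = b"\x00" * 32  # genesis tag; the verifier starts from the same value
    entries = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        entries.append((line, tag.hex()))
        prev = tag
    return entries


def verify_chain(entries, key):
    """Return -1 if the chain is intact, else the index of the first entry that fails.

    Modifying, reordering or deleting any entry except the final one breaks every
    tag from that point on, so the first failing index localises the tampering.
    """
    prev = b"\x00" * 32
    for i, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1


if __name__ == "__main__":
    key = b"constructed-log-signing-key"  # assumption: in practice held only by the collector
    clean = []
    for line in SAMPLE_LOG:
        if find_secrets(line):
            print("credential found, redacting:", line)
        clean.append(redact(line))
    trail = chain_entries(clean, key)
    print("chain intact:", verify_chain(trail, key) == -1)
    # Simulate an attacker editing the second entry after the fact.
    tampered = list(trail)
    tampered[1] = (tampered[1][0].replace("asmith", "jdoe"), tampered[1][1])
    print("first bad entry after tampering:", verify_chain(tampered, key))
```

Redaction happens before the line is chained, so the stored trail never holds the secret while the tag still covers exactly what was stored. One caveat a reviewer should keep in mind: a chain like this proves nothing about entries that were silently dropped from the end, which is why the latest tag has to be copied off-host at intervals.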
Removable Media
Removable media covers any USB drive, flash drive, memory stick or other removable
data storage media that could be connected to Xavier systems. If provided by Xavier,
any confidential University data stored on these devices must be encrypted using
industry standard encryption. Confidential Xavier data is never to be stored on
personal removable media.
Vulnerability Management
A vulnerability management process should be part of the University’s effort to control
information security risks. This process will allow Xavier to obtain a continuous overview
of vulnerabilities in the IT environment and the risks associated with them. Only by
identifying and mitigating vulnerabilities in the IT environment can the University prevent
attackers from penetrating their environment.
Roles and responsibilities must be defined within the IT organization between the
Information Security Office and other internal teams in order to ensure that adequate
vulnerability management processes are being followed. External and internal
vulnerability assessments should be performed annually, and after any significant
infrastructure or application upgrade or modification. Penetration testing should be
performed at both the network and application layers.
Security Configuration
Hardening Standards
A comprehensive security configuration hardening standard is necessary for the security
of systems and network devices throughout the IT infrastructure. A detailed baseline
configuration standard should be used by Xavier, leveraging industry best practice such
as the NIST and CIS benchmarks. All systems and network devices should be configured
using these best practices in order to produce a more secure, hardened, and robust IT
environment.
Security configuration standards should be developed, documented, and audited
against.
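Auditing against the baseline is what turns a hardening standard into evidence. The Python block below is an added example and is not Xavier's actual standard or tooling: it parses an sshd_config-style file and reports every keyword that departs from a small illustrative baseline. The baseline values are assumptions in the spirit of the CIS benchmark for OpenSSH, not a copy of it, and the two configuration fragments (one deliberately weak, one corrected) are constructed for the example.

```python
import re

# Constructed, deliberately weak sshd_config fragment (a hypothetical host, not a Xavier system).
WEAK_CONFIG = """\
# sshd_config on a hypothetical host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
# PermitEmptyPasswords no   <- commented out, so the daemon default silently applies
"""

# The same host after remediation against the baseline below.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

# Illustrative baseline in the spirit of the CIS benchmark for OpenSSH. These values
# are assumptions for the example, not a copy of any published standard.
BASELINE_ALLOWED = {
    "PermitRootLogin": ("no",),
    "PasswordAuthentication": ("no",),
    "PermitEmptyPasswords": ("no",),
    "X11Forwarding": ("no",),
    "LogLevel": ("verbose", "info"),
}
BASELINE_MAX = {"MaxAuthTries": 4}

UNSET = "<unset>"


def parse_sshd_config(text):
    """Parse 'Keyword value' (or 'Keyword=value') lines into a dict keyed by lowercase keyword.

    sshd honours the FIRST occurrence of a keyword, so a later duplicate must not override it.
    Comments and blank lines are ignored; a commented-out keyword is the same as unset.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword without a value; sshd itself would reject the file
        keyword, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return settings


def audit(config_text):
    """Return (keyword, observed, required) findings; an empty list means compliant.

    Unset keywords are reported on purpose: a baseline should not rely on daemon
    defaults, which differ between OpenSSH versions and distributions.
    """
    settings = parse_sshd_config(config_text)
    findings = []
    for keyword, allowed in BASELINE_ALLOWED.items():
        observed = settings.get(keyword.lower(), UNSET)
        if observed.lower() not in allowed:
            findings.append((keyword, observed, "one of " + "/".join(allowed)))
    for keyword, limit in BASELINE_MAX.items():
        observed = settings.get(keyword.lower(), UNSET)
        if not observed.isdigit() or int(observed) > limit:
            findings.append((keyword, observed, f"<= {limit}"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(text)
        print(f"{name}: {len(result)} finding(s)")
        for keyword, observed, required in result:
            print(f"  {keyword}: observed {observed}, required {required}")
```

The parser keeps the first value of a repeated keyword because that is what sshd does; an audit that took the last value would pass a file in which a compliant line is silently shadowed by an earlier weak one. Each finding carries the observed and required values so the same output can serve as the remediation ticket and as the audit record the section calls for.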
Clean Desk Policy
Due to the open nature of Xavier’s campus and the inability to physically secure all
buildings, Xavier emphasizes the importance of a secure work area. Employees
should ensure that all confidential information in hardcopy or electronic form is secure in
their work area at the end of the day and when they are expected to be gone for an
extended period. Any confidential information should be removed from the desk and
locked in a drawer when the desk is unoccupied and at the end of the work day. File
cabinets containing confidential information should be kept closed and locked when not
in use or when not attended. Keys used for access to confidential information must not
be left at an unattended desk. Passwords may not be left on sticky notes posted on or
under a computer, nor may they be left written down in an accessible location. Printouts
containing confidential information should be immediately removed from the printer.
Enforcement
It is the responsibility of all users to comply with the Information Security Policy. Any
user in violation of the Information Security Policy may be subject to disciplinary actions.
Exceptions to Policy
Exceptions to this policy are strongly discouraged and should be temporary in nature.
Policy exceptions must be approved in writing by the Associate Provost and Chief
Information Officer. If for some reason a business process cannot comply with the
Information Security Policy, the designated Data Custodian should work with the
Information Security Office to address compensating controls and residual risk.
F. HISTORY
Version | Review/Approval | Name | Date
2015 | New document | Jim Miller | 1/27/2015
Other applicable policies and/or resources:
This document is part of the University’s cohesive set of security policies. Other policies
may apply to the topics covered in this document and, as such, the applicable policies
should be reviewed as necessary. Please refer to the other Xavier security policies
below for further information:
• Acceptable Use Policy
• Technology Services Website – Accounts & Password
• User Account Policy
• Web Privacy Policy
• Information Technologies Change Management Policy