Information Security Management Policy: A Template

The following template is provided to help EDUCAUSE member institutions quickly develop their own Information
Security Management Policy. The template was developed by the Model Policy Sub-Committee of the Internet 2
Task Force on Security. It is available on the Model Policy Wiki at
https://wiki.internet2.edu/confluence/display/secguide/Security+Policies+and+Procedures
Outline of Information Security Management Policy
1.0 Management Commitment
The Why: Philosophy underlying the policy. We need to unpack the elements of this?
The What: Protect Confidentiality, Integrity and Availability of Information and the Reputation of the
Organization
2.0 Information security infrastructure
2.1 Organization and Governance
2.1.1 Information security coordination
2.1.2 Allocation of information security roles and responsibilities
Roles to include: data stewards, users, managers, service providers, auditor, Office of counsel, local IS
personnel, University Information Security Office and boundary with the campus police.
2.1.3 Management information security forum
2.1.4 Authorization process for information processing facilities
2.1.5 Specialist information security advice
2.1.6 Co-operation between organizations
2.1.7 Independent review of information security
3.0 Security of third party access, business agreements - identification of risks from third party access,
Security requirements in third party contracts
4.0 Outsourcing - security requirements in outsourcing contracts
5.0 Risk analysis and assessment
The Policy Title: Information Security Policy
1.0 Management Commitment: Statement of Responsibility and Commitment. The University considers
information to be a strategic asset that is essential to its core mission and business operations. Furthermore, the
University values the privacy of individuals and is dedicated to protecting the information with which it is entrusted.
Therefore, the University is committed to providing the resources needed to ensure confidentiality, integrity, and
availability of its information as well as reduce the risk of exposure that would damage the reputation of the
university. Information Technology Policy shall be established that supports the following core security values:
Support University mission. The Policy is designed to support the missions of the University, notably the creation
and dissemination of new knowledge, by protecting the University’s resources, reputation, legal position, and ability
to conduct its operations. It is intended to facilitate activities that are important to the University.
Consistent with institutional policies, contracts, and laws. The Policy is consistent with and serves to enforce
relevant University policies, contracts and license agreements governing software, copyrighted files, and other forms
of intellectual property; and laws and policies governing student, employee and patient information, health care and
research information, other sensitive information, and records retention laws and policies.
Privacy. Information Privacy is covered in the University Privacy Policy stated below [link this to your institutional
privacy policy].
Appropriate and cost-effective. Not all University resources require the same level of protection. Policy
requirements are formulated with the objective that the application of measures be commensurate with the
sensitivity and value of resources and the actual threats to those resources. The intent is not to dictate requirements
whose implementation would impose unnecessary costs.
106730476
Page 1 of 4
Best practices. The Policy articulates requirements that are intended to be consistent with the best practices at
institutions of higher education.
Shared responsibility. All members of the University community share in the responsibility for protecting University
resources for which they have access or custodianship. The Policy recognizes that people will need adequate
information, training, and tools to exercise their responsibilities and that these responsibilities must be made explicit.
Accountability. The Policy intends that members of the University community be accountable for their access to and
use of University resources.
Flexible and adaptable. The Policy aims to mandate specific procedures and practices only where necessary to
provide adequate protection. The goal is that members of the University community be able to exercise their
discretion and best judgment when determining how to protect resources for which they have responsibilities,
subject to legal and other obligations and policies of the University. Where procedures and practices are required,
they are meant to be flexible enough to change as circumstances change.
Emergency preparedness. It is not possible to prevent all incidents affecting information technology. The Policy is
designed to ensure that appropriate measures are taken to prepare for possible incidents, including implementation
of business continuity measures to protect critical information systems and processes.
Reassessment. The Policy recognizes that revisions may be required and that reassessment of the Policy is valuable.
Notes
A number of university policy statements express management's commitment to information security and the value
they place on it. A number of these also explain briefly why they consider information security
important. These typically take one of the following two approaches.
• Information is a valuable strategic/organizational asset/resource that is essential to the business of the
University. Therefore, the University is obligated to manage, control, and protect its information resources
as it would other strategic assets. (This version was by far the most prevalent.)
• Information security is an enabling process or a management opportunity for a University operating in an
environment defined by a constant flow of threats and risks.
Also, note a number of common action phrases. These may be helpful as one reviews and revises the general policy
statement.
• committed to, dedicated to, strives to, actively seeks to
• values, promotes
• demonstrates support for
• acknowledges an obligation to ensure
• makes every reasonable effort to
1.1 The Security Mandate. The University will protect the confidentiality, integrity, and availability of university
information as well as reduce the risk of information exposure that would damage the reputation of the university.
This we will call the 'security mandate' of the university.
2.0 Information Security Infrastructure
2.1 Organization and Governance. In order to promote the security mandate of the university, (fill in some
governing body) shall:
1. Oversee risk management and compliance programs pertaining to information security, such as Sarbanes-Oxley,
HIPAA, Gramm-Leach-Bliley, and PCI.
2. Approve and adopt broad information security program principles and approve assignment of key managers
responsible for information security.
3. Strive to protect the interests of all stakeholders dependent on information security.
4. Review information security policies regarding strategic partners and other third-parties.
5. Strive to ensure business continuity.
6. Review provisions for internal and external audits of the information security program.
7. Collaborate with management to specify the information security metrics to be reported to the board.
Notes: These points are taken from www.educause.edu/ir/library/word/SWR0514.doc
2.1.1 Information Security coordination. In order to promote the security mandate of the university, management
shall:
1. Establish information security management policies and controls and monitor compliance.
2. Assign information security roles, responsibilities, and required skills, and enforce role-based information access
privileges.
3. Assess information risks, establish risk thresholds and actively manage risk mitigation.
4. Ensure implementation of information security requirements for strategic partners and other third-parties.
5. Identify and classify information assets.
6. Implement and test business continuity plans.
7. Approve information systems architecture during acquisition, development, operations, and maintenance.
8. Protect the physical environment.
9. Ensure internal and external audits of the information security program with timely follow-up.
10. Collaborate with security staff to specify the information security metrics to be reported to management.
Notes: These points are taken from www.educause.edu/ir/library/word/SWR0514.doc
2.1.2 Allocation of information security roles and responsibilities. In order to promote the security mandate of
the university, the following management roles shall be assigned in writing by the university executive council, and
appropriate boundaries shall be set between these roles. Note that some roles could be combined in one
person or be filled by consultants:
Chief Information Security Officer (CISO) has responsibility for the design, implementation, and management of
the university's Information Security Program. The CISO promotes a strategic vision for information security,
oversees information security policy development and compliance, provides direction on user awareness and
education programming, manages large-scale projects and initiatives as needed, and advises senior management on
the risks to university information in the context of regulatory, legal, audit, contractual, and other applicable
requirements. The CISO provides direction to security policy. The CISO role does not usually include …
Chief Information Officer (CIO) is a senior executive with responsibility for university information as an asset,
including information technology. The CIO provides leadership and strategic vision for management including
security management of information throughout the whole organization.
Chief Security Officer – Coordinates (or oversees) all security programs and staff for the entire organization. This
includes physical security and almost always includes information security. Some recent security programs have
been made part of a broader risk management program and could include business continuity as well.
Information Security Officer – See Chief Information Security Officer
Information Privacy Officer – Protects information about individuals from unreasonable intrusion and lack of due
process.
Auditor – Responsible for an independent review and examination of information system records and activities that
test for adequacy of systems controls, compliance with established policy and operational procedures, and
recommend any indicated changes in controls, policy, and procedures.
Office of Counsel – Responsible for providing legal advice to the University. Some counsels also manage risk compliance
and security policy.
Notes: Many policy experts recommend that the Office of Counsel not have final authority on what policy is
adopted. This is because the goal of good policy may not coincide with the goal of policy that minimizes the
institution's exposure to legal action.
Data Stewards – Those persons responsible for ensuring, within their area of assigned responsibility, that University
Information is used with appropriate and relevant levels of access and with sufficient assurance of its confidentiality
and integrity, in compliance with existing laws, rules, and regulations.
2.1.3 Management information security advisory council
Policy: An information security advisory council will be established by appointment of university executives to
advise the ISO on policy issues, functional security issues, and issues developing in the members' areas of focus; to
help resolve issues; and to act as liaison with the broader university community.
2.1.4 Authorization process for information processing facilities
Policy: The establishment of information processing facilities, whether comprised of single or multiple servers or
services, will have the express approval of the ISO and be accountable to the ISO.
2.1.5 Specialist information security advice
Policy: Contracts or relationships with outside vendors that involve university data or information must be reviewed
(or approved) by the ISO.
2.1.6 Cooperation between organizations
Policy: A comprehensive and effective information security program requires the coordination of all security efforts
within the larger institution. All organizations that provide IT services must work collaboratively to effect security
solutions that are compatible with each other. They must also coordinate their technical and policy decisions with
the institutional security program and with the Information Security Officer.
2.1.7 Independent review of information security
Policy: Annual information security audits will be performed by external auditors, either as part of existing financial
audits or as established by the ISO. Results of the audit will be presented to the ISO and the Internal Auditor who
will promote corrective action within the organization.
3.0 Security of Third Party Access (Business agreements)
Policy: Third party access may put information at risk without careful security management. Third parties requesting
access to electronic networks, devices and data will assure compliance with all laws, university policies, and standards
(such as those for confidentiality, integrity, and availability) to protect the systems and information. The ISO will examine
the proposed third party access for risk before approving any access. The granting of access is usually for a limited
time and is revocable.
4.0 Outsourcing - security requirements in outsourcing contracts
Policy: Responsibility for overseeing outsourced relationships resides with senior management, including the ISO.
The overall vendor "program" should include a framework to identify, measure, monitor, and control the risks associated
with outsourcing. The contract with third parties includes the service provider's responsibility for: security and
confidentiality of the university's resources, protection against unauthorized use, disclosure of security breaches
and intrusions, compliance with regulatory requirements, and business continuity plans. The contract also includes
university approval rights for any changes to services, systems, controls, key project personnel and locations of
service; audits; and periodic independent control review reports such as penetration testing, intrusion detection, reviews
of firewalls and proper controls.
5.0 Risk analysis and assessment
Policy: An information risk analysis and assessment must be performed at the direction of the ISO and will become
the basis of an Information Security Program or series of Programs.