Information Security Training
You have been redirected to this page to complete the last step of the security training.
This page contains Calvin's Information Security Policy. It is expected that you will read this policy in its entirety. It is critical that you are aware of the policies enacted by Calvin to ensure that all users of Calvin's IT assets abide by the prescriptions regarding the security of digital data. Once you have read the policy, you can close this page to complete the training. By closing this page, you are acknowledging that you have read and understood Calvin's Information Security Policy.
If you have any questions or concerns about the content of this policy, please contact the HelpDesk at helpdesk@calvin.edu or 616.526.8555.
I. Purpose
The Calvin University Board of Trustees, Administration, and Faculty Governors believe that the valuable information the University produces and has been given stewardship over should be protected from serious threats. Risks to this information's confidentiality, integrity and availability should be addressed and appropriate effort taken to reduce harm and negative impacts of these risks to the University and its constituents.
This policy addresses information security risk by establishing an information security data framework and related responsibilities.
II. Philosophy
Information security is the discipline of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. This goal is commonly expressed as protecting the confidentiality, integrity, and availability of information.
Information security enables safe sharing of information. This is accomplished by making necessary and appropriate information available to authorized people.
Information security is a responsibility shared by all and, therefore, must be cultivated and infused into the life and culture of the University.
The information security concepts articulated by this policy are meant to be consistent with information security best practices and College obligations, both contractual and regulatory.
III. Scope
This policy covers all information infrastructure and information assets that are owned by the University or used by the University under license or contract, whether electronic, print, or other.
This policy applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers, and vendors with access to University information resources.
IV. Definitions
Information Asset: Data in any media format created, processed and/or used by the business. Media formats may vary from paper copies (memos, letters, check stock, etc.) to electronic files stored on hard drives, USB flash memory devices, CDs, DVDs, back-up tapes, etc.
Information Infrastructure: Computing and telecommunications equipment, software, processes, facilities.
Physical Security: Physical barriers and control procedures applied as preventive measures or countermeasures against threats to resources and sensitive information. Door locks, guards, fire sprinklers and exit doors are examples of physical security measures.
Regulations with Information Security Impact:
- FERPA - Family Education Rights and Privacy Act
- HIPAA - Health Insurance Portability and Accountability Act
- GLBA - Gramm Leach Bliley Act
- FACTA - Fair and Accurate Credit Transactions Act
- PCI-DSS - Payment Card Industry Data Security Standard
- Michigan Identity Theft Protection Act 445.61 2004
- Michigan Library Privacy Act 455
V. Data Framework Classification and Roles
A. Data Classification Model
There are two general categories of information the University gathers during the normal course of institutional operation: Sensitive Information and Public Information:
- Sensitive Information: Information in this category may not be distributed without consideration of its sensitive nature.
  - Private information is personal information, including personal intellectual property, which is accessible only by its owner and those to whom the owner directly entrusts it, except under exceptional circumstances. Examples: intellectual property, email
  - Confidential information is institutional information normally handled in the same manner as private information, but may be accessed by other authorized members of the University community under limited additional circumstances. Examples: social security number, credit card information, date of birth, medical records, education record, financial record, library record
  - Community information is institutional information that is intended for distribution within the University community. Examples: listserv, internal mailings
- Public Information: Information in this category is distributed without restriction. Examples: marketing materials, public facing website
B. Roles
Information Users - An Information User is anyone who has access to a college information asset or infrastructure, and the ability to consume, use, or manipulate it.
Users are responsible for protecting information resources by adhering to University policies and exercising good judgment in the protection of information resources. Users may only access and use information for which they have been given authorization or that their job duties require. Users must also follow information usage procedures, standards and guidelines established by Information Owners, Stewards, or the Information Security Officer.
Users must alert College authorities of misuse, mishandling, or abuse of information (see the Incident Response section of this policy). Non-compliance with this policy could lead to disciplinary action (see the Enforcement section of this policy).
Information Owners - An Information Owner is someone who has chief responsibility over particular information. The responsibility includes how information is classified, used, maintained, protected, accessed, and disposed of.
Private Information is the responsibility of the information creator. Confidential information and community information is the responsibility of an upper level management representative, such as a Vice President. In order to execute these responsibilities, the Information Owner may delegate particular responsibilities to Information Stewards.
Information Stewards - An Information Steward is an individual or group that has delegated responsibility from the Information Owner over particular information classified as College confidential information or community information.
Stewards assist the Information Owner in carrying out the day-to-day care of their information, especially authorizing, revoking, and auditing access to and use of the information they have stewardship over.
Information Security Officer (ISO) - The Information Security Officer is tasked with oversight and execution of the College Information Security Program. The ISO is an advisor to the University and provides guidance and expertise in the discipline of Information Security.
The ISO has the authority to develop, monitor, and enforce policies, procedures, standards, and guidelines pertaining to information security and data privacy.
Information Custodians - Information Custodians are typically information technology professionals, engineers, and technical support staff. Vendors and other 3rd parties may also be contracted with to provide information custodianship. Custodians are responsible for the protection and maintenance of information assets.
Custodians work with systems, processes, and infrastructure to make information available for use.
VI. Responsibilities
A. Information Handling
- Unauthorized disclosure of sensitive information is prohibited.
- Unauthorized tampering or alteration of sensitive information is prohibited.
- Unauthorized destruction or disposal of sensitive information is prohibited. Laws and policies governing information retention must be complied with.
- When confidential information is being transported or stored, it must be protected from unauthorized disclosure, modification, or destruction.
- When possible, confidential information must be protected with sufficient publicly vetted encryption algorithms while in transit and at rest. If encryption is not possible, appropriate compensating controls must be considered and implemented.
- Before access is granted to confidential information, a signed non-disclosure agreement must be on file for that individual or organization. When appropriate, criminal and reputational background checks must be conducted.
- Confidential information being transported to or stored with a third party outside of the University's network or physical premise must be approved by the Information Security Officer and Information Owner / Information Steward. Particular attention should be given to risk assessment, audit of the third party's security controls, and contractual agreements.
- Confidential information, both digital and physical, must be disposed of properly to prevent unauthorized disclosure.
- Use of sensitive information outside of the parameters established by Information Owners / Information Stewards is prohibited.
B. Identity and Access
- Anonymous identities (usernames, UIDs) should be avoided, and are prohibited when accessing confidential information unless an exception is granted by the Information Security Officer and Information Owner / Information Steward. Exceptions must be documented, logged, and regularly reviewed.
- Information Users will be given the minimum level of access to systems and information that their duties require.
- No single employee with access to confidential data may be given total control of College identified critical or sensitive transactions. When appropriate, separation of duties or checks and balances must be implemented.
- Managers and Supervisors must report change of an employee's employment status or role to Human Resources or the Student Employment Office.
- Remote access to the University network or systems is only allowed by authorized individuals via methods which employ appropriate access control, encryption, and logging methods.
- Passwords, passphrases, and private keys (physical and private digital) must be protected, must comply with established College standards, and may not be shared.
- Usage of physical keys providing access to confidential data storage locations must be detected and logged. The identity of key holders must be documented and regularly reviewed.
C. Information Compromise
- If it is suspected that "sensitive" data has been accessed by an unauthorized party or has been used improperly by an authorized party, the discovering individual must report the incident immediately (see the Incident Response section of this policy).
- If a password, passphrase, or key is believed to have been compromised, it must be changed immediately. If that password authorizes access to sensitive information, the incident must be reported (see the Incident Response section of this policy).
D. Information Infrastructure
- Unauthorized eavesdropping, redirection, sniffing, and tapping of network traffic or systems is prohibited. Law enforcement, the Information Security Officer or authorized custodians may use these methods for judicial, criminal, incident investigation, or system administration purposes.
- Information infrastructure must be protected from theft, intrusion, malicious code, and abuse.
- Information infrastructure must be implemented and maintained according to a documented standard.
- Information infrastructure must be regularly patched for security and stability.
- Locations that house digital and paper copies of confidential data must employ appropriate physical preventative, detective, and deterrent controls.
- Availability of critical information and infrastructure must be reinforced with appropriate redundancy, backup, and disaster recovery plans and technologies.
- A "defense in depth" or layered security strategy must be applied to College information, network, and system architecture and design whenever possible, especially pertaining to sensitive information.
E. Assessment and Compliance
- Risk assessments must be regularly conducted to reveal security posture, and to identify vulnerabilities and weaknesses in software, infrastructure, policy, procedure, practices and personnel.
- All employees must participate in information security awareness training that is provided by the University.
- In addition to this policy, all security requirements found in state law, federal law, and other College contractual obligations, such as FERPA, HIPAA, GLBA, FACTA, PCI-DSS (not an exhaustive list) must also be considered and complied with.
VII. Incident Response
In the case of a sensitive data breach, or misuse/abuse of sensitive information, contact the Information Security Officer (ISO) or the Chief Information Officer (CIO) immediately.
The ISO or CIO will execute an incident response plan to address the Incident appropriately.
VIII. Enforcement
Violations of this policy will be handled consistent with College disciplinary procedures applicable to the relevant persons or departments. The University may temporarily suspend, block or restrict access to information and network resources in order to protect the integrity, security, or functionality of University resources or to protect the University from liability. The University may routinely monitor network traffic to assure the continued integrity and security of University resources in accordance with applicable University policies and laws. The University may also refer suspected violations of applicable law to appropriate law enforcement agencies.
IX. Policy Review
This Policy will be reviewed and updated annually, and as otherwise needed, by the Information Security Officer.