Information Security Standard Date: June 3, 2009

Virginia Commonwealth University

Information Security Standard

Scope: This standard is applicable to all VCU faculty, staff, students, contractors, business partners, and IT service providers.
Approval Date: 6/3/2009: Approved by Senior Vice President for Finance and Administration and Provost
Effective Date: July 1, 2009
Compliance Date: January 1, 2010
Authority: VCU Information Security Officer
Review Frequency: Annually, or as needed


Table of Contents

1. Introduction
   1.1. Intent
   1.2. Information Security Roles and Responsibilities
   1.3. Information Security Program Compliance
   1.4. Exceptions to Information Security Requirements
2. Risk Management
   2.1. Business Impact Analysis
   2.2. IT System and Data Sensitivity Classification
   2.3. Sensitive IT Systems Inventory and Definition
   2.4. Risk Assessment
   2.5. IT Security Audits
3. IT Contingency Planning
   3.1. Continuity of Operations Planning
   3.2. IT Disaster Recovery Planning
   3.3. IT System and Data Backup and Restoration
4. IT Systems Security
   4.1. IT System Security Plans
   4.2. IT System Hardening
   4.3. IT Systems Interoperability Security
   4.4. Malicious Code Protection
   4.5. IT Systems Development Life Cycle Security
5. Logical Access Control
   5.1. Account Management
   5.2. Password Management
   5.3. Remote Access
6. Data Protection
   6.1. Data Storage Media Protection
   6.2. Encryption
7. Physical Security
   7.1. IT Systems
   7.2. Human, Natural, and Environmental Risks
   7.3. Environmental Controls
   7.4. Unauthorized Personnel
   7.5. IT Infrastructure Components
8. Personnel Security
   8.1. Access Determination and Control
   8.2. Information Security Awareness and Training
   8.3. Acceptable Use
   8.4. Email Communication
9. Threat Management
   9.1. Threat Detection
   9.2. IT Security Monitoring and Logging
   9.3. Information Security Incident Handling
   9.4. Data Breach Notification
10. IT Asset Management
   10.1. IT Asset Control
   10.2. Software License Management
   10.3. Configuration Management and Change Control
11. Appendix A - Glossary of Information Security Definitions
12. Appendix B - Glossary of Information Security Definitions
13. Appendix C - Information Security Policy and Standard Exception Request Form

1.  Introduction

1.1.  Intent

The intent of the Information Security Standard is to establish the baseline for information security controls that include, but are not limited to, the requirements of applicable state and federal statutes, as well as ISO 27002. These controls will provide protection of Virginia Commonwealth University (VCU) information systems and data.

This Standard defines the minimum acceptable level of information security for VCU, and VCU must implement an information security program that complies with this Standard, in order to provide adequate protection of VCU’s information systems and data, commensurate with sensitivity and risk.

The VCU Information Security Program consists of the following components:

§  Risk Management

§  IT Contingency Planning

§  IT Systems Security

§  Logical Access Control

§  Data Protection

§  Facilities Security

§  Personnel Security

§  Threat Management

§  IT Asset Management

These components provide the organizational framework for this Standard.

This Standard recognizes that VCU may procure IT equipment, systems and services covered by this Standard from third parties. In such instances, VCU remains accountable for maintaining compliance with this Standard and VCU must enforce these compliance requirements through documented agreements with third party providers.

1.2.  Information Security Roles and Responsibilities

This section defines the key information security roles and responsibilities included in the VCU Information Security Program. Individuals may be assigned multiple roles as long as there is adequate separation of duties, there is adequate protection against fraud, and it does not lead to a conflict of interests.
The roles are President, Chief Information Officer, Information Security Officer, Privacy Officer, Authoritative Unit Head, System Owner, Data Owner, System Administrator, Data Custodian, Information Technology Professional and Information System User.

1.2.1.  President

The President is ultimately responsible for the security of VCU’s information systems and data. The President’s security responsibilities include the following:

§  Designate an Information Security Officer (ISO) for VCU and identify that individual to appropriate state and federal agencies.

§  Determine the optimal place of the information security function within the VCU hierarchy.

§  Ensure the resources and environment to enable employees to carry out their responsibilities for securing information systems and data.

1.2.2.  Chief Information Officer

The Chief Information Officer (CIO) has operational responsibilities for the University’s information security program. The CIO’s security responsibilities include the following:

§  Oversee a VCU information security program that is sufficient to protect the agency’s information systems and that is documented and effectively communicated.

§  Establish a program of information security safeguards.

§  Ensure that information security awareness and training programs are available to students, faculty and staff.

§  Approve requests for exceptions to VCU’s information security standards based on risk, costs and compensating controls.

1.2.3.  Information Security Officer (ISO)

The ISO is responsible for developing and managing VCU’s information security program. The ISO’s duties are as follows:

§  Develop and manage a VCU information security program that meets or exceeds the requirements of VCU information security policies and standards in a manner commensurate with risk.

§  Verify and validate that all VCU IT systems and data are classified for sensitivity.

§  Develop and maintain an information security awareness and training program for VCU faculty, staff, students, contractors, business partners, and IT service providers.

§  Implement and maintain the appropriate balance of protective, detective and corrective controls for VCU IT systems commensurate with data sensitivity, risk and systems criticality.

1.2.4.  Authoritative Unit Head

An authoritative unit head is a dean or equivalent administrative officer (e.g. associate vice president/provost). The authoritative unit head has responsibility for the security of data, systems and technology under their direct management control. Authoritative unit heads may receive advice and input from the CIO and ISO regarding security issues but ultimately must manage their data and technology in accordance with these standards commensurate with risk and cost.

1.2.5.  Privacy Officer

VCU must have a specified Privacy Officer if required by law or regulation, such as the Health Insurance Portability and Accountability Act (HIPAA), and may choose to have one where not required. Otherwise these responsibilities are carried out by the ISO. The Privacy Officer provides guidance on:

§  The requirements of state and federal Privacy laws.

§  Disclosure of and access to sensitive data.

§  Security and protection requirements in conjunction with IT systems when there is some overlap among sensitivity, disclosure, privacy, and security issues.

1.2.6.  System Owner

The System Owner is the VCU manager responsible for operation and maintenance of a VCU IT system. With respect to information security, the System Owner’s responsibilities include the following:

§  Require that all IT system users complete required information security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually, thereafter.

§  Manage system risk and develop any additional information security policies and procedures required to protect the system in a manner commensurate with risk.

§  Maintain compliance with VCU information security policies and standards in all IT system activities.

§  Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.

§  Designate a System Administrator for the system.

1.2.7.  Data Owner

The Data Owner is the VCU manager responsible for the policy and practice decisions regarding data, and is responsible for the following:

§  Evaluate and classify sensitivity of the data.

§  Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.

§  Communicate data protection requirements to the System Owner.

§  Define requirements for access to the data.

1.2.8.  System Administrator

The System Administrator is an analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian. The System Administrator assists VCU management in the day-to-day administration of a VCU IT system, and implements security controls and other requirements of the VCU information security program on an IT system for which the System Administrator has been assigned responsibility.

1.2.9.  Data Custodian

The Data Custodian is an individual or organization in physical or logical possession of data for Data Owners. The Data Custodian is responsible for the following:

§  Protect the data in their possession from unauthorized access, alteration, destruction, or usage.

§  Establish, monitor, and operate IT systems in a manner consistent with VCU information security policies and standards.

§  Provide Data Owners with reports, when necessary and applicable.

1.2.10.  Information Technology Professional

Information technology professionals are employees in faculty or classified positions who have responsibility for managing or supporting data or information technology programs and activities in an academic or administrative unit. IT professionals are responsible for the following:

§  Read, understand and comply with VCU information security standards and requirements.

§  Ensure that data, systems and technology in their area complies with VCU information security standards and requirements.

§  Interpret VCU information security standards and provide advice and guidance to end users in their area regarding appropriate information security practices.

§  Report breaches of information security, actual or suspected, to the VCU Information Security Officer.

1.2.11.  Information System User

All users of VCU information systems, including faculty, staff, students, contractors, business partners, and IT service providers, are responsible for the following:

§  Read and comply with VCU information security program requirements.

§  Report breaches of information security, actual or suspected, to the VCU Information Security Officer.

§  Take reasonable and prudent steps to protect the security of IT systems and data to which they have access.

1.3.  Information Security Program Compliance


In order to provide adequate protection of VCU’s information systems and data, compliance with information security policies, standards and procedures is critical.

1.3.1.  Accountability

All information system users are responsible for complying with VCU information security standards. Individuals and academic/administrative units will be held accountable for non-compliance with information security policies, standards, procedures and initiatives. The authoritative unit head has responsibility for the proper application of information security standards for information systems and data under their immediate management control. Information technology professionals are responsible for knowing and understanding information security standards and practice and how to apply them to the technology and data under their or their users’ authority. When appropriate and warranted, an academic/administrative unit may be required to pay fees, charges, fines and expenses incurred or resulting from or related to non-compliance for which the academic/administrative unit is deemed in whole or in part responsible.

1.3.2.  Authority

The ISO has the authority to perform or delegate the performance of risk assessments, audits, security scans and spot checks of all academic/administrative units, their IT resources, non-IT information resources and physical locations.

The ISO has the authority to remove systems, suspend logical access, suspend physical access, monitor traffic, disable network service and take other action to eliminate threats to information resources and data or if there is failure to comply with requirements and requests. Unless there is threat of imminent exposure or loss of data or the disruption of critical services, the ISO will consult with the CIO and authoritative unit head prior to taking these actions.

1.3.3.  Corrective Actions and Sanctions

Appropriate sanctions will be imposed for non-compliance with information security policies, standards, procedures and initiatives. Sanctions will be commensurate with the actual and potential risk to information systems and data, the individual or academic/administrative unit’s role, the individual or academic/administrative unit’s history of non-compliance and the circumstances of the non-compliance.

Violations of Information Security policies, standards, procedures and initiatives may result in action up to and including termination of employment, services or relationship with VCU. Violations of local, state, federal or other laws and regulations will be reported to the appropriate, respective authorities.

Corrective actions and sanctions available include, but are not limited to:

§  Requirement to bring individual or unit into compliance

§  Mandating of corrective action

§  Requirement to obtain appropriate training

§  Temporary or permanent revocation of user accounts or logical access

§  Temporary or permanent revocation of physical access

§  Loss of access to data

§  Confiscation of equipment

§  Notification of supervisors and reporting to the Department of Assurance Services

§  Personnel actions including counseling, written notices, and disciplinary actions including suspension, transfer or demotion, and termination

1.3.4.  Reporting Issues or Incidents

Violations of information security policies, standards, procedures and initiatives should be reported to the ISO. The ISO, in consultation with the CIO and authoritative unit head, will develop a corrective action plan and proposed sanctions based on actual or potential damage or risk to VCU technology and data. The authoritative unit head is responsible for implementing the corrective action plan and sanctions.

1.4.  Exceptions to Information Security Requirements

Exceptions to this Standard require the approval of the Information Security Officer. For each exception, the requesting academic/administrative unit shall document:

§  The business or technical need

§  The scope and extent

§  Mitigating safeguards

§  Authoritative Unit Head approval


If the Information Security Officer denies a request for an exception to this Standard, the academic/administrative unit requesting the exception may appeal the denial to the VCU Chief Information Officer through the Information Security Officer. The form that academic/administrative units must use to document such exception requests is included as the Appendix to this document.

2.  Risk Management

Risk Management delineates the steps necessary to identify, analyze, prioritize, and mitigate risks that could compromise IT systems. This section defines requirements in the following areas: