Proposed Information Security Policy

[Approved by the Data Oversight Committee on 5/24/07. The policy is awaiting ratification by the Officers.The University is currently operating under this policy pending ratification.]

The purpose of this policy is to protect Notre Dame’s information resources from accidental or intentional unauthorized access or damage, while also preserving the open information sharing requirements of its academic culture. The Officers of the University expect University information in any form, and related assets to be accurate, available for authorized use, and protected from misuse or modification.

This policy lays the foundation for a common understanding of information security at Notre Dame based upon the generally accepted information security principles of confidentiality, integrity and availability. Confidentiality limits information access to authorized users. Integrity protects information against unauthorized modification. Availability ensures that information is accessible when needed. Together, these three principles ensure that University information can be used in support of the pursuit of the University’s goals of teaching, research, and service.

Information that Notre Dame or its agents use in the course of conducting University business is an institutional resource. Although individuals, offices, departments, programs, or schools may have responsibilities for creating and maintaining portions of University information and University records, the University itself retains ownership of, and responsibility for, the information.

Scope

This policy applies to faculty, staff, students, and all others granted use of University information or related assets and defines their responsibility for the protection and appropriate use of University information, applications, computer systems, and networks.

Requirements

University Officers will appoint Data Stewards [list, PDF], each charged with responsibility for a segment of University information, and with participating as members of the Data Oversight Committee. Data Stewards will assign information under their stewardship to one of four security classifications: public, internal, sensitive and highly sensitive. These classifications are based upon the information’s intended use and the expected impact if disclosed.

The Data Oversight Committee, chaired by the Chief Information Officer (CIO), will publish, at a minimum, the following:

• Information Handling Standards
• Security Configuration Standards (authentication required)
• Server Management Standards

These standards will specify controls to manage risks to the confidentiality, integrity and availability of University information and related assets. All individuals are responsible for complying with these controls. The University will conduct periodic risk assessments to determine the effectiveness of such controls, and perform audits to measure levels of compliance. The Data Oversight Committee will review any standards related to this policy on a regular cycle they determine to be appropriate.

The Data Oversight Committee will arbitrate disputes related to this policy. Appeals of Data Oversight Committee decisions can be made in writing to the Provost or Executive Vice President.

The Office of Information Technologies will maintain a formal information security awareness, training and education program, to ensure that all individuals are aware of their responsibilities.

The Office of General Counsel and Office of Information Technologies will review information technology product or service contracts. This review will include identification of risks related to information security.

The University’s policy is to comply with all applicable legislative, regulatory and contractual requirements concerning information security. University information security standards may exceed legally prescribed requirements.

Policy Enforcement

Enforcement

The Office of Information Technologies will investigate suspected violations, and may recommend disciplinary action in accordance with University codes of conduct, policies, or applicable laws. Sanctions may include one or more of the following:

• Suspension or termination of access
• Disciplinary action up to and including termination of employment
• Student discipline in accordance with applicable University policy
• Civil or criminal penalties

Reporting Violations

Report suspected violations of this policy to the Office of Information Technologies, or to the appropriate Data Steward. Reports of violations are considered Sensitive Information until otherwise classified.

Responsibilities

Chief Information Officer

• Nominates members of the Data Oversight Committee
• Serves as the chair of the Data Oversight Committee
• Acts as Data Steward for all University information not otherwise assigned

Data Oversight Committee

• Assigns responsibility for managing specific elements of University information to individual Data Stewards
• Approves information handling standards
• Recommends business process or control changes necessary for compliance with this policy, with the approval of the CIO
• Arbitrates disputes related to this policy or related standards
• Ensures that the University conducts periodic risk assessments
• Conducts periodic review of any standards related to this policy
• Conducts annual review of this policy

Data Steward

• Ensures the confidentiality, integrity and availability of University information
• Classifies all University information
• Defines access to and restrictions on use of the information for which he or she is responsible.

Faculty, Staff, Students

• Protect the privacy and security of University information, applications, computer systems, and networks under their control
• Adhere to all relevant information handling standards
• Report suspected violations of this policy to the Director of Information Security or to the appropriate Data Steward

Office of Information Technologies

• Implements this policy
• Maintains the information security awareness, training and education program
• Investigates suspected violations of the Information Security Policy
• Assists in creating and maintaining standards and procedures related to this policy

Definitions

Data Handling
Using, storing, processing, transferring, administering, aggregating, sharing, and/or maintaining University information

Information Security
The protection of the confidentiality, integrity, and availability of University information.

Information Technology Assets
Applications, computer systems, servers, networks and related devices owned by or entrusted to the University.

Security Classifications
Categories of University information based upon intended use and expected impact if disclosed.

• Public
  Information intended for public use that, when used as intended, would have no adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.
• Internal
  Information not intended for parties outside the University that, if disclosed, would have minimal or no adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.
• Sensitive
  Information intended for limited use within the University that, if disclosed, could be expected to have a serious adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.
• Highly Sensitive
  Information intended for very limited use within the University that, if disclosed, could be expected to have a severe adverse effect on the operations, assets, or reputation of the University, or the University's obligations concerning information privacy.

University Information
All information that the University of Notre Dame or its agents use in the course of conducting University business, except those materials specifically excluded from University ownership as set forth in the University's Intellectual Property Policy.

University Records
Recorded information, in any form, created or received in the course of conducting University business and kept as evidence of such activity, excluding transitory work products.

Reference Documents

Notre Dame Documents:

• Archives and Records Management Policy
• Incident Response Policy and Procedures
• Information Handling Standards
• Information Management Policy
• Intellectual Property Policy
• Strong Password Standard
• Responsible Use of Information Technology Resources
• Security Configuration Standards (authentication required)
• Server Management Standards

Notable External Documents:

• Code of practice for information security management; ISO 17799
• Family Educational Rights and Privacy Act (FERPA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Indiana Disposal of Personal Information (Indiana Code 24-4-14)
• Payment Card Industry Data Security Standard (PCI DSS)

Contacts

Policy Clarification, Reporting Violations:
OIT Information Security
http://secure.nd.edu