A security plan provides an overview of the security requirements of the system


Information security is essential to the mission of Iowa State University and is a university-wide responsibility. The Iowa State Information Technology Security Plan defines the information security standards and procedures for ensuring the confidentiality, integrity, and availability of all information systems resources and data under the control of Iowa State. The purpose of this security plan is to provide an overview of the security requirements of the IT system and describe the controls in place or planned for meeting those requirements. Furthermore, the university recognizes its responsibility to promote security awareness among the members of the Iowa State University community. The objective of the security plan is to improve protection of IT resources.

Scope

Iowa State University is responsible for protecting the confidentiality, integrity, and availability of University information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the integrity of the mission of Iowa State, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure they are familiar with and adhere to Iowa State policies, including privacy, acceptable use of information technology resources, and other facilities and properties policies.

This plan applies to any use of the University’s computing or network resources as defined in the Acceptable Use of Information Technology Resources policy and the other facilities and property policies. Additional standards and procedures may govern specific data, computer systems, or networks provided or operated by third-party service providers. This plan applies to all university personnel and entities and is to be read by all university technical support staff and information asset owners.

Definitions

ISU
Iowa State University

ITS
Information Technology Services

Audit
An independent, unbiased examination of an information system to verify that it is in compliance with its own rules; the process of collecting and evaluating evidence of an organization’s security practices and operations in order to ensure that an information system safeguards the organization’s assets, maintains data integrity, and is operating effectively and efficiently to meet the organization’s objectives.

Availability
A property that assures that the system has the capacity to meet service needs. It includes timeliness and usability. The property of availability protects against threats of denial of service.

Backup
The process of copying data onto electronic storage media (i.e., backing up) that may then be used to restore the data to its original form after the occurrence of a data loss event or data file corruption. Two backup types are referenced in this document:

  1. Full – a complete backup of all data, whether or not changes have occurred
  2. Incremental – a backup of only those files that have changed or been added since the last full or incremental backup was performed

Confidential Data or Records
Data or records of a private, proprietary, or otherwise sensitive nature.

Confidentiality
A property that assures information and systems are accessible only by authorized parties or entities. The property of confidentiality protects a system from the threat of disclosure. A disclosure threat is the possibility that data will be accessed by unauthorized parties or entities.

Criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission.

Data Classification
The data within a record dictates the level of security required during the management, storage, and ultimate disposition of the record. Data classified as Moderate or higher under the Iowa State Data Classification policy must be secured at all times, including during the disposal process.

Data Corruption
The result of errors in computer data that occur during electronic writing, reading, storage, transmission, or processing, that introduce unintended changes to the original data. Generally, when data corruption occurs, the file containing the data becomes inaccessible and/or unusable.

Disaster

  1. An emergency or other event resulting in the destruction, theft, or corruption of data.
  2. An inability to access an information system and/or its data for longer than a reasonable period, the duration of which is determined by the criticality of the system resources and data.
  3. Extensive damage inflicted on an information system, the availability of which is necessary for the maintenance of confidentiality, integrity, and availability of data required for the operation of an organization.

Disaster Recovery
The process, policies, and procedures preparing for recovery or continuation of the technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery includes planning for resumption of operating system and application software, data, hardware, and communications (networking).

Distributed System
An information system composed of multiple autonomous computers that communicate through a computer network.

Integrity
A property that assures that unauthorized changes in data cannot occur or can be detected if they do occur. The property of integrity protects against threats of modification and fabrication.

IT Security or Security in IT
The preservation of confidentiality, integrity, and availability of an information system and/or the data that resides on it.

IT Resources
All Iowa State computing systems, equipment, hardware, software, data, facilities, networks, and services that are used for the support of the teaching, research, and administrative activities of Iowa State.

Privacy
A subset of confidentiality. It concerns information about an entity and assures that this information is not made public or accessible by unauthorized parties or entities.

Restricted Data
Highly sensitive information intended for limited, specific use by individuals, workgroups, departments, or organizations with a legitimate “need to know.” On Iowa State systems, this is data stored digitally that requires restrictions on its access and dissemination, as defined by federal or state law or by Iowa State policies and standards.

Risk
The probability that a particular vulnerability or vulnerabilities in the Iowa State information system will be intentionally or unintentionally exploited by a threat which may result in the loss of confidentiality, integrity, or availability, along with the potential impact such a loss of confidentiality, integrity, or availability would have on Iowa State operations, assets, or individuals.

Stored Record
A record that has been retained for a definite period or permanently.

Threat
Any circumstance or event that has the potential to intentionally or unintentionally exploit a particular vulnerability in the Iowa State System, resulting in a loss of confidentiality, integrity, or availability.

Roles and Responsibilities

Chief Information Officer (CIO)
The Office of the Chief Information Officer has overall responsibility for the security of the university's information technologies. Implementation of security policies is delegated throughout the university to various university services; to colleges, departments, and other units; and to individual users of campus IT resources.

Director Information Security
This role is responsible for ensuring various aspects of Iowa State’s cyber and information security:

  • Ensuring that Iowa State’s staff, policies, processes, practices, and technologies proactively protect, shield, and defend the organization from cyber threats, and prevent the occurrence and recurrence of cybersecurity incidents commensurate with the organization’s risk tolerance.
  • Ensuring that Iowa State’s staff, policies, processes, practices, and technologies monitor ongoing operations, actively hunt for and detect adversaries, and report instances of suspicious and unauthorized events as expeditiously as possible.
  • Ensuring that Iowa State’s staff, policies, processes, practices, and technologies are rapidly deployed to return assets to normal operations as soon as possible.
  • Ensuring that Iowa State’s leadership, staff, policies, processes, practices, and technologies provide ongoing oversight, management, performance measurement, and course correction of all cybersecurity activities.

Director Endpoint Protection and Identity and Access Management
This role is responsible for ensuring various aspects of Iowa State’s Endpoint Protection and Identity and Access Management:

  • Ensuring that Iowa State’s staff, policies, processes, practices, and technologies proactively protect, shield, and defend the organization from cyber threats, and prevent the occurrence and recurrence of cybersecurity incidents commensurate with the organization’s risk tolerance.
  • Ensuring that Iowa State’s staff, policies, processes, practices, and technologies monitor ongoing operations, actively hunt for and detect adversaries, and report instances of suspicious and unauthorized events as expeditiously as possible.
  • Ensuring that Iowa State’s staff, policies, processes, practices, and technologies are rapidly deployed to return assets to normal operations as soon as possible.

IT Security and Policies Team
The IT Security and Policies Team is responsible for ensuring the security of the IT services provided. The team must make sure that all intellectual property and proprietary information are protected. This role is responsible for taking all necessary preventive measures to ensure the security of the services provided by Iowa State.

Data Protection Officer (DPO)
Responsible for ensuring that the organization is compliant with the GDPR. The DPO should:

  • Provide advice and guidance to the organization and its employees on the requirements of the GDPR
  • Monitor the organization’s compliance
  • Be consulted and provide advice during Data Protection Impact Assessments
  • Be the point of contact for data subjects and for cooperating and consulting with national supervisory authorities, such as the Information Commissioner’s Office
  • Take responsibility for carrying out data audits and oversee the implementation of compliance tools

Critical Incident Readiness Team (CIRT)
CIRT is responsible for providing for rapid, systematic, and coordinated early intervention in critical incidents. CIRT works with the President and other university leaders to address critical incidents.

Data Steward
A university office represented by an executive officer. The data steward has policy-level and planning responsibilities for data owned by the university in their functional areas. Data stewards, as a group, are responsible for recommending policies and establishing procedures and guidelines for university-wide data administration activities. Data stewards may delegate the implementation of university policies, standards, and guidelines to data custodians.

Data Custodian
The data custodian is the individual or entity (including outsourced services) in possession or control of data and is responsible for safeguarding the data according to the policies and procedures established by the associated data steward. The appropriate level of protection is based on the Iowa State Data Classification policy and the Minimum Security Standards for Protected Data.

Data User
The data user, synonymous with user, is the individual, automated application or process that is authorized by the data steward to create, enter, edit, and access data, in accordance with the data steward's policies and procedures. Users have a responsibility to:

  • Maintain the security of passwords, personal identification numbers (PINs), authentication tokens and certificates; and will be held accountable for any activities linked to their accounts
  • Manage all forms of authentication and security controls to information processing systems based on the Minimum Security Standards for Protected Data
  • Use the data only for the purpose specified by the data steward
  • Comply with controls established by the data steward
  • Prevent disclosure of confidential or sensitive data
  • Report suspected security incidents that may have breached the confidentiality of data

Colleges, Departments, and Other Units
Colleges, departments, and other units are responsible for securing any information they create, manage, or store, and for any information they acquire or access from other university systems (e.g., student educational records, personnel records, business information). This responsibility includes completing periodic risk assessments, developing and implementing appropriate security practices, and complying with all aspects of this policy.

Individuals Using Personally-Owned Computers and Other Network Devices
Students, faculty, and staff who use personally-owned systems to access university resources are responsible for the security of their personally-owned computers or other network devices and are subject to the following:

  • The provisions of the IT Security policy and the standards, procedures, and guidelines established by IT Services for university computing and network facilities.
  • All other laws, regulations, or policies directed at the individual user.

Third Party Vendors
Third party vendors providing hosted services and vendors providing support, whether on campus or from a remote location, are subject to Iowa State University security policies and will be required to acknowledge this in the contractual agreements. The vendors are subject to the same auditing and risk assessment requirements as colleges, departments, and other units. All contracts, audits and risk assessments involving third party vendors will be reviewed and approved by the university Data Steward based on their area of responsibility.

Other Registered Entities
Any entity that is a registered user and connected to the university network is responsible for the security of its computers and network devices and is subject to the following:

  • The provisions of the IT Security policy and the standards, procedures, and guidelines established by IT Services for university computing and network facilities.
  • All other laws, regulations, or policies directed at the organization and its individual users.

Policies

Iowa State recognizes that IT system security is a crucially important aspect of any information system, as it is the only way to safeguard protected data and other sensitive information, to identify and eliminate security threats, and ensure compliance with mandated security requirements. Iowa State provides IT resources to a large and varied group, including faculty, staff, students, and guests. All members of this community are accountable for using these resources in an ethical and respectful manner that protects sensitive University information and follows the IT policies, standards, and procedures. Failure to comply with established policies and practices may result in loss of computing privileges and/or disciplinary action.

IT Security follows the policies, standards, and procedures below. Additional policies, standards, and procedures are available at:

  • Iowa State Policy Library - Information Technology
  • IT Standards & Policies

University Policy

Acceptable Use of Information Technology Resources
Iowa State’s Acceptable Use of IT Resources Policy (AUP) provides for access to IT resources and communications networks within a culture of openness and integrity. In addition, Iowa State is committed to protecting itself and its faculty, staff, and students from unethical, illegal, or damaging actions by individuals using these systems.

Communication Technology
The university recognizes that the performance of certain job responsibilities may require the provision of additional communication technology devices or services as determined by the head of the employing unit and in accordance with university eligibility requirements. The purpose of this policy is to establish limitations and parameters for funding communication technology devices and services. This policy is also intended to preserve university resources and prevent misuse of funds.

Communication technology services shall be defined as cellular phone voice/text messaging service, cellular phone ISP (Internet Service Provider) data service associated with devices (e.g., smart phones and PDAs), and cellular wireless modems associated with devices (e.g., laptop computers).

Cell Phones
Cell phones are covered under the Communication Technology Policy as of July 2009.

Copyright Ownership and Management of Software
The purposes of this policy are to:

  • Facilitate scholarly collaborations
  • Fairly balance the interests of authors of software and proper stewardship of university resources
  • Protect the rights of sponsors of research
  • Encourage effective and efficient distribution of rights in the software developed at Iowa State University.

Data Classification Policy
The Iowa State Data Classification policy provides the university with a method to categorize the information collected, stored, and managed by the university community. Using the data classification method will improve the ability of the university community to properly manage access to university information in compliance with federal and state laws and regulations, and other university policy requirements.

Data Classification Standards and Guidance
The Data Classification Standards and Guidance provide instructions for complying with the Data Classification Policy.

Domain Name System (DNS)
The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet. The DNS translates meaningful domain names to the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

Electronic Privacy
Iowa State is required by federal and state laws to keep certain information confidential. Privacy and confidentiality must be balanced with the need for the university to manage and maintain networks and systems against improper use and misconduct.

Employee Records
University Human Resources and the Office of the Senior Vice President and Provost are responsible for the establishment and maintenance of the official personnel records regarding the employee's employment relationship with the university.

Identification (ID) Card (ISUCard)
The ISUCard is the university's employee identification (ID) card. Each student is assigned a random university identification number on entry to the university. This number appears on the ISUCard that is provided to each student at the time of first registration.

Identity Theft Prevention
Iowa State extends, renews, and continues credit for student and employee accounts involving student loans, institutional loans, and payment for services received over time. Also, in some instances, Iowa State receives consumer reports from credit reporting agencies. Due to its involvement in these activities, Iowa State must comply with the "Red Flags Rule" established by the Federal Trade Commission (FTC) to help prevent identity theft. These regulations are part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).

It was also determined that, in certain cases, a university department does receive a consumer report from a credit reporting agency, and therefore is subject to the duties of users of consumer reports regarding address discrepancies. However, the task force also determined that the Iowa State card is not a debit or credit card but a "stored value" card that cannot be processed through the regular financial debit/credit card network unless a student chooses to add the optional services from our third-party servicer, US Bank. For that reason, Iowa State is not responsible for the Red Flags Rule duties of card issuers regarding changes of address; our contractual service provider, currently US Bank, is responsible for compliance with the Red Flags Rule in that respect.

Information Disclosures
The Higher Education Opportunity Act of 2008 (HEOA) requires that postsecondary institutions participating in federal student aid programs make certain disclosures to enrolled and prospective students, parents, employees, and the public.

Social Security Number Protection
Iowa State recognizes that it collects and maintains confidential information relating to its students, employees, and individuals associated with the University and is committed to maintaining the privacy and confidentiality of an individual's Social Security Number (SSN). This policy applies to all individuals and University organizational units that have access to, collect, or use an individual's SSN.

Student Records
Iowa State University maintains various records concerning students, to document their academic progress as well as to record their interactions with university staff and officials. In order that their right to privacy is preserved and to conform with federal law, the university has established certain policies to govern the handling of student records. All policies conform with FERPA, the Family Educational Rights and Privacy Act (also known as the Buckley Amendment).

Student Cumulative Record Retention
Health records are a part of the school cumulative record, the working record used by school staff in understanding the student. The cumulative record is defined as a continuous and current record of significant information on progress and growth. These records may be in various school locations. Examples of components of the cumulative school record are the school attendance record, physical record, and health record.

Video Cameras, Administrative Uses
Iowa State University’s administrative use of video cameras enhances the efficiency of operations and the safety of the university community. However, administrative use of video cameras is permitted on university property only where privacy and legal standards are met.

This policy regulates the university’s administrative use of video cameras for reasons of safety, security, or enhancement of business services that may capture human behavior and interaction without the subjects’ consent.

Equipment Reassignment or Disposal
The purpose of this policy is to ensure accountability in managing public assets and compliance with state, federal, Regents and NCAA requirements for the proper disposal of equipment and other university-owned materials. In addition, this policy promotes reuse of equipment/materials and is consistent with the university's sustainability goals and repurposing efforts. Equipment and materials purchased with university funds, including discretionary and Iowa State foundation funds, are university-owned and subject to this policy.

Export Controls
Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR) prohibit the export of specified technology and related technical information to certain foreign nations and their citizens. Office of Foreign Asset Control (OFAC) regulations prohibit economic activities with certain listed countries, entities and individuals. Federal law allows the imposition of both civil and criminal sanctions for violations.

The EAR and ITAR each list certain articles, materials, supplies, software and other items, together with technical information about those items, as restricted for export control purposes ("Export-Controlled Items"). What constitutes Export-Controlled Items is constantly changing as items are added to and dropped from the lists. As indicated below, certain offices on campus are designated to make determinations regarding whether export controls apply.

The law controls the transfer of Export-Controlled Items outside of the United States. It also covers the transfer of technical information about Export-Controlled Items to foreign persons within the United States (a "Deemed Export"). For this reason, determining in advance whether research, equipment, or software is subject to export controls is vitally important to the university.

As an institution with many foreign visitors and with international collaborations both here and abroad, Iowa State University's compliance with export controls must be a priority. Because of the nature of our activities and the broad application of the law, compliance with regulations is a broadly shared responsibility on the campus.

E-mail, University Communications
Iowa State University must be able to communicate quickly and efficiently with faculty, staff, and students in order to conduct university business. E-mail is an acceptable and appropriate medium for such communications.

IT Security Incident Reporting Policy
Compromises in security can potentially occur at every level of computing from an individual's desktop computer to the largest and best-protected systems on campus. Incidents can be accidental incursions or deliberate attempts to break into systems and can be benign to malicious in purpose or consequence. Regardless, each incident requires a careful response at a level commensurate with its potential impact to the security of individuals and the campus as a whole.

For the purposes of this policy an "IT security incident" is any accidental or malicious act with the potential to:

  • result in misappropriation or misuse of confidential information (social security number, grades, health records, financial transactions, etc.) of an individual or individuals
  • significantly imperil the functionality of the information technology infrastructure of the Iowa State campus
  • provide for unauthorized access to university resources or information
  • allow Iowa State information technology resources to be used to launch attacks against the resources and information of other individuals or organizations.

In the case when an IT security incident is determined to be of potentially serious consequence, the responsibility for acting to resolve the incident and to respond to any negative impact rests with the university rather than individuals, colleges, departments, or units. The university has established procedures and identified an IT Security Response Team (ITSRT) as its authority in developing response plans to serious IT security incidents. As described below, reports of IT security incidents will be forwarded to ITSRT. The ITSRT follows protocols in determining what actions should be taken and depending upon the nature of the security incident will determine whether incidents should be handled within the purview of the department, college, or unit or by security specialists within ITSRT. In some cases, the ITSRT may escalate the incident to law enforcement, university counsel, or other university officers.

This document outlines the procedures individuals should follow to report potentially serious IT security incidents. University staff members whose responsibilities include managing computing and communications systems have even greater responsibilities. This document outlines their responsibilities in securing systems, monitoring and reporting IT security incidents, and assisting individuals, administrators, and other IT staff to resolve security problems.

Mail Services
Iowa Code, Section 721.2.5, prohibits use of university Postal and Parcel Services for any private purpose or personal gain.

Mailing Address Changes
This policy complies with the U.S. Postal Service Conditions of Delivery.

Minimum Security Standards and Guidance
This standard, in concert with the Data Classification Policy, implements the Data Protection Requirements section of the IT security plan. Adherence to these standards is an essential safeguard for the protection of electronic university data and systems. However, compliance does not assure complete security. These standards should be incorporated into a comprehensive security plan. Additional policies and laws may also apply.

Personal Use and Misuse of University Property
This policy provides clarification regarding personal use and misuse of university property. State law, specifically Section 721.2 of the Iowa Code, prohibits any state employee from using or permitting any other person to use, property owned by the state or any subdivision or agency of the state for any private purpose or for personal gain to the detriment of the state. Violation of this statute is a serious misdemeanor.

Public Records Exemption for Security-Related Information
Iowa law (Iowa Code §§ 22.7(50) and 22.8) allows non-disclosure of security-related information when the institution has a policy exempting such information or where the disclosure would not be in the public interest. Disclosure of certain information may increase risks to persons and facilities. This policy is intended to increase the safety and security of persons and property on the campus.

Records Retention
There are three guiding purposes for this records retention policy:

  1. Accountability
     This policy is written to assure compliance with state, federal, and other global laws as applicable to the University. As a public institution, the university has an obligation of accountability. By preserving university records, the institution documents its policies, actions, and determinations.
  2. History
     Key records of the institution document its history and its character.
  3. Efficiency
     An appropriate records retention policy assures maintenance of records needed for ongoing operations. Conversely, records that are no longer useful should be discarded or archived to increase efficiency.

This policy addresses the identification of records and the duration for retaining institutional records. The Records Retention Guidance and Schedule is a companion resource and an element essential to compliance with this policy.

Retention of Job Application
This policy applies to job applications that are solicited by Iowa State University.

Retention of Selling Department Records
This policy is established to comply with state records laws and to preserve documentation of sales transactions for legal and archival purposes.

Telecommunications
This policy clarifies campus standards for voice, data, and video communications.

Wireless
Iowa State’s wireless network enables mobile computing and provides network services in situations where wiring is extremely difficult to install, such as historical buildings and large open areas.

The purpose of the wireless policy and related standards and guidelines is to assure students, faculty, and staff access to a reliable, robust, and integrated wireless network and to increase the security of the campus wireless network to the extent possible.

This document provides policies, standards, and guidelines for best practice as they relate to providing and using Iowa State University's wireless network. Specifically, the policy identifies user and service provider responsibilities, lists the industry wireless standards supported on campus, addresses frequency issues, stresses the importance of security, and provides guidelines and best practices to improve security.

IT Policy

Backup Retention
Backing up digital communications, data, and other electronic files is an essential IT practice to ensure against the loss of valuable information. The purpose of backups is to restore a system to a current state (as of the date of the most recent backup) in case of system failure, or to restore individual files inadvertently deleted or lost. Backup media is not intended to serve as short- or long-term storage of information. Retrieval or archive storage is a separate process used to remove or duplicate files from an active system to another system or digital media for short- or long-term storage.

The purpose of this policy is to establish a limit on the length of time backups are maintained and to encourage units to distinguish between the purposes and practices of backing up data versus retrieval or archive storage of data.

Data Warehouse (eData)
Administrative data captured and maintained at Iowa State are a valuable university resource. The Iowa State eData warehouse contains integrated data from multiple operational areas to support institutional research, business analysis, reporting, budget planning, personnel planning, and decision-making.

The purpose of this policy is to establish uniform data management standards and to identify the shared responsibilities for assuring that the eData warehouse provides security, protects privacy and has integrity while it efficiently and effectively serves the needs of Iowa State.

Disposal of Equipment Acquired with Student Computer Fees
These guidelines have been established by the Computation Advisory Committee (CAC) to govern the transfer of assets purchased with student computer fee income.

Diversity Statement
As a service organization, Iowa State IT has daily interactions with a wide variety of faculty, staff, and students and it strives to treat them all equally and provide quality service that meets their needs. Iowa State IT believes that as a public institution, Iowa State has a responsibility to serve the public in a non-discriminatory manner that reflects our commitment to promoting a just environment.

Iowa State IT supports the educational goals of the university by providing teaching and learning accommodations to faculty, staff, and students. Further, it supports the diversity goals of the university through the understanding and application of federal, state, and local laws and the policies of Iowa State.

Mass E-mail and Effective Electronic Communication
Electronic communication (including e-mail, websites, listservs, and voice mail) is used extensively at Iowa State. In particular, e-mail is a powerful electronic communication tool when used effectively. The university seeks to enable the distribution of e-mail as efficiently as possible. Because of the high volume of e-mail and our dependence on its reliable delivery, it is important that we observe best practices to ensure effective use of e-mail in a manner that is beneficial to all. Objectives:

  • Use university resources effectively.
  • Preserve e-mail as an effective communication tool.
  • Enable smooth delivery of mass e-mails.

Systems Development Life Cycle (SDLC)
The purpose of applying the Systems Development Life Cycle is to describe the requirements for developing and/or implementing new software and systems at Iowa State and to ensure that all development work complies with applicable regulatory, federal, and state guidelines.

Software License Compliance
Iowa State faculty, staff, and students are responsible for using computer software legally and may be required to demonstrate that the software on their computers is appropriately licensed.

IT Standards, Procedures and Best Practices

Multifactor Authentication (MFA)

The Okta identity management platform selected by Iowa State may use multifactor authentication (MFA) for its portal/dashboard that gives users one-click access to their web-based programs and applications without additional logins.

MFA provides another line of defense against cyberattacks - from the thousands of daily attempts targeting university systems to individual users who fall prey to phishing attempts.

Endpoint Systems

To help protect endpoints and the data that resides on them, the following best practices should be followed. Even so, following them does not guarantee complete protection of data. Any data that contains personally identifiable information should not be stored locally.

Best Practices for Endpoint Health and Protection:

  • Do not store personally identifiable information on the device
    • Use only cloud-based locations that are encrypted, have auditing enabled, and are under contract with Iowa State University (e.g., Cybox)
    • Use only local file servers that have been identified as GDPR compliant
  • Use whole disk encryption on the device (including any attached media)
    • Use Microsoft BitLocker Administration & Monitoring for Windows devices
    • Use FileVault/Jamf Pro for Macintosh Devices
    • Use LUKS for Linux
  • Join desktops/laptops to the IASTATE domain
    • Inventory/Auditing
    • Apply Group Policy (GPO) settings
    • Manage User/workstation objects
  • Manage and monitor devices using enterprise services
    • System Center Configuration Manager (SCCM) and Intune for Windows and Android devices
    • Jamf Pro (Casper) for Macintosh and iOS devices
    • Satellite for Red Hat Enterprise Linux
  • Ensure software is up-to-date according to manufacturer’s recommendations
    • Windows Server Update Service (WSUS)
    • Apple Software Updates
    • Printer firmware updates
  • Assign users least privilege access
  • Enable firewall
  • Use antivirus/antimalware software with centralized management and monitoring
  • Data sanitization on disposal (computers and printers with storage)
    • Physical destruction of storage device
    • Secure wipe of storage device
  • Set password and encrypt mobile devices
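As an added check (example code written for this page, not part of the Iowa State plan or any ISU tool), the following PowerShell script reads the state of several checklist items above on a Windows endpoint: BitLocker protection on every volume, membership in the IASTATE domain named above, firewall profiles, antivirus status, and patch age. The 30-day patch-age and 7-day signature-age thresholds are assumptions, not values from the plan; the script only reports and changes nothing.

```powershell
# Added example, not Iowa State code: read-only endpoint health check against
# the checklist above. Run in an elevated session on a Windows device with the
# BitLocker and Defender modules available.
param(
    [string]$ExpectedDomain = 'IASTATE',   # domain named in the checklist
    [int]$MaxPatchAgeDays   = 30,          # assumption: local threshold
    [int]$MaxSignatureAge   = 7            # assumption: local threshold
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Whole disk encryption: every volume must have BitLocker protection on.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Volume $($vol.MountPoint): BitLocker protection is $($vol.ProtectionStatus)")
    }
}

# 2. Domain membership: device should be joined to the expected domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -notlike "$ExpectedDomain*") {
    $findings.Add("Not joined to $ExpectedDomain (current domain: $($cs.Domain))")
}

# 3. Firewall: all three profiles (Domain, Private, Public) must be enabled.
foreach ($fw in Get-NetFirewallProfile) {
    if (-not $fw.Enabled) {
        $findings.Add("Firewall profile $($fw.Name) is disabled")
    }
}

# 4. Antivirus/antimalware: engine and real-time protection on, signatures current.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Antivirus or real-time protection is disabled')
}
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAge) {
    $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
}

# 5. Updates: the most recent installed hotfix should be within the threshold.
$latest = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add("No update installed in the last $MaxPatchAgeDays days")
}

# Report: one line per gap, so the output can be collected by a central tool.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: endpoint meets the checklist items tested'
} else {
    Write-Output "FAIL: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```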

Strong Password Guidelines

Passwords are one of the weak areas in computer security. A combination of the following methods can help increase password security:

  • Make Your Password Difficult to Guess
  • Complexity Adds Strength
  • Longer Passwords Versus Short Ones
  • Use Different Passwords for Different Accounts
  • Change Passwords Periodically

Remote access and Virtual Private Network (VPN)

For all remote access, it is strongly recommended to use Iowa State’s VPN. The VPN provides remote access to campus network services from any computer, on or off campus, and offers a safe, secure sign-in to the university's network.

Web Standards and Best Practices

Iowa State University units are responsible for creating standards-compliant websites and applications.

To comply with web standards, websites and applications must have valid HTML, CSS, and JavaScript. They must also meet accessibility standards. Full compliance also includes valid RSS, metadata, XML, SVG, device APIs, and object and script embedding as well as proper settings for character encoding. Web pages should also be optimized for size and download speed.

Risk Assessment Tools

These are approved tools and documents for conducting risk assessments at Iowa State University. For further information or explanation contact the Director, IT Security and Policies in IT Services. This office is available to assist departments in understanding the risk assessment process and getting started on completing their forms.

IT Security Risks and University Impact

This table includes examples for each of the four IT security objectives (i.e., confidentiality, data integrity, availability, and authorized use) at each of the three levels of risk (low, moderate, high).

Confidentiality
  Low: Disclosure of course offerings before the Registrar publishes the information on the web.
  Moderate: Disclosure of e-mails detailing a negotiation strategy during a land purchase.
  High: Disclosure of student medical records.

Data Integrity
  Low: Malicious modification of a student's personal webpage.
  Moderate: Malicious modification of classroom schedules, leading to overbooking or confusion for a period of time.
  High: Malicious modification of an administrative report, leading to embarrassment for the university.

Availability
  Low: Attack on servers holding personal web pages or attack on networked environmental controllers.
  Moderate: Attack on the course registration servers during the student registration weeks.
  High: Attack on the network routers, which would render most networks inoperable.

Authorized Use
  Low: An Iowa State University student shares their password with a high-school friend, thereby granting that friend unauthorized access to computing services.
  Moderate: Gaining access to a computer with publicly available hacking tools, then using the computer to capture passwords on the network.
  High: Gaining access to a computer with publicly available hacking tools, then using the computer as a platform to launch a debilitating attack on the campus networks.

Risk Prioritization

Risks are prioritized by the impact an occurrence would have and the likelihood that it occurs.

Payment Card Industry Self-Assessment

Information on the Payment Card Industry Data Security Standard (PCI DSS) can be found on the PCI Security Standards Council website. Every entity that processes, stores, or transmits credit card information will use the Payment Card Industry Self-Assessment form. The form is sent to the PCI compliance officer in the Treasurer's Office, with a copy to the Director, IT Security and Policies, IT Services.

Additional Standards, Procedures, and Best Practices

  • Exchange E-mail Best Practices
  • File Sharing and Copyrighted Materials
  • Foreign Travel Guideline
  • InCommon Participant Operational Practices
  • Mobile Security Guidelines
  • Networked Printers, Copiers, and Multi-function Devices
  • Sponsored Net-IDs
  • System Administration

Compliance Requirements

Iowa State’s information security practices must comply with a variety of federal and state laws as well as its own campus policies. These laws and policies are generally designed to protect individuals and organizations against the unauthorized disclosure of information that could compromise their identity or privacy. "Moderate or higher classified data" as defined by Iowa State covers a variety of types, including personally identifiable information (e.g., Social Security numbers), personal financial information (e.g., credit card numbers), health information, and other confidential information.

Among the laws and regulations that mandate baseline privacy and information security controls, the most notable for Iowa State’s Information Security Program include the following:

  • Health Information and Privacy and Security Policy
    Designed to assure Iowa State's compliance with all applicable federal and state laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), that require an individual's personal health information to be kept confidential and private. Protected Health Information (PHI) may be used and disclosed for Treatment, Payment, and Healthcare Operations (TPO). The information that is disclosed must meet the “Minimum Necessary” standard, meaning the least information required to accomplish the intended purpose. Under all other circumstances, except an emergency involving a patient’s health, a signed authorization form must be completed by the patient or their legal representative.
  • Family Educational Rights and Privacy Act (FERPA)
    20 U.S.C. S1232g; 34 CFR Part 99 - Protects the privacy of student education records and gives parents certain rights with respect to their children’s education records.
  • Gramm-Leach-Bliley Act (GLBA)
    These requirements mandate the design, implementation, and maintenance of specific policies to protect customer information. The GLBA protects consumers’ personal financial information held by financial institutions.
  • Federal Trade Commission Regulations
    16 CFR, Part 314, Standards for Safeguarding Customer Information; Final Rule, May 23, 2002 - Implements the safeguarding provisions of the Gramm-Leach-Bliley Act. Establishes standards for safeguarding customer information and calls for organizations to establish information security plans to bring about compliance.
  • Payment Card Industry (PCI) Data Security Standards
    A framework of standards and compliance requirements designed to protect consumer payment card data. Additional laws and regulations apply in the wake of unauthorized disclosure of individuals' data, requiring the University to take specific actions if any protected data may have been disclosed, either accidentally or maliciously, to unauthorized parties. A detailed list of regulations and compliance requirements is included in Appendix B. Individuals who handle protected data are encouraged to speak with their managers or the Information Security Officer (ISO) to better familiarize themselves with relevant laws and regulations.
  • General Data Protection Regulation (GDPR)
    The GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all organizations that handle data of EU data subjects, so it is a critical regulation for compliance. GDPR will come into effect across the EU on May 25, 2018.

Data Protection Requirements

Data is a valuable asset to the university, and some data must be protected with a higher level of attention and caution. The level of protection is based on the method defined by the Data Classification Policy along with the Minimum Security Standards for Protected Data.

Physical security is the key to safe and confidential computing. Back up data to a safe place in case of loss or theft, and ensure that any laptop that contains sensitive information is encrypted. Sufficient measures must be in place to protect data: making it difficult for anyone to gain access to sensitive data, communications facilities, critical hardware and software, and other facilities is essential.

Security Training and Awareness

All Iowa State faculty, staff, and students must be aware of, have access to, and comply with Iowa State information system security policies, standards, and procedures. Iowa State faculty, staff, and students may be required to have training, depending on job duties and access to restricted information.

Resources for Iowa State security training and awareness include:

  • IT Security Website
  • Iowa State Policy Library
  • IT Standards and Policies

Evaluation and Revision of the Information Security Plan

The Information Security Plan will be evaluated and adjusted to reflect changing circumstances, including changes in the University’s business practices, operations or arrangements, or as a result of testing and monitoring the safeguards.

What is the purpose of a security plan?

A security plan is aimed at reducing risk. It will therefore have at least three objectives, based on your risk assessment:

  • Reducing the level of threat you are experiencing
  • Reducing your vulnerabilities
  • Improving your capacities

What is a system security plan?

Definition(s): Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

What are the 4 objectives of planning for security?

Four goals of security:

  • Confidentiality
  • Integrity
  • Availability
  • Non-repudiation

Accomplishing these is a management issue before it's a technical one, as they are essentially business objectives.

What are the three main components of a security plan?

Elements of a security plan:

  • Physical security: physical access to routers, servers, server rooms, data centers, and other parts of your infrastructure.
  • Network security
  • Application and application data security
  • Personal security practices