Information security is essential to the mission of Iowa State University and is a university-wide responsibility. The Iowa State Information Technology Security Plan defines the information security standards and procedures for ensuring the confidentiality, integrity, and availability of all information systems resources and data under the control of Iowa State. The purpose of this security plan is to provide an overview of the security requirements of the IT system and describe the controls in place or planned for meeting those requirements. Furthermore, the university recognizes its responsibility to promote security awareness among the members of the Iowa State University community. The objective of the security plan is to improve protection of IT resources.
Scope

Iowa State University is responsible for protecting the confidentiality, integrity, and availability of University information assets. Unauthorized modification, deletion, or disclosure of information assets can compromise the integrity of the mission of Iowa State, violate individual privacy rights, and possibly constitute a criminal act. It is the collective responsibility of all users to ensure they are familiar with and adhere to Iowa State policies, including privacy, acceptable use of information technology resources, and other facilities and properties policies. This plan applies to any use of the University’s computing or network resources as defined in the Acceptable Use of Information Technology Resources, and the other facilities and property policies. Additional standards and procedures may govern specific data or computer systems or networks provided or operated by third-party service providers. This plan applies to all university personnel and entities and is to be read by all university technical support staff and information asset owners.

Definitions

Terms defined in the plan:
- ISU
- ITS
- Audit
- Availability
- Backup
- Confidential Data or Records
- Confidentiality
- Criticality
- Data Classification
- Data Corruption
- Disaster
- Disaster Recovery
- Distributed System
- Integrity
- IT Security or Security in IT
- IT Resources
- Privacy
- Restricted Data
- Risk
- Stored Record
- Threat

Roles and Responsibilities

Roles addressed by the plan:
- Chief Information Officer (CIO)
- Director, Information Security
- Director, Endpoint Protection and Identity and Access Management
- IT Security and Policies Team
- Data Protection Officer (DPO)
- Critical Incident Readiness Team (CIRT)
- Data Steward
- Data Custodian
- Data User
- Colleges, Departments, and Other Units
- Individuals Using Personally-Owned Computers and Other Network Devices
- Third Party Vendors
- Other Registered Entities
Policies

Iowa State recognizes that IT system security is a crucially important aspect of any information system, as it is the only way to safeguard protected data and other sensitive information, to identify and eliminate security threats, and to ensure compliance with mandated security requirements. Iowa State provides IT resources to a large and varied group, including faculty, staff, students, and guests. All members of this community are accountable for using these resources in an ethical and respectful manner that protects sensitive University information and follows the IT policies, standards, and procedures. Failure to comply with established policies and practices may result in loss of computing privileges and/or disciplinary action. IT Security follows the policies, standards, and procedures below. Additional policies, standards, and procedures are available at:
University Policy

- Acceptable Use of Information Technology Resources
- Communication Technology: Communication technology services shall be defined as cellular phone voice/text messaging service, cellular phone ISP (Internet Service Provider) data service associated with devices (e.g., smart phones and PDAs), and cellular wireless modems associated with devices (e.g., laptop computers).
- Cell Phones
- Copyright Ownership and Management of Software
- Data Classification Policy
- Data Classification Standards and Guidance
- Domain Name System (DNS)
- Electronic Privacy
- Employee Records
- Identification (ID) Card (ISUCard)
- Identity Theft Prevention: It was also determined that, in certain cases, a university department does receive a consumer report from a credit reporting agency, and therefore is subject to the duties of users of consumer reports regarding address discrepancies. However, the task force also determined that the Iowa State card is not a debit or credit card but is a "stored value" card that cannot be processed through the regular financial debit/credit card network unless a student chooses to add the optional services from our third party servicer, US Bank. For that reason, Iowa State is not responsible for the Red Flag Rules regarding the duties of card issuers regarding changes of address, and our contractual service provider, currently US Bank, would be responsible for compliance with the Red Flag Rule.
- Information Disclosures
- Social Security Number Protection
- Student Records
- Student Cumulative Record Retention
- Video Cameras, Administrative Uses: This policy regulates the university’s administrative use of video cameras for reasons of safety, security, or enhancement of business services that may capture human behavior and interaction without the subjects’ consent.
- Equipment Reassignment or Disposal
- Export Controls: The EAR and ITAR each list certain articles, materials, supplies, software and other items, together with technical information about those items, as restricted for export control purposes ("Export-Controlled Items"). What constitutes Export-Controlled Items is constantly changing as items are added to and dropped from the lists. As indicated below, certain offices on campus are designated to make determinations regarding whether export controls apply. The law controls the transfer of Export-Controlled Items outside of the United States. It also covers the transfer of technical information for Export-Controlled Items to foreign persons within the United States (a "Deemed Export"). For this reason, the determination in advance whether research, equipment or software is subject to export controls is vitally important to the university. As an institution with many foreign visitors and with international collaborations both here and abroad, Iowa State University's compliance with export controls must be a priority. Because of the nature of our activities and the broad application of the law, compliance with regulations is a broadly shared responsibility on the campus.
- E-mail, University Communications
- IT Security Incident Reporting Policy: For the purposes of this policy an "IT security incident" is any accidental or malicious act with the potential to:
  In the case when an IT security incident is determined to be of potentially serious consequence, the responsibility for acting to resolve the incident and to respond to any negative impact rests with the university rather than individuals, colleges, departments, or units. The university has established procedures and identified an IT Security Response Team (ITSRT) as its authority in developing response plans to serious IT security incidents. As described below, reports of IT security incidents will be forwarded to ITSRT. The ITSRT follows protocols in determining what actions should be taken and, depending upon the nature of the security incident, will determine whether incidents should be handled within the purview of the department, college, or unit or by security specialists within ITSRT. In some cases, the ITSRT may escalate the incident to law enforcement, university counsel, or other university officers. This document outlines the procedures individuals should follow to report potentially serious IT security incidents. University staff members whose responsibilities include managing computing and communications systems have even greater responsibilities. This document outlines their responsibilities in securing systems, monitoring and reporting IT security incidents, and assisting individuals, administrators, and other IT staff to resolve security problems.
- Mail Services
- Mailing Address Changes
- Minimum Security Standards and Guidance
- Personal Use and Misuse of University Property
- Public Records Exemption for Security-Related Information
- Records Retention: This policy addresses the identification of records and the duration for retaining institutional records. The Records Retention Guidance and Schedule is a companion resource and an element essential to compliance with this policy.
- Retention of Job Application
- Retention of Selling Department Records
- Telecommunications
- Wireless: The purpose of the wireless policy and related standards and guidelines is to assure students, faculty, and staff access to a reliable, robust, and integrated wireless network and to increase the security of the campus wireless network to the extent possible. This document provides policies, standards, and guidelines for best practice as they relate to providing and using Iowa State University's wireless network. Specifically, the policy identifies user and service provider responsibilities, lists the industry wireless standards supported on campus, addresses frequency issues, stresses the importance of security, and provides guidelines and best practices to improve security.

IT Policy

- Backup Retention: The purpose of this policy is to establish a limit on the length of time backups are maintained and to encourage units to distinguish between the purposes and practices of backing up data vs. retrieval or archive storage of data.
- Data Warehouse (eData): The purpose of this policy is to establish uniform data management standards and to identify the shared responsibilities for assuring that the eData warehouse provides security, protects privacy and has integrity while it efficiently and effectively serves the needs of Iowa State.
- Disposal of Equipment Acquired with Student Computer Fees
- Diversity Statement: Iowa State IT supports the educational goals of the university by providing teaching and learning accommodations to faculty, staff, and students. Further, it supports the diversity goals of the university through the understanding and application of federal, state, and local laws and the policies of Iowa State.
- Mass E-mail and Effective Electronic Communication
- Systems Development Life Cycle (SDLC)
- Software License Compliance

IT Standards, Procedures and Best Practices

Multifactor Authentication (MFA)

The Okta identity management platform selected by Iowa State may use multifactor authentication (MFA) for its portal/dashboard that gives users one-click access to their web-based programs and applications without additional logins. MFA provides another line of defense against cyberattacks, from the thousands of daily attempts targeting university systems to individual users who fall prey to phishing attempts.

Endpoint Systems

In an effort to help protect endpoints and the data that resides on them, the following best practices should be followed. Even so, following these best practices does not guarantee complete protection of data. Any data that contains personally identifiable information should not be stored locally. Best Practices for Endpoint Health and Protection:
Strong Password Guidelines

Passwords are one of the weak areas in computer security. A combination of the following methods can help increase password security:

Remote Access and Virtual Private Network (VPN)

For all remote access, it is strongly recommended to use Iowa State’s VPN. The VPN provides remote access to campus network services from any computer, on or off campus, and offers safe, secure sign-in to the university's network.

Web Standards and Best Practices

Iowa State University units are responsible for creating standards-compliant websites and applications. To comply with web standards, websites and applications must have valid HTML, CSS, and JavaScript. They must also meet accessibility standards. Full compliance also includes valid RSS, metadata, XML, SVG, device APIs, and object and script embedding, as well as proper settings for character encoding. Web pages should also be optimized for size and download speed.

Risk Assessment Tools

These are approved tools and documents for conducting risk assessments at Iowa State University. For further information or explanation, contact the Director, IT Security and Policies in IT Services. This office is available to assist departments in understanding the risk assessment process and getting started on completing their forms.

IT Security Risks and University Impact

This table includes examples for each of the four IT security objectives (i.e., confidentiality, data integrity, availability, and authorized use) at each of the three levels of risk (low, moderate, high).

Risk Prioritization

Risk prioritization is based on the impact and the likelihood of the risk occurring.

Payment Card Industry Self-Assessment

Information on the Payment Card Industry Data Security Standard (PCI DSS) can be found on the PCI Security Standards Council website. Every entity that processes, stores, or transmits credit card information will use the Payment Card Industry Self-Assessment form. The form is sent to the PCI compliance officer in the Treasurer's Office, with a copy to the Director, IT Security and Policies, IT Services.

Additional Standards, Procedures, and Best Practices
Compliance Requirements

Iowa State’s information security practices must comply with a variety of federal and state laws as well as Iowa State's own campus policies. These laws and policies are generally designed to protect individuals and organizations against the unauthorized disclosure of information that could compromise their identity or privacy. "Moderate or higher classified data" as defined by Iowa State covers a variety of types, including personally identifiable information (e.g., social security numbers), personal financial information (e.g., credit card numbers), health information, and other confidential information. Among the laws and regulations that mandate baseline privacy and information security controls, those most notable to Iowa State’s Information Security Program include the following:

Data Protection Requirements

Data is a valuable asset to the university, and some data must be protected with a higher level of attention and caution. The level of protection is based on the method defined by the Data Classification Policy along with the Minimum Security Standards for Protected Data. Physical security is the key to safe and confidential computing. Back up the data to a safe place in the event of loss or theft, and ensure the laptop is encrypted if it contains sensitive information. Sufficient measures need to be in place to ensure data protection; making it difficult for someone to gain access to sensitive data, communications facilities, critical hardware/software, and other facilities is essential.

Security Training and Awareness

All Iowa State faculty, staff, and students must be aware of, have access to, and comply with Iowa State information system security policies, standards, and procedures. Iowa State faculty, staff, and students may be required to have training, depending on job duties and access to restricted information. Resources for Iowa State security training and awareness include:
Evaluation and Revision of the Information Security Plan

The Information Security Plan will be evaluated and adjusted to reflect changing circumstances, including changes in the University’s business practices, operations or arrangements, or as a result of testing and monitoring the safeguards.

What is the purpose of a security plan?

A security plan is aimed at reducing risk. It will therefore have at least three objectives, based on your risk assessment:
- Reducing the level of threat you are experiencing
- Reducing your vulnerabilities
- Improving your capacities

What is a system security plan?

Definition: A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

What are the 4 objectives of planning for security?

The four goals of security are confidentiality, integrity, availability, and non-repudiation. Accomplishing these is a management issue before it is a technical one, as they are essentially business objectives.

What are the three main components of a security plan?

Elements of a security plan:
- Physical security: the physical access to routers, servers, server rooms, data centers, and other parts of your infrastructure.
- Network security.
- Application and application data security.
- Personal security practices.