revised 28-Apr-2011
Introduction
Information Security is the job of all members of the University community.
Many of us handle sensitive data routinely, and all of us use University
resources, so we should all understand the associated risks to the
confidentiality, integrity, and availability of these data and resources.
Establishing and following security-conscious procedures is critical to reducing these risks.
Designated as the University's "Information Security Program,"
this website is intended to guide the executives and managers
responsible for establishing IT Procedures, helping them define those
Procedures with respect to Information Security so that they are consistent with the
Policies of the University and protect the security of the University's IT assets
and the safety of the University community.
Definitions
The following abbreviations are used in this website:
- UISIRT - University Information Security Incident Response Team.
This team is charged by the University to manage any information
security incident that might arise within the University. Currently the
UTS IT Security Office is designated to perform this role.
- UISO - University Information Security Office. This office is
appointed by the University to implement University-wide information security
strategy. Currently the UTS IT Security Office is designated to perform this
role.
- OU - Organizational Unit. This is an administrative unit such as a
College, School, Department, Office, or Team within the University.
Policies
The University's policy framework is organized into the following hierarchy:
- Policies are University-wide rules established at the executive
level. They represent the intention and direction of the University,
formally expressed by management.
- Standards are University-wide rules established by those
authorities who are designated in University Policies. These tend
to be broad, setting standards for conduct and process within the OUs.
Standards must conform to applicable Policies.
- Guidelines are documents created by subject-matter authorities who
are designated in University Policies. These documents contain
recommendations to assist in the creation of related Procedures.
Guidelines must conform to applicable Policies and Standards.
- Procedures are documents created by OU administrators, with specific
directions for conducting business and operations at
the University. Procedures must conform to applicable Policies and
Standards, and should also adhere to applicable Guidelines where practical.
Provisions
Policy IT 3.00 defines the University's stance and infrastructure for
implementing Information Security. Sections chartering this document, and establishing
responsibility and accountability pertaining to it, are paraphrased
below.
- UISO Must Develop Information Security Program (IT 3.00, II.A.1) -
The UISO is charged with the responsibility to develop the University-wide Information
Security Program (this website).
- UISO Must Develop Incident Response Procedure (IT 3.00, II.A.2) -
The UISO is charged with the responsibility to develop and implement the University-wide
Information Security Incident Response Procedure (see the "Incident Response Procedure"
section near the bottom of this page).
- Management Must Ensure Security (IT 3.00, II.A.5) - The
management staff of each OU is responsible for ensuring the security of
its IT assets.
- Management Must Establish Security Contact (IT 3.00, II.A.7) - The
management staff of each OU must designate a security contact as a liaison
to the UISO, and make the identity of that contact known to its users and
to the UISO.
- Users Are Accountable (IT 3.00, II.A.6) - All users are accountable
for ensuring the security of the data and IT assets they use.
- Reporting Compromise (IT 3.00, II.A.4) - If a user sees
signs of a compromise of his/her computer, he/she must immediately
contact his/her designated security contact, Help Desk, or UISO.
- Disconnection of Compromised Assets (IT 3.00, II.A.3) - In the
course of responding to an information security incident, the UISIRT has
the authority to order the disconnection of compromised assets from the
network.
The full text of University Policy IT 3.00 is available online in .pdf
format at this address: http://www.sc.edu/policies/it300.pdf
Procedure Development
In brief, these are the guidelines for developing Procedures:
- Who should develop procedures?
- If an OU has no superior OU apart from the University, it should
design and publish Procedures for all of the categories listed below.
- If a Procedure designed by a superior OU does not adequately
address the specific environment of the subordinate OU, the
subordinate OU should design and publish a more specific Procedure,
compliant with the superior OU's Procedure.
- In some cases a Procedure category may be further divided into multiple
related subordinate Procedures (e.g. "Software Patching, Macintosh" and
"Software Patching, Windows").
- How should Procedures be developed and published?
- Consult the applicable Guidelines below.
- Consult the applicable Procedures published by superior OUs.
- Consult subject matter experts within your OU.
- When writing the Procedure, cite superior Procedures
as needed, and detail the more specific parts of
the Procedure that will apply to your OU.
- The language used within a Procedure should not be overly
specific, lest it lose its relevance to some environments within
its scope (e.g. specifying that Windows Updates must be applied
to all computers, when an OU or its subordinate OUs may also
have Macintosh or Linux computers in use).
- A Procedure should be approved by an OU manager with authority over the
scope of the Procedure.
- A Procedure should be published where it will remain accessible to all persons
responsible for its implementation, and advertised to these persons when it is
created or revised.
Procedure Guidelines
The Guideline documents below are organized by Procedure categories. Each
is contained on a separate web page. Click on the category title to see the
document.
- In-Processing / Out-Processing -
Recommends in-processing steps for new employees and out-processing steps for
terminated/transferred employees, with regard to information security. [revised 22-Mar-2011]
- Data/System Access Agreement -
Recommends a process for establishing an agreement with employees, contractors, and
vendors, to ensure they are aware of Policies and Procedures. [revised 26-Apr-2011]
- Procurement and Contracts - Recommends
provisions to include during the procurement process and contract negotiation
for software and services. [revised 22-Mar-2011]
- Project Management Security - Recommends
a process to be integrated with project management and system development, to include
provisions for information security. [revised 12-Apr-2011]
- Data System Development Practices - Recommends
security best practices for development of data systems and software applications. [revised 26-Apr-2011]
- Security Risk Assessment - Recommends
a process for performing a Security Risk Assessment for projects or systems.
[revised 14-Apr-2011]
- Password Practices - Recommends best
practices for password complexity, usage, and protection. [revised 22-Mar-2011]
- Server Security - Recommends
best practices for secure server configuration, usage, and maintenance. [revised 11-Apr-2011]
- Workstation Security -
Recommends best practices for secure workstation/desktop/portable computer configuration,
usage, and maintenance. [revised 11-Apr-2011]
- Mobile Device Security -
Recommends best practices for secure configuration, usage, and maintenance of mobile devices. [revised 11-Apr-2011]
- Software Patching - Recommends best
practices for updating any software, including operating systems,
applications, and firmware. [revised 11-Apr-2011]
- Logging Practices - Recommends best
practices for logging and review of security-related events. [revised 22-Mar-2011]
- Travel Security - Recommends secure processes for
traveling with a computer: preparing for travel, during travel, and following travel.
[revised 11-Apr-2011]
- Compromised Computer Cleaning -
Recommends a process for safely cleaning malicious
software from a computer. [revised 24-Mar-2011]
- Sensitive Data Security -
Recommends a process for properly securing sensitive data while in use, and for properly
disposing of it at the conclusion of its use, including auditing its usage and retention.
[revised 28-Apr-2011]
- Media Security -
Recommends a process for properly securing data storage media while in use, and properly
purging or destroying such media before transferring possession, to prevent
accidental leakage of sensitive information or violation of licensing terms. [revised 22-Mar-2011]
- Exemption -
Recommends a process for creating an exemption to a Procedure. [revised 22-Mar-2011]
Incident Response
The documents below illustrate the University-wide Information Security Incident
Response Procedure. Sub-Procedures within the overall process are maintained by the
respective organizational units.
Opt-In Procedures
These documents by themselves have no authority over any entity or system.
The UTS IT Security Office (ITSO) makes these opt-in Procedures available for use by
authors of any University Policy, Standard, Guideline, Procedure, or process documents. Such
documents may require, recommend, or quote these Procedures in whole or in part, as suited
to their purposes. By recommending or requiring these Procedures, a document lends its
authority to the applicable provisions of these Procedures.
- Data System Security Procedure - This document establishes
a process for designing, implementing, and maintaining data systems, with regard to
information security. [revised 11-Apr-2011]
- Sensitive Data Discovery Procedure - This document establishes
a process for locating sensitive data on data systems and media. [revised 28-Apr-2011]
Data Standard
This document is a Guideline to assist Data Stewards in the development of their
Standards documents.