POLICY TITLE: Information Security Framework
POLICY #: IT - 18
DATE DRAFTED: 01/02/03
DATE POSTED for Review: 05/06/03
APPROVED DATE: 04/12/05
REVISION DATE: 07/06/04
BRIEF DESCRIPTION: The purpose of this policy is to identify and disseminate the University of Iowa’s framework and principles that guide institutional actions and operations in generating, protecting, and sharing confidential information.
Information assets of the University of Iowa, in all their forms and throughout their life cycle, will be protected through information management policies and actions that meet applicable federal, state, regulatory, or contractual requirements and support the University of Iowa’s mission, vision, and values.
The purpose of this policy is to identify and disseminate the University of Iowa’s framework and principles that guide institutional actions and operations in generating, protecting, and sharing confidential information. This policy applies to all confidential (i.e., internal, restricted, or restricted-health) information assets of the University of Iowa. Each faculty and staff member, trainee, student, vendor, volunteer, contractor, or other affiliate of the University of Iowa with access to confidential institutional information is subject to and has responsibilities under this policy.
- Access to University of Iowa confidential information assets may only be granted to Authorized Data Users (hereinafter collectively “Users”) on a need-to-know basis. The Business Owner of the data (e.g., department/unit director) must approve and verify such access.
- All Users shall receive education on the expectations, knowledge, and skills related to information security.
- Every User must maintain the confidentiality of University of Iowa information assets even if technical security mechanisms fail or are absent. A lack of security measures to protect the confidentiality of information does not imply that such information is public.
- If a User elects to place confidential information onto personally owned media or storage devices (e.g., PDAs, floppy disks, case logs, note cards) or maintain a personal database, s/he is responsible for ensuring that its security, confidentiality, and integrity are maintained in accord with this policy. The User is personally responsible for any breaches that occur as a result of his/her actions.
- A Data Custodian must be identified for each University of Iowa information asset. A Data Custodian is the technical official responsible for capture, maintenance, and dissemination of these information assets.
- Everyone has an obligation to report instances of non-compliance to the institution’s Privacy Officer. Users who access data for which they do not have a need to know and/or commit breaches of confidentiality may be subject to disciplinary action up to and including discharge, termination of contract/relationship, and/or liability to civil and criminal penalties.
- Everyone must comply with all applicable federal and state regulations (e.g., FERPA, HIPAA) governing the access and use of data.
Roles
Responsibility for The University of Iowa’s comprehensive enterprise information security program is delegated to the following groups and individuals as defined in the Roles and Responsibilities for Information Security Policy:
- Data Steward - The enterprise VP or top-level executive having policy-level responsibility for a particular set of information assets.
- Information Security Committee (ISC) - The group responsible for governance and oversight of the enterprise information security program.
- Information Technology Security Officer - The official responsible for directing implementation of the enterprise information security program.
- Business Owner - The senior executive within a college or departmental unit (or his/her designee) accountable for managing information assets.
- Department Security Liaison - The departmental liaison to the IT Security Officer responsible for coordinating resolution of security matters.
- Data Custodian - The technical official (and his/her staff) that has operational-level responsibility for the capture, maintenance, and dissemination of a specific segment of information, including the installation, maintenance, and operation of hardware and software platforms.
- Authorized Data User - Individuals who have been granted access to specific information assets in the performance of their assigned duties are considered Authorized Data Users (Users). Users include, but are not limited to, faculty and staff members, trainees, students, vendors, volunteers, contractors, or other affiliates of the University of Iowa.
Business Owners will assess risks and threats to data under their control and accordingly classify and protect their data as described in the Institutional Data Access Policy using the following classifications:
- Public - granted to any approved requestor
- Internal - accessed as part of job responsibility (role-based), as authorized by the Business Owner of the data
- Restricted - controlled from creation to destruction, accessed only as required with individual authorization, may be legally restricted
- Restricted-Health - same as Restricted, with additional data handling control requirements
Physical and electronic access to confidential information is controlled. The level of control will depend on the classification of the data and the level of risk of loss or compromise.
- The level of physical access control for any area that contains institutional information is determined by the level of risk and exposure. Data centers and other locations where restricted information is housed must be protected at all times by physical access controls such as keys or card swipe.
- Physical access to data center areas must be monitored and logged through a sign-in sheet, electronic logging, or other tracking mechanism. Visitors and other maintenance personnel will be escorted by authorized operations staff when accessing the data center.
- Electronic or hardcopy media that contains restricted information must be secured during transportation and disposal.
Access control will be regulated by the following University of Iowa Policies: University Login ID Standard, Enterprise Authentication, and the Enterprise Password Policy. In addition,
- Criteria must be established by the Business Owner for account eligibility, creation, maintenance, and expiration.
- Data Custodians must periodically review User privileges and modify, remove, or inactivate accounts when access is no longer required.
- Procedures must be documented for the timely revocation of access privileges and return of institutionally owned materials (e.g., keys, ID Cards) for terminated employees and contractors.
- Inactivity time-outs must be implemented, where technically feasible, for terminals and workstations that access restricted information. The period of inactivity shall be no longer than 20 minutes in publicly accessible areas.
Access to Data for Automated Operations (Generic Access)
Generic access to information stored in databases is allowed only for non-interactive tasks. A non-interactive task is one that is scheduled to run automatically or one that is triggered by a series of events. A User does not directly initiate the task, nor is a User the direct recipient of the information. This includes automatic downloads and other linkages for data transfer.
- Requests for generic access to information stored in databases for automated operations are made to the Business Owner and, if approved, will be executed by the Data Custodian.
- Generic account passwords must be protected from unauthorized disclosure. Hard-coded passwords that reside on a client machine or in an application must be afforded reasonable protection commensurate with risk and the available platform or application security features.
- Information access via generic accounts must be limited to the specific task required.
University of Iowa systems administered by contractors
An on-site Data Custodian must be identified to oversee administrative duties performed by contractors to ensure their compliance with security policies and standards. Contractor activities will be controlled and monitored as follows:
- Contractor user accounts must not allow more system or network privileges than necessary to meet contract requirements.
- Secure authentication of contractors is required.
- Logging and auditing of system accesses and activity is required.
- Data Custodians must be able to audit access and access attempts to restricted information. To the extent technologically practical, Data Custodians shall maintain ongoing internal audit processes that record system activity such as log-ins, file accesses, and security incidents.
- Audit records shall be kept at least six months, and the Business Owner and/or Data Custodian shall periodically review the audit records for evidence of violations or system misuse. An investigation will be conducted when unauthorized accesses and attempts are identified.
- All Users shall be made aware that access audits may be conducted. If evidence of improper data access is discovered, it may result in disciplinary action.
Institutional information transmitted outside the organization requires additional safeguards. Security provisions employed will depend upon the identified risk and threats, regulatory requirements, and the technical mechanisms available.
- The Business Owner is responsible for making decisions regarding the appropriateness of external transmission and access.
- Sharing protected health information (classified as “restricted-health”) requires the completion of a Business Associate Agreement unless the communication is authorized for the purpose of treatment, payment, or health care operations.
- The Information Security Officer will review and approve technical security mechanisms and services for remote access and external transmission.
- Electronic communication and exchange of restricted institutional information over open networks such as the Internet must include strong authentication and may require encryption (with effective administration of encryption keys and passwords), depending on the nature of the communication and the associated risk assessment.
- Encryption must be employed for all external transmissions of restricted institutional information via electronic mail, except as authorized by the subject of the data.
Information Integrity Controls
Information must remain consistent, complete and accurate. Integrity errors and unauthorized or inappropriate duplications, omissions and intentional alterations will be investigated and reported to the Business Owner of the affected data.
Separation of duties and functions
To protect the integrity of data, tasks involved in critical business processes must be performed by separate individuals. Where feasible, responsibilities of programmers, system administrators and database administrators must not overlap.
Systems and Application software
- System and application software must be tested before installation in a production environment.
- System and application software must be protected from unauthorized changes.
Configuration management ensures that changes do not introduce any new vulnerability to systems or processes, and that changes do not remove important existing features. A system for change control management must be implemented for systems handling confidential information, to monitor and control hardware and software configuration changes, including the following steps:
- requesting change
- approval of the change
- documentation
- testing and presentation of results (quality assurance)
- implementation
- final report (log the change)
- All systems connected to the network will have virus protection where technologically feasible.
- The most recent version of anti-virus software must be implemented and maintained with current virus signatures/patterns.
Preventive Measures, Backup and Recovery
Processes are necessary to prevent loss of vital information, to provide backup and recovery, and to provide continuous operation consistent with the business needs of the institution.
- Prevention - Annual testing of preventive methods as they apply to fire, utility services, and other environmental hazards must occur.
- Backup - All information must have sufficient backup and be fully recoverable. Responsibilities for the regular backup and safe recovery of systems are described in the Backup and Recovery Policy.
- Emergency Mode of Operation - Alternate modes of operation, which may include manual methods, must be documented to ensure continuity of critical services in the event that a natural disaster, fire, act of vandalism, or act of terrorism occurs.
- All data centers and computerized systems critical to the University of Iowa must have written and operationally tested disaster recovery plans.
- Business Owners will prioritize the recovery of applications and associated databases to ensure critical services are recoverable in a timely fashion.
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Iowa Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm).
