AD95 Information Assurance and IT Security

To establish an institution-wide security program designed to ensure the confidentiality, integrity, and availability of The Pennsylvania State University’s (“Penn State“ or “the University”) information assets from unauthorized access, loss, alteration, or damage while supporting the open, information-sharing needs of our academic culture.

DEFINITIONS:

Availability - ensuring that information is ready and suitable for use.

Chief Information Security Officer (CISO) - oversees the Office of Information Security, and is responsible for developing and implementing an information security program, which includes policies, standards, and procedures designed to protect enterprise communications, systems and assets from both internal and external threats.

Confidentiality - ensuring that information is not disclosed to unauthorized individuals.

Data - unstructured facts and figures without added organization, interpretation or analysis.

Data Owner - Individual responsible for University information.

Information - contextualized, categorized, calculated and condensed data.

Information Classifications:

• Restricted - access and use is strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss will have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships.
• High - unauthorized access, use, disclosure, or loss is likely to have significant and severe adverse effects for individuals, groups, or the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm.
• Moderate - unauthorized access, use, disclosure, or loss is likely to have adverse effects for individuals, groups, or the University, but will not have a significant impact on the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm.
• Low - Unauthorized access, use, disclosure, or loss is likely to have low or no risk to individuals, groups, or the University. These adverse effects may, but are unlikely to, include limited reputational, psychological, social, or financial harm. Low Risk Information may include some non-public information.

Information Assets - any Penn State-owned data, information, software or hardware that is used in the course of business activities. This includes information that is processed or resides on privately owned devices that are used for University purposes.

Integrity of Data - ensuring accuracy, completeness, and consistency.

Institutional Data -information created, collected, maintained, transmitted, or recorded by or for the University to conduct University business, including, but not limited to, information in paper, electronic, audio, or visual formats.

Security Incident – is an adverse, or potentially adverse event/action in an information system and/or a network that poses a threat to computer or network security in respect to the confidentiality, integrity, and availability of information (e.g. unauthorized disclosure of sensitive information, theft or loss of equipment that contains potentially sensitive information, malware traffic, denial of service attacks, attempts (either failed or successful) to gain unauthorized access to a system and/or its information, etc.).

Security Staff - Penn State employees who have information security listed as part of their official duties.

Unauthorized Access or Access in Excess of Authorization- viewing, modifying or destroying information without proper authorization/approval and/or legitimate business need.

SCOPE:

This policy is applicable to all members of the Penn State community, and applies to all locations and operations of the University, except for Penn State Health and The Pennsylvania College of Technology, which will follow separate policies. Specifically, the scope of this policy includes:

• Faculty, staff, students, workforce members, visitors to the University, including, but not limited to, visiting scholars, lecturers/instructors, and/or all units and other persons who are acting on, for, or on behalf of the University;
• All institutional data, including but not limited to administrative, teaching and learning, clinical, licensed, or any other data related to the University;
• Third-party vendors who collect, process, share, transmit or maintain university institutional data, whether managed or hosted internally or externally; and
• All devices that access or maintain institutional data.

POLICY:

I. GENERAL INFORMATION SECURITY:

This policy establishes University-wide strategies and responsibilities for protecting the confidentiality, integrity, and availability of information assets that are created, accessed, managed, and/or controlled by the University. Information Assets addressed by the policy include data, information systems, computers, network devices, as well as paper documents.

With this policy and corresponding standards, the University will:

• Establish and maintain a unified institution-wide information assurance program and cybersecurity risk management framework;
• Establish and maintain institution-wide security policies, guidelines, and standards which provide boundaries within which individuals and units will operate;
• Protect institutional data, systems, resources, and services against unauthorized access and other threats or attacks that could potentially result in financial, legal, or reputational harm to the University, members of the University community, or third parties to which the University owes a reasonable duty of care;
• Educate faculty, staff, students, and units on the need for appropriate cybersecurity, and protecting themselves against breach of their systems and unauthorized access to their personal information;
• Establish an exception process for individuals and units with unique needs;
• Support compliance with applicable federal, state or local laws or regulations, and University policies, guidelines, contracts and agreements that obligate the University to implement security safeguards; and
• Ensure Penn State's core mission is not impeded while ensuring the confidentiality, integrity, and availability of university information assets, and reducing and better managing cybersecurity risks.

II. GUIDING PRINCIPLES OF INFORMATION SECURITY:

All faculty, staff, students, and units have an obligation to protect institutional data in accordance with this policy and its supplemental Guidelines and Standards, which take into consideration the University's mission, as well as the level of sensitivity and criticality of the information. The University promotes, supports and adopts an institutional culture that elevates the importance of its overall information security posture by implementation of the following principles:

• One Enterprise Information Assurance Program: The University will remain consistent and adopt one unified approach to information assurance across all campuses and units. It will incorporate security, privacy, risk management, and disaster recovery best practices throughout the information life-cycle, including, but not limited to, the University's enterprise architecture, system and application development, research projects, clinical applications, and IT hardware and software.

The University recognizes that it is organizationally and functionally complex and that campus units, research programs, and clinical care settings will have unique needs, as well as different threats and risk tolerances. Consequently, variation in how this policy and its supporting Guidelines and Standards are implemented will be managed and tracked by the Office of Information Security (OIS) through an exception process.

• Shared Responsibilities: All members of the University community have individual and shared responsibilities to protect the University's information assets and comply with applicable federal and state laws and regulations, and University policies.
• Information Centric: Required security controls are based on the sensitivity of the information. Systems with information classified as "Restricted" or "High" will have much more restrictive controls, while the University will tolerate more risk with information classified as "Moderate" or "Low." Security controls are determined by the highest classification level of information present on the system.
• Location Independence:Information will be hosted by central IT organizations, unit IT organizations and third party cloud providers. Regardless of where the information resides, the same standards will apply to University data.
• Appropriate Use: Faculty, staff, students, and units will act in accordance with the principles included in AD96, Acceptable Use of University Information Resources.
• Risk Management and Acceptance: The Office of Information Security will establish, implement, and maintain a University-wide cybersecurity risk management framework based upon widely accepted national standards. The University, individual units, and, where appropriate, research environments will be responsible for ensuring faculty, staff, students, and units are educated in the area of risk level and management, and conducting annual risk assessments of information systems and applications which store, process, or transmit information classified as "High" and "Restricted." These assessments help to identify risk and appropriately prioritize mitigation strategies that reasonably protect critical infrastructure and services. Having appropriately trained faculty, staff, students, and units allows the University to appropriately allocate resources to reduce information security risk to a level deemed appropriate by University leadership.
• Standards-based: The University will leverage nationally recognized security standards where appropriate and in compliance with applicable state and federal laws and regulations.
• Privacy: The University will balance its cybersecurity obligations with the reasonable privacy expectation of its faculty, staff, students, and units in relation to their personally identifiable information, with the exceptions referenced in AD53, Privacy Policy. Penn State's Privacy Officer will collaboratively develop and maintain privacy policies, standards, guidelines, and best practices to meet legal and compliance obligations.
• Continuous Monitoring: The University will monitor, on an ongoing basis, the security technologies and controls that support this policy, compliance with applicable state and federal requirements, and changes to the University's information systems and technology environment.

III. CLASSIFICATION OF INFORMATION:

The University will use Information Classification to develop Policies, Guidelines and Standards for risk-based protection of information and systems. Information Classifications are based upon the expected risk of harm to individuals and the University if the information were to be subject to unauthorized access or disclosure. Harm may encompass negative psychological, reputational, financial, personal safety, legal, and/or other ramifications to individuals or the University. The classification of information determines the baseline security protections and controls that are appropriate. The University's identified/designated Data Owners are primarily responsible for the implementation of appropriate safeguards and controls, and the safeguards for the highest classification of information applies. Definitions and basic principles of Information Classification are provided below and further supplemented in the supporting Standards.

Note that the examples provided are illustrative, rather than exhaustive. The University, faculty, staff, students, and units will interact with many more specific types of information. In the event that a specific type of information is not listed as an example, the Information Classification will be based upon the Definition of each Classification.

• Payment Card Industry Data Security Standard (PCI-DSS) Data
• Data subject to Federal Information Security Management Act (FISMA) moderate or high standards

• Personally Identifiable Information (PII) as defined in Privacy Policy AD53
• Health Insurance Portability and Accountability Act (HIPAA) data

• Non-PII student records
• Personnel records

• Data made freely available by public sources
• Published data
• Educational data
• Initial and intermediate Research Data

Instructions on handling information classification levels can be located in the standards listed in Section V. OIS will work with Data Owners to determine appropriate classification, as necessary. The CISO will make the final determination when the Data Owner and OIS cannot agree. For informational questions regarding your information classification, please contact security@psu.edu.

IV. USE OF APPROVED IT SERVICES:

Approved information technology infrastructure, services, staff training and facilities are a key method to securing information at the University. Faculty, staff, students, or units, should give preference to utilization of approved IT services where such services are available and appropriate to meet the individual's needs. These approved IT services will be designed to follow specific, level-appropriate information security requirements based on the strategic risk the information represents as well as regulatory and contractual compliance requirements.

V. ADHERENCE TO IT SECURITY STANDARDS AND REQUIREMENTS:

This policy also recognizes the need to accommodate unique research, teaching, and clinical needs that may not be feasible to accomplish through the use of approved IT services. If an approved IT service is not appropriate to meet the needs of faculty, staff, students, or units, level-appropriate information security requirements must be implemented per University Standards. Implementation for each Standard can be located below (click on the link):

• Access, Authentication, and Authorization Management
• Disaster Recovery Planning for Information Systems and Services
• Electronic Data Disposal and Media Sanitization
• Encryption
• Information Assurance and IT Security Awareness, Training, and Education
• Information Security Risk Management
• Network Security
• Physical Security
• Requests for Exception to Information Security Policy
• Secure Coding and Application Security
• Security of Enterprise Application Integration
• Security Log Collection, Analysis, and Retention
• Third Party Vendor Security and Compliance
• Vulnerability Management

This Information Security Policy is supported and supplemented by specific operational, procedural, and technical Guidelines and Standards. These Standards will be enforced in the same manner as this policy.

Each Standard will be owned by a Standard Working Group. The Working Group will be representative of the standard stakeholders and will be led by an OIS staff member and will include members of faculty and/or staff. The Standard Working Groups will be chartered by the CISO. The Standard Working Groups will review their Standard at least quarterly, incorporating input from the University community, changes in the threat, compliance standards, technology and industry best practices.

VI. CERTIFICATION OF UNIT-BASED SYSTEM SECURITY:

Any unit or individual that operates IT systems and/or applications that process information classified as High or Restricted under this policy must have Authority to Operate granted by the Office of Information Security. OIS will grant this authority after performing proper due diligence confirming that the information is properly secured and meeting any compliance requirements. Prior to obtaining the Authority to Operate, a unit or individual may have provisional Authority to Operate by informing OIS and certifying to OIS that the information is properly secured and meeting compliance requirements. OIS is responsible for the processes that grant Authority to Operate and provisional Authority to Operate.

VII. ACCEPTABLE USE:

To create a secure environment in which faculty, staff, students, and units may feel free to create and collaborate without fear that the products of their efforts will be violated by misrepresentation, tampering, destruction, or theft, all individuals must follow AD96, Acceptable Use of University Information Resources.

VIII. SECURITY LIAISON:

Each unit at the University will appoint a Security Liaison. This person will be a conduit for communication between the Office of Information Security (OIS) and the unit. This person does not have to be a security specialist or an IT specialist. However, if the unit has dedicated security staff or an individual who has security duties, then they are the preferred liaison. OIS will maintain a list, complete with contact information. OIS will provide training to all Security Liaisons.

RESPONSIBILITIES:

This matrix spells out the responsibility of high level groups for high level functions. Other more detailed responsibilities may be specified in the Guidelines and Standards.

Functions:

• Risk: The identification, categorization, and oversight of the risk toleration of the University.
• Strategy and Policy: The long term direction for how the University will allocate its resources to meet the appropriate risk level.
• Identification: Knowing and reporting the location, type and sensitivity of information assets in the area of responsibility.
• Protection: Implementation of the safeguards required to adequately protect the information in the area of responsibility.
• Detection: Detecting attempts, unauthorized access, or misuse of information or other cybersecurity event.
• Response: Conduct appropriate actions in response to a cybersecurity event.
• Recovery: Conduct the appropriate activities to restore any capabilities impacted by a cybersecurity event and take appropriate corrective measures.

• University Leaders: Senior Administrators who determine strategy for the University.
• Deans, Chancellors, Unit Directors and Principal Investigators: Leaders who lead a college, campus, academic or administrative unit. These are the Data Owners.
• CISO/OIS: Chief Information Security Officer and the Office of Information Security.
• Unit Security Staff: Staff who are fully or partially responsible for information security in their unit.
• IT Leaders: Leaders responsible for IT in a unit or one of the administrative units whose mission is IT. Includes the University CIO. In the case of IT units, the IT Leader may also be the Data Owner.
• Governance: The committees that provide advice to IT leaders and the CISO. Examples are the President's Council, Academic Leadership Council, Faculty Senate, CISO Advisory Committee, among others. Faculty are strongly represented in Governance.
• Data Owner: Individual responsible for University information.

Responsibilities:

All University faculty, staff, students, and units when acting on behalf of the University, and others granted use of University information are expected to:

• Follow the University’s AD96, Acceptable Use of University Information Resources.
• Understand this Information Assurance and IT Security Policy.
• Be aware of the type of information they store, transmit, process, or otherwise handle and ensure that appropriate action is taken to protect the information in accordance with Penn State Policies and Guidelines.

OVERSIGHT OF THE INFORMATION SECURITY PROGRAM

The CISO will convene a CISO Advisory Committee representative of stakeholders across the University. This committee will be the primary governance mechanism for the Information Security Program. In addition, the CISO will engage appropriate leaders and governance groups for advice on the Information Security Program.

REPORTING SECURITY INCIDENTS:

If any Penn State department or unit reasonably suspects/believes a security incident has occurred, they must immediately notify their local IT staff and the Office of Information Security (security@psu.edu). The local IT staff and OIS will partner to assess the potential implications of the incident, notify the appropriate stakeholders, and take any remedial and necessary actions.

EXCEPTIONS AND EXEMPTIONS:

Exceptions to, or exemptions from, any provision of this Policy or supplemental IT Guidelines and Standards must be approved by the Office of Information Security in accordance with the Requests for Exception to Information Security Policy Standard.

Any questions about the contents of this policy or supplemental IT Guidelines and Standards should be referred directly to the CISO and the Office of Information Security (security@psu.edu) who has the responsibility to interpret the Security Standards.

POLICY VIOLATIONS:

Any Penn State department or unit found to operate in violation of this Policy may be held accountable for remediation costs associated with a resulting information security incident or other regulatory non-compliance penalties, including but not limited to financial penalties, legal fees, and other costs.

Faculty, staff, students, or units who violate this policy and supplemental IT Guidelines and Standards may be subject to disciplinary action.

FURTHER INFORMATION:

For questions, additional details, or to request change to this Policy, please contact the Office of Information Security at security@psu.edu.

CROSS REFERENCES:

Other Policies may also be referenced, especially the following:

AD96- Acceptable Use of University Information Resources

Most recent changes:

• November 23, 2020 - Updated links to Standards (documents moved from Box to SharePoint).

Revision History (and effective dates):

• July 26, 2019 - Updated link to Request for Exception to Information Security Policy Standard under the EXCEPTIONS AND EXEMPTIONS section.
• June 26, 2019 - Updated links to Encryption and Exception to Information Security Policy under the ADHERENCE TO IT SECURITY STANDARDS AND REQUIREMENTS section.
• May 30, 2018 - Updates to include definition of Security Incidents and language pertaining to Reporting a Security Incident.
• September 12, 2017 - Editorial change. Added "/or" to first bullet point under Scope section.
• July 17, 2017 - Policy AD20 is being retired and this policy has been created to to reflect current Information Security standards and best practices.
• July 17, 2017 - New policy