Information Security Handbook - UNT SYSTEM


Information Security Handbook
University of North Texas System
University of North Texas
University of North Texas Health Science Center
University of North Texas at Dallas
2020

UNT System Information Security Handbook – Updated August 31, 2020

INFORMATION SECURITY HANDBOOK

1. Introduction
   1.1. Executive Summary
   1.2. Governance
   1.3. Scope and Application
   1.4. Annual Review
2. Information Security Definitions
   2.1. Definitions
3. Structure of the Information Security Handbook
   3.1. Reference
4. Risk Management and Assessment
   4.1. Purpose
   4.2. Requirements
   4.3. Reference
5. Information Security Program
   5.1. Purpose
   5.2. Information Security Program Review
   5.3. Reference
6. Organizational Structure of Information Security
   6.1. Purpose
   6.2. Internal Organization
   6.3. External Organization
   6.4. Reference
7. Human Resource Security
   7.1. Purpose
   7.2. Access Agreements
   7.3. Prior to Employment
   7.4. During Employment
   7.5. Termination or Changes of Employment
   7.6. Reference
8. Asset Management
   8.1. Purpose
   8.2. Responsibility for Information and Information Resource Assets
   8.3. Information Classification and Handling
   8.4. Information Safeguards
   8.5. Reference
9. Access Control
   9.1. Purpose
   9.2. User Access Management
   9.3. User Responsibilities
   9.4. Operating System Access Control
   9.5. Application Access Control
   9.6. Information Access Control
   9.7. Mobile Computing and Teleworking
   9.8. Reference
10. Cryptographic Controls
   10.1. Purpose
   10.2. Requirements
   10.3. Reference
11. Physical and Environmental Security
   11.1. Purpose
   11.2. Secure Areas
   11.3. Equipment Security
   11.4. Equipment Maintenance
   11.5. Reference
12. Operations Security
   12.1. Purpose
   12.2. Operational Procedures and Responsibilities
   12.3. System Planning and Acceptance
   12.4. Protection Against Malware, Malicious, or Unwanted Programs
   12.5. Back-Up
   12.6. Media Handling
   12.7. Electronic Commerce
   12.8. Monitoring
   12.9. Internet Website and Mobile Applications
   12.10. Reference
13. Communications Security
   13.1. Purpose
   13.2. Network Security Management
   13.3. Information Transfer
   13.4. Reference
14. Information System Acquisition, Development, Testing, and Maintenance
   14.1. Purpose
   14.2. Security Requirements of Information Systems
   14.3. Correct Processing in Applications
   14.4. Security in Development and Support Processes
   14.5. Vulnerability Management
   14.6. Information System Maintenance
   14.7. Reference
15. Vendor Relationships
   15.1. Purpose
   15.2. Information Security in Vendor Relationships
   15.3. Documentation Requirements for Initiating Vendor Relationships
   15.4. Vendor Service Delivery Management
   15.5. Changes to Vendor Services
   15.6. Reference
16. Information Security Incident Management
   16.1. Purpose
   16.2. Reporting Information Security Events and Weaknesses
   16.3. Management of Information Security Incidents and Improvements
   16.4. Reference
17. Business Continuity Management
   17.1. Purpose
   17.2. Development of Business Continuity and Disaster Recovery Plans
   17.3. Requirements
   17.4. Reference
18. Compliance with Legal Requirements
   18.1. Purpose
   18.2. Data Protection Laws
   18.3. Acknowledgement of Security Responsibilities
   18.4. Information Systems Audit Considerations
   18.5. Reference
19. Privacy
   19.1. Purpose
   19.2. Responsibilities
   19.3. Privacy and Institutional Websites
   19.4. Reference
20. General Security Exceptions
   20.1. Purpose
21. Sanctions for Violations
Appendix A: System Administrator Code of Ethics
Appendix B: Handbook References
Appendix C: Document Version Log

1. Introduction

1.1. Executive Summary

The University of North Texas System (“UNT System”) Information Security Handbook establishes the information security program framework for the System Administration and Institutions. The UNT System Information Security Handbook contains procedures and standards that support adherence to UNT System Information Security Regulation 6.100. The UNT System is committed to establishing an information security program designed to protect the confidentiality, integrity, and availability of information and information resources. Implementation of an information security program supports business continuity and the management of risk, enables compliance, and maximizes the ability of the System Administration and Institutions to meet their goals and objectives. The Information Security Handbook shall comply with federal and state laws related to information and information resources security, including, but not limited to, the Texas Administrative Code (“TAC”) Title 1 §§ 202 and 203 and the information security framework established in International Standards Organization (“ISO”) 27001 and 27002.

1.2. Governance

The UNT System Information Security Handbook is governed by applicable requirements set forth in 1 TAC §§ 202 and 203 and the information security framework established in ISO 27001 and 27002. Refer to 1 TAC §§ 202 and 203 and ISO 27001 and 27002 if a topic is not addressed in the handbook or if additional guidance is needed.

1.3. Scope and Application

The requirements established in the Information Security Handbook apply to all users of information and information resources of the System Administration and Institutions, including students, faculty, staff, guests, contractors, consultants, and vendors.

1.4. Annual Review

As required by 1 TAC § 202.70, the information security program for the System Administration and Institutions shall be reviewed annually and revised for suitability, adequacy, relevance, and effectiveness as needed; this review shall be performed by a party independent of the information security program. This party shall be designated by the Associate Vice Chancellor and Chief Information Officer and approved by the Chancellor for the System Administration and the President of each Institution or their designees.

2. Information Security Definitions

2.1. Definitions

2.1.1. Access. The physical or logical capability to interact with, or otherwise make use of, information and information resources.

2.1.2. Asset. Anything of value to an organization, including information.

2.1.3. Breach. An incident that results in the compromise of confidentiality, integrity, or availability of information or information resources.

2.1.4. Business Continuity Planning. The process of identifying mission-critical information systems and business functions, analyzing the risks and probabilities of service disruptions and outages, and developing procedures to continue operations during outages and restore those systems and functions.

2.1.5. Category I Confidential Information. Information that requires protection from unauthorized disclosure or public release based on state or federal law (e.g., the Texas Public Information Act, and other constitutional, statutory, and judicial requirements), legal agreement, or information that requires a high degree of confidentiality, integrity, or availability.

2.1.6. Category II Proprietary Information. Information that is proprietary to an Institution or has moderate requirements for confidentiality, integrity, or availability.

2.1.7. Category III Public Information. Information with low requirements for confidentiality, integrity, or availability and information intended for public release as described in the Texas Public Information Act.

2.1.8. Change Management. The process responsible for controlling the life cycle of changes made to information resources that are implemented while maintaining the confidentiality, integrity, and availability of the information resource.

2.1.9. Confidential Information. Information that must be protected from unauthorized disclosure or public release, based on state or federal law (e.g., the Texas Public Information Act, and other constitutional, statutory, judicial, and legal agreement requirements).

2.1.10. Configuration Management. A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

2.1.11. Custodian. A person responsible for implementing the Information Owner-defined controls and access to information and information resources. Custodians are responsible for the operation of an information resource. Individuals who obtain, access, or use information provided by Information Owners, for the purpose of performing tasks, also act as Custodians of the information and are responsible for maintaining the security of the information. Custodians may include employees, vendors, and any third party acting as an agent of, or otherwise on behalf of, the System Administration and Institutions.

2.1.12. Disaster Recovery. The process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster.

2.1.13. Enterprise Information Resource. An information resource that is administered by Information Technology Shared Services (“ITSS”).

2.1.14. High Impact Information Resource. An Information Resource whose loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Such an event could:

2.1.14.1. Cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;

2.1.14.2. Result in major damage to organizational assets;

2.1.14.3. Result in major financial loss; or

2.1.14.4. Result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

2.1.15. Incident. A security event that results in, or has the potential to result in, a breach of the confidentiality, integrity, or availability of information or an information resource. Security incidents result from accidental or deliberate unauthorized access, loss, disclosure, disruption, or modification of information or information resources.

2.1.16. Information Owner. A person with operational authority for specified information and who is responsible for authorizing the controls for generation, collection, processing, access, dissemination, and disposal of that information.

2.1.17. Information Resources. The procedures, equipment, and software employed, designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel including consultants and contractors.

2.1.18. Information Security. The protection of information and information resources from threats in order to ensure business continuity, minimize business risks, enable compliance, and maximize the ability of the System Administration and Institutions to meet their goals and objectives. Information security ensures the confidentiality, integrity, and availability of information and information resources.

2.1.19. Information Security Officer. The Information Security Officer is responsible for developing and administering the operation of an information security program. The Associate Vice Chancellor and Chief Information Officer, or his or her designee, shall appoint an Information Security Officer for the System Administration. The President of each Institution, or his or her designee, shall appoint an Information Security Officer for the Institution. In addition to their administrative supervisors, Information Security Officers will report to and comply with directives from the Associate Vice Chancellor and Chief Information Officer for all security-related matters.

2.1.20. Information Security Program. A collection of controls, policies, procedures, and best practices used to ensure the confidentiality, integrity, and availability of System Administration and Institution owned information and information resources.

2.1.21. Institution. A degree-granting component of the UNT System.

2.1.22. Integrity. The security principle that information and information resources must be protected from unauthorized change or modification.

2.1.23. Least Privilege. The security principle that requires application of the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.

2.1.24. Mission Critical. A function, service, or asset vital to the operation of the Institution, which if made unavailable, would result in considerable harm to the Institution and the Institution’s ability to fulfill its responsibilities.

2.1.25. Network Devices. Hardware components or software services running on common desktop or information resources that communicate over the institution’s network.

2.1.26. Patch. An update to an operating system, application, or other software issued to correct specific problems.

2.1.27. Patch Management. The systematic notification, identification, deployment, installation, and verification of operating system and application software patches.

2.1.28. Penetration Test. A series of activities undertaken to identify and exploit security vulnerabilities.

2.1.29. Personally Identifying Information. Information that alone or in conjunction with other information identifies an individual, including an individual's:

2.1.29.1. Name, social security number, date of birth, or government issued identification number;

2.1.29.2. Mother's maiden name;

2.1.29.3. Unique biometric data, including the individual's fingerprint, voice print, and retina or iris image;

2.1.29.4. Unique electronic identification number, address, or routing code; and

2.1.29.5. Telecommunication access device as defined by Section 32.51, Penal Code.

2.1.30. Privileged Access. An escalated level of resource access that allows changes to information systems and could affect the confidentiality, integrity, or availability of information or information resources. Privileged access is granted to users that are responsible for providing information resource administrative services such as system maintenance, data management, and user support.

2.1.31. Recovery Point Objective (RPO). The maximum tolerable period in which data might be lost from an IT service due to a major incident (i.e., the amount of potential data loss).

2.1.32. Recovery Time Objective (RTO). The duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

2.1.33. Removable Media. Any device that electronically stores information and can be easily transported. Examples of removable media include USB flash drives, CD-ROM, DVD-ROM, external or portable hard drives, laptop computers, tablets, or any other portable computing device with storage capabilities.

2.1.34. Residual Risk. The risk that remains after security controls have been applied.

2.1.35. Risk. The effect on the mission, function, image, reputation, assets, or constituencies considering the probability that a threat will exploit a vulnerability, the safeguards already in place, and the resulting impact.

2.1.36. Risk Assessment. The process of identifying, evaluating, and documenting the level of impact that may result from the operation of an information system on the System Administration or an Institution's mission, functions, image, reputation, assets, or individuals. Risk assessment incorporates threat and vulnerability analysis and considers mitigations provided by planned or in-place security controls.

2.1.37. Security Exception. An exception granted by the Chief Information Security Officer in response to non-compliance resulting from an inability to meet the requirements of an information security policy, standard, or procedure.

2.1.38. System Administration. The central administrative component of the UNT System.

2.1.39. Transaction Risk Assessment. An evaluation of the security and privacy requirements for an interactive web session providing public access to an institution’s information and services.

2.1.40. University of North Texas System. The System Administration and the member Institutions combined to form the UNT System.

2.1.41. User. An individual or automated application authorized to access information or information resources in accordance with the Information Owner-defined controls and access rules.

2.1.42. Vulnerability Assessment. A documented evaluation assessing the extent to which an information resource or data processing conducted by the UNT System Administration or Institutions or by a third party is vulnerable to unauthorized access or harm, is subject to attack, and the extent to which electronically stored information is vulnerable to alteration, damage, erasure, or inappropriate use.

3. Structure of the Information Security Handbook

The structure of the Information Security Handbook is based on the framework established in ISO 27001 and 27002. In addition, requirements of the handbook are consistent with the Information Security Standards established in 1 TAC §§ 202 and 203, as amended.

3.1. Reference

3.1.1. UNT System Information Security Regulation 6.1000

4. Risk Management and Assessment

4.1. Purpose

Risks to information resources must be managed. The expense of security safeguards shall be commensurate with the value of the assets being protected and the liability inherent in regulations, laws, contractual obligations, or other agreements governing the assets. Failure to respond to risks could result in accidental or intentional acceptance of institutional risk by an unauthorized individual.

4.2. Requirements

4.2.1. The UNT System Associate Vice Chancellor and Chief Information Officer will commission a system-wide security risk assessment of information resources consistent with UNT System Administration and Institutional compliance and risk assessment plans.

4.2.2. Risk assessments of mission critical and high-risk information resources shall be conducted annually. All information resources shall be assessed biennially.

4.2.3. The risk assessment process must consider the immediate and future impact of a risk to organizational operations.

4.2.4. Risk assessments must use a standard methodology compatible with 1 TAC § 202.75. Identified risks shall be accepted, rejected, mitigated, or transferred using a defined and documented plan.

4.2.5. The Chancellor for System Administration and the President of each Institution or t
