Transcription
Date of Last Review: 05-04-2015Information Systems SecurityPolicies/ProceduresStudent Affairs Information TechnologyNorthwestern University1 Page
Contents1.0Introduction . 11.1Purpose . 11.2Scope . 11.3Language . 12.0Definitions . 23.0SAIT Organization . 43.1 User Services and Support . 43.2 Infrastructure and Application Support . 43.3 Application Development . 44.0Applicable Requirements . 54.1Laws, Acts, and Regulations . 54.2Guidelines . 55.0Protection of Student Affairs Information . 65.1Information Classification . 65.2Data Access Management. 65.2.1Access Authorization. 65.2.1.1Eligibility for Data Access . 75.2.1.2Short-term Data Access Authorization . 75.2.1.3Changing Data Access Authorization . 75.2.1.4Revoking Data Access Authorization. 75.2.1.5Protocol for Exchange and Shared Responsibility for Institutional Data . 85.2.2Workforce Member Identification . 85.2.3Workforce Member Authentication . 85.2.3.1Software Applications Authentication . 85.2.3.2Authentication for Services Outside of the University Environment . 95.2.3.3Password Construction Requirements. 95.2.3.4Password Management . 105.2.45.3Shared Accounts . 10Confidentiality . 105.3.1Secure Handling of Social Security Numbers . 105.3.2Data Encryption. 11
5.3.2.1Devices . 115.3.2.2Disk Decryption . 125.3.3Data Search Utilities . 125.4Data Integrity . 125.5Data Backup and Recovery . 125.6Data/Equipment Destruction . 146.0Information Systems Acceptable Usage . 166.1Standard Equipment Configuration . 166.2Personal Computer Configuration . 186.3Software . 186.3.1Patches . 186.3.2Licensing . 196.3.3Reuse . 196.47.0Email. 20Network Security . 217.1Network Service Eligibility. 217.2Network User Rights . 217.3Network User Responsibilities . 227.4Firewalls . 247.4.1Necessity for Firewalls . 247.4.2Installation of Firewalls . 247.4.3PCI Firewall Requirements . 247.5Workstation and Network Access . 257.5.1Logging In . 257.5.2Login Attempts/Lockout . 257.5.3Inactivity . 257.6Network Time Protocol . 257.7Malware . 257.8Server Network Access . 267.9Transmission Security . 267.10Remote Access . 277.10.1Remote Network Access . 27
7.10.1.1VPN. 277.10.1.2SSL VPN . 277.10.2Remote Desktop Access . 277.11Wireless Access . 287.12Secure Web Applications and Coding . 287.13Accountability . 297.13.1Activity Monitoring . 297.13.2Computer, System, or Network Monitoring . 298.0Physical Security. 308.1Facility Security Plan . 308.1.1Physical Access Controls . 308.1.2Power and Environmental Controls . 308.1.3Facility Maintenance Records . 308.2Physical Security Incident Reporting. 308.3Emergency Mode Operation . 308.3.1Emergency Physical Access . 308.3.2Emergency Data Access . 318.4Disaster Recovery Planning . 318.4.1Applications and Data Criticality Analysis and Ranking . 318.4.2Evaluation of Contingency Plans . 318.4.3Testing Contingency Plans . 319.0Personnel Security . 329.1Hiring . 329.1.1Recruiting and Hiring Procedures . 329.1.2Clearances . 329.1.3Business Associates and Third Parties . 329.2Termination and Transfer . 339.2.1Procedure for Exiting Employees . 339.3Sanctions . 339.4Security Training and Awareness . 3310.010.1Information Systems Configuration Management . 34IT Acquisition, Development, and Deployment . 34
10.2Configuration Management. 3410.3Configuration Change Control . 3511.0Information Systems Security Risk Management . 3611.1Risk Identification. 3611.2Risk Analysis/Ranking . 3711.3Risk Mitigation . 3711.4Risk Reevaluation . 3711.5Incident Response and Reporting . 37
1.0IntroductionThis document constitutes an overview of the Student Affairs Information Technology (SAIT) policies andprocedures relating to the access, appropriate use, and security of data belonging to NorthwesternUniversity’s Division of Student Affairs. The policies herein are informed by federal and state laws andregulations, information technology recommended practices, and university guidelines published byNUIT, risk management, and related units.1.1PurposeThis policy is intended to provide a basic understanding of the safeguards instituted by SAIT to protectStudent Affairs data, and to serve as a guide to Student Affairs staff for conduct of business usingtechnology resources. Where applicable, references are provided for relevant university policies,websites, and forms.1.2ScopeThe policies laid out in this document apply to all departments within the Division of Student Affairs.Any person observing a violation of these policies must promptly notify their supervisor and one of thefollowing units: SAIT - sa-help@northwestern.edu, (847) 467-7248NUIT - consultant@northwestern.edu, security@northwestern.edu, (847) 491-4357Ethics and Compliance – www.northwestern.edu/ethics, (866) 294-3545Any request for exceptions to these policies can be submitted to SAIT using the contact informationabove. Requests will be reviewed in committee. Policy owners, data stewards, NUIT security staff, andother authorities may be contacted as necessary for consideration of the request.This document and the policies to which it refers are reviewed on a periodic basis for currency,incorporation of new technologies, and accordance with NUIT policies.1.3LanguageIn order to be inclusive of all members of the Student Affairs community, “they” and “their” will be usedthroughout this document as a gender-neutral singular pronoun.1 Page
2.0DefinitionsBelow are some definitions of key terms and abbreviations used in this document.TermDefinitionA & ASAudit and Advisory Services, the Northwestern office providingindependent assurance and consulting relating to risk management,control, and governance processes.A central identity management service developed by Microsoft forauthentication and authorization services.Active DirectoryCertificateAn electronic document used to verify the identity of originators of data.Certificate AuthorityAn authority in the network that issues and manages security credentialsfor message encryption.Data StewardThe individual(s) responsible for the administration of access to subsets ofinformation.EncryptionThe process of encoding messages to preserve the confidentiality and/orintegrity of data.Enterprise SystemAny central system used as the only delivery platform for an essentialservice, often serving a broad constituency spanning organizationalboundaries.Enterprise Risk Management, a comprehensive, organization-wide set ofprocesses and procedures used to document and manage risk.ERMFederatedAuthenticationAn NUIT service that allows faculty, staff, and students to login toexternally-hosted systems with their Northwestern NetIDs.FirewallHostAny hardware or software designed to examine network traffic usingpolicy statements to block unauthorized access while permittingauthorized communications to or from a network or electronic resource.A set of policy statements or instructions used by a firewall to filternetwork traffic.Any computer connected to a network.Host FirewallA firewall application that addresses a separate and distinct host.HTTP/HTTPSHypertext Transfer Protocol, the application protocol used for most datacommunication on the Web. HTTPS is a version of this protocol that usesSSL/TLS to provide encryption and secure identification of a server.Information Systems Security/Compliance, the Northwestern officeproviding leadership and coordination in the development of policies,standards, and access controls for the safe-guarding of universityinformation assets.Firewall RulesetISS/C2 Page
LDAPMalwareNetIDNetwork DeviceNetwork ExtensionNetwork FirewallNUITPortable Media orDevicesSAITSSL/TLSSSOUniversity NetworkWorkstationsLightweight Directory Access Protocol, a protocol allowing userauthentication against a centrally-maintained identity and passworddatabase.Any malicious piece of software that threatens the confidentiality,integrity, or availability of data on a computer system or network.A unique combination of letters and numbers created and managed byNUIT for use by staff as an electronic identity at Northwestern.Any physical equipment attached to the university network and designedto view, cause, or facilitate the flow of traffic within a network.Any physical equipment attached to the university network designed toincrease the number of available ports for network access.A firewall appliance attached to a network for the purpose of controllingtraffic flow to and from single or multiple hosts or subnets.Northwestern University Information Technology, the central IT unit atNorthwestern.Any transportable object capable of containing data, including but notlimited to cassettes, floppies, CDs, DVDs, SD cards, flash drives, zip drives,and external hard drives.Student Affairs Information Technology, the IT unit for Student Affairs andthe owner of this policy.Secure Sockets Layer and Transport Layer Security, two protocols used toauthenticate servers and clients and to encrypt messages between theauthenticated parties.Single Sign-On, a service offered by NUIT for restricting access to websitesor web-based applications via a single authentication service, requiringonly one credential entry from users to gain access to all participatingsites.All network infrastructure and associated devices provid
May 04, 2015 · The Infrastructure and Application Support team administers the Student Affairs server environment and provides technical support for server-hosted applications used by Student Affairs staff. The team delivers secure and reliable access to Student Affairs data and systems, and works with ven
