Information Systems Security Policy
Background
This policy establishes the requirements, roles, and responsibilities for ensuring the confidentiality, integrity, and availability of Davidson IT Services accessed, managed, or controlled by Davidson College (“Davidson”).
Purpose
The purpose of this policy is to ensure the protection of Davidson College’s information technology services, including applications, computing equipment, networks, servers, licensed third party software and systems, telecommunications systems, other technology or communications platforms, and other resources and the data stored in or on any such technology (collectively, “Davidson IT Services” or “IT Services”) from unauthorized access or alteration, as well as damage, intrusion, and misuse.
By implementing this policy, Davidson will:
- Establish standards for ensuring the security and confidentiality of Davidson’s IT Services.
- Establish administrative, technical, and physical safeguards to protect against unauthorized access or use of Davidson’s IT Services.
- Assign responsibility for the security of departmental, administrative, and other critical Davidson IT Services.
This policy applies to all employees (faculty and staff) or, as relevant, students who create or are responsible for Davidson IT Services or who collect, process, transact or transmit Davidson College data as defined in the Data Security Policy. All such individuals must maintain the IT Services for which they are responsible in accordance with this policy and other Davidson policies and regulations.
Policy
1. Framework for Institutional Information Security Decisions
Establishment of Ownership
“Information Security” for the purpose of this policy means the protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. Davidson’s Information Security Program Manager (ISPM), reporting to the Chief Information Officer (CIO) or his or her designee, has the principal obligation for Information Security. This includes, but is not limited to, the execution of Davidson College’s Information Security Plan.
The ISPM will develop policies, standards, procedures, and guidelines with input and review from campus stakeholders, based upon best practices in information security, and in accordance with applicable laws and regulations.
Policies, standards, procedures, and guidelines set minimum requirements and expectations under which Davidson operates and protects the Services. These will be regularly reviewed and updated to properly reflect changing risk conditions and mitigation techniques. At a minimum, information security policies, standards, procedures, and guidelines will be reviewed annually and updated as required.
The ISPM will collaborate with campus leadership and department management to develop information security policies that appropriately address Davidson’s needs. Departments must notify the ISPM of issues requiring attention through policy, as well as any needed policy changes.
Approval
Davidson’s information security policies, standards, procedures, and guidelines shall be consistent with existing laws, regulations, and Davidson culture, and shall support the Davidson mission to develop, educate, and serve its community. Policies will be reviewed and approved according to Davidson’s Policy on Policies (Davidson login required) prior to implementation. As part of implementation, faculty, staff, and students will be notified of the policies.
Exceptions
Individuals or units within Davidson that cannot comply with the requirements of the information systems security program established pursuant to this policy or related security policies must submit a written exception request to the ISPM for review and consideration. Exception requests must include the scope and duration of the exception, business justification, and for exceptions that are temporary, a committed remediation plan to achieve compliance. The ISPM will review the request to ensure proper consideration has been given to the business needs and benefits, and weighed against the security risk to the institution. Requests for policy exceptions must be submitted to and approved by the ISPM or the CIO prior to implementation of the requested exception.
In the event of an emergency, the CIO acting with input from members of Davidson’s Senior Leadership Team has the authority to temporarily suspend a specific information security policy in order to recover from a service outage or incident. The ISPM should be notified of the temporary policy suspension so that efforts can be considered and undertaken, as necessary, to mitigate the risks of any increased security threat.
2. Information Security Roles and Responsibilities
Information Security Program Manager (ISPM)
Davidson’s Information Security Program Manager is responsible for coordinating and overseeing compliance with this policy including investigating and evaluating any incident that may violate this or other policies or information security best practices and, with input from the Vice President and General Counsel, outside counsel, consultants and other resources, determining if a security breach occurred under applicable law.
Technology & Innovation (T&I)
The Technology & Innovation division (T&I) has the primary operational responsibility for Davidson IT Services that receive, create, store, handle, or discard information. T&I shall be responsible for:
- Implementing information security technologies, controls, and services to protect IT Services and data as required by the Information Systems Security Program.
- Granting and revoking user rights and privileged access to IT Services as directed by the ISPM or Product Owners.
- Ensuring availability and recovery of IT Services.
- Abiding by the requirements of the Information Systems Security Program.
Product Owners
Each information technology system, application, server or other service used at Davidson (“IT Service”) must have a designated Product Owner, a named individual maintained on file in the Technology & Innovation division. This individual is responsible for ensuring that each such IT Service complies with this policy, and the Product Owner must report any discovered non-compliance or possible security events promptly to the Information Security Program Manager. Product Owner designations are determined at the Vice President or division head level, and VPs/division heads must promptly name a new Product Owner upon reassignment or the departure of a Product Owner from Davidson employment.
All information and data at Davidson, including that which is stored, processed or transmitted by IT Services, is regulated by the College’s Data Security Policy. Product Owners are responsible for ensuring their IT Services are compliant with the Data Security Policy.
For student-developed IT Services in use at Davidson, a student may be the Product Owner under the supervision of an authorized faculty or staff member, but the faculty or staff member or relevant department or division must name a Product Owner upon the student’s graduation or termination of enrollment from Davidson. The supervising faculty or staff member will become the Product Owner by default if a new Product Owner is not named.
End Users of IT Services (Faculty, Staff, Students)
End Users shall be responsible for abiding by the Davidson College Technology Terms of Service when using IT Services at Davidson.
Third-Party (Vendor) Access
Third parties executing business on behalf of Davidson, in lieu of or in addition to Davidson employees, must agree to follow the information systems security policies. Third parties are expected to be contractually obligated to protect Davidson IT Services to the same degree expected from Davidson employees.
Third parties may only access Davidson IT Services where there is a business need, only with approval of Product Owners, and only with the minimum access needed to accomplish the business objective. A copy of the relevant information security policies and the third party’s role in ensuring compliance must be formally delivered to the third party prior to access being granted, with provisions made to grant the access in a secure manner. In these cases, third parties shall be subject to the same policies and practices as other members of the Davidson community, unless an exception is granted by the ISPM.
Security Obligations in Contracts for Outsourced Services
Contracts with third parties for outsourced information technology services (e.g. SaaS solutions) must include provisions that govern the handling and proper security of all Davidson IT Services. These provisions should clearly define requirements of the third party for protection of Davidson information, and where possible, should provide Davidson the ability to audit the third party as needed in order to ensure information is appropriately protected. Use of the Davidson Technology Contact Addendum is recommended for this purpose.
Davidson offices and departments must provide oversight of all outsourced information technology service providers to ensure their policies and practices regarding information security are consistent with Davidson’s policies.
Third parties may be audited as needed in order to ensure compliance. Davidson data must be protected whether used, housed, or supported by Davidson employees or by third parties.
The policy provisions will be addressed on a go-forward basis for new and renewed contracts. There is no expectation that existing contracts will be renegotiated ahead of their renewal dates to comply with these requirements.
3. Human Resources Security
All employees of Davidson College, whether regular or temporary, full or part-time, and any third parties, contractors, volunteers, or vendors who receive access to IT Services must be aware of, understand, and fulfill their information security responsibilities and requirements for any IT Services that they access.
Davidson’s Human Resources division completes a criminal background check on all prospective employees that must be completed before the first day worked and access to IT Services begins. Faculty/staff sponsoring any access by third parties, contractors, volunteers, or vendors who will access Restricted or Confidential data, as defined in the Data Security Policy, in Davidson IT Services must contact Human Resources to request a criminal background check prior to access to such data being granted.
All employees, students, and third parties sponsored for account access are required to review and accept the Davidson College Technology Terms of Service before completing the self-service account registration process.
The manager or supervisor of employees and third parties (e.g., authorized or approved vendors or contractors) who have access to Davidson IT Services is responsible for ensuring that all such individuals are aware of and fulfill their information security responsibilities. Employee disciplinary processes will include provisions addressing violations of information security policies.
4. Information Systems Access Control
Access to Davidson IT Services that store, process or transmit Restricted or Confidential data as defined in the Data Security Policy will only be provided to End Users based on business requirements, job function, responsibilities, or need-to-know, and such access must be approved by the manager/supervisor, Product Owner, or data steward, as appropriate.
To the greatest extent technically possible, Product Owners will use group membership data derived from Human Resources systems data (such as department or division affiliation or role) to automatically grant and revoke access to IT Services.
All IT Services must use Davidson-authorized single-sign on (SSO) and multifactor authentication, unless an exception has been approved by the Chief Information Officer.
Access to Davidson IT Services will be revoked, and assets, including assigned laptop or desktop and peripherals, must be returned upon termination of employment with the College. If an employee accepts a new position at the College, the outgoing division’s manager is responsible for deactivating access to IT Services no longer needed in the employee’s new role.
Authorized T&I divisional staff with superuser/root-level access to high-risk systems (such as domain administrator roles) are required to use a unique, separate account from their regular campus account to perform such roles, and must only use it for such system administration tasks. Any service accounts, root level passwords, or equivalent that cannot be disabled due to the nature of the relevant system must be stored in T&I’s secure credential enclave or a privileged account management system.
5. Information Security Awareness and Training
The ISPM will develop, implement and manage an information security awareness program to be delivered periodically to Davidson faculty, staff, and certain other authorized users of Davidson IT Services.
To demonstrate basic competency in information security best practices, designated faculty and staff must complete this training as part of the onboarding process, approximately annually thereafter, or as required by the ISPM. Training requirements for Davidson employees are based on job role, division of employment, and scope of data and IT Services access, among other factors; as such, employee information security awareness training needs must be reassessed by managers and supervisors following any change in employee job role or responsibilities.
The Information Security Program Manager will:
- Develop or acquire information security training and test materials.
- Update and revise training and test materials at least annually to reflect current threats and information security best practices.
- Provide the ability to collect feedback regarding the content and efficacy of the training program.
- Track, record, and report training/testing completion rates and other program statistics.
- Ensure compliance with training mandates across the College.
The information security awareness program will review security awareness best practices including information classification and handling and how to identify different forms of social engineering attacks (e.g. phishing, phone scams, impersonation calls); it will also include simulated non-malicious phishing email to assess End User readiness and identify knowledge gaps and areas for continuous improvement.
Training in information security threats and safeguards for T&I staff and Product Owners is mandatory, with the extent of technical training to reflect the individual’s responsibility for configuring and maintaining information security safeguards.
6. IT Service Acquisition, Development, and Maintenance
Acquisition of IT Services, including all technology devices, equipment and peripherals, must be either approved by the Chief Information Officer or purchased by T&I, as specified in the Davidson College Technology Terms of Service.
The Product Owner is responsible for any IT Services written, coded, built or otherwise developed by Davidson staff, including ensuring that the IT Products and their subcomponents (including application stack elements) are free from known security vulnerabilities and follow best practices. Product Owners should be aware that virtually all homegrown/developed software and IT Services will require review and updates on a periodic basis, potentially as frequently as monthly or weekly.
7. Information Systems Operations Security
All Product Owners must coordinate and cooperate with the Information Security Program Manager and other T&I staff to ensure that Davidson IT Services are operationally secure. This includes:
- Ensuring all IT Services meet information security standards for approval at acquisition and on an ongoing basis (for vendor-hosted solutions (Davidson login required), this typically involves review of the EDUCAUSE HECVAT questionnaire submitted by the vendor and ongoing review of vendor security reports);
- Ensuring IT Services (Davidson login required) hosted by Davidson on-campus or in the cloud are configured for routine network and application vulnerability scans and are publicly accessed only through appropriate security measures (such as the web application firewall);
- Resolving any vulnerabilities or risks associated with an IT Product when reported by vulnerability scans, vendor notices, industry or government warnings, etc., including evaluating IT Services for the presence of risky code, modules or components;
- For Davidson-hosted IT Services, using servers and other infrastructure components that are subject to standard configuration and management by T&I to ensure ongoing updates, patches and maintenance;
- Resolving IT Product errors or problems caused by required updates to supporting infrastructure (such as a server operating system security patch causing a problem with the operation of an IT Product);
- Ensuring that IT Services implement data retention schedules for Restricted and Confidential data to ensure that Restricted and Confidential data are not maintained for longer than the business need requires;
- Ensuring that backups of business critical data are captured and maintained in accordance with industry best practices;
- Verifying that Davidson IT Services utilize industry standard encryption methods (Davidson login required), where appropriate, in order to protect the confidentiality and integrity of information, both in transit and at rest;
- Understanding relevant data security and privacy legal requirements such as those of the Gramm-Leach-Bliley Act, the Federal Educational Rights and Privacy Act, the North Carolina Identity Theft Act, the European Union General Data Protection Directive, and other applicable laws and regulations, sufficient to know whether their IT Product(s) must comply with such regulations and ensuring that they do comply if required;
- For any IT Product that collects, processes or transmits credit card information as regulated by Payment Card Industry (PCI) standards, ensuring that only Davidson-authorized security technologies (typically P2PE) are used to avoid bringing other Davidson IT services and the network into compliance scope, and coordinating with third-party vendors to ensure they complete a PCI Attestation of Compliance (AoC) annually.
8. Passwords and Multi-factor Authentication
To protect the confidentiality and integrity of Davidson College data, all Davidson account passwords should follow industry best practices for length, complexity, age, password history, dictionary checks, etc. Additionally, to further strengthen the Davidson environment, multi-factor authentication should be used where possible in line with industry standards and best practices (e.g., following National Institute of Standards and Technology recommendations), and must be used for administrator and superuser access except by approval of the ISPM.
9. Risk Assessment and Management
To ensure information security is implemented and operated as required in Davidson’s policies, standards, procedures, and guidelines, T&I will perform a risk assessment, or other industry standard practices, at planned intervals to assess the institution’s security posture as stated in the Information Security Plan. T&I additionally performs regular automated security vulnerability assessments and participates in processes such as penetration testing as needed to assess possible risks and current remediations, and participates in the College’s financial audits and related processes. Updates on cybersecurity including the ISPM or CIO’s assessment of known risks shall be reported to the College’s Senior Leadership Team, or as appropriate or upon request, to the Davidson College Board of Trustees.
10. Incident Response
The response to information security incidents that threaten the confidentiality, integrity, and availability of Davidson IT Services is managed by Davidson's Incident Response Plan. This internal document identifies the Incident Response Team, roles and responsibilities, and appropriate steps needed to detect, contain, eradicate, and recover from a security incident.
11. Physical and Environment Security
To protect Davidson IT Services from physical threats, access to facilities housing servers and/or network equipment is limited to authorized personnel only. Visitors must be escorted at all times while accessing these areas. Reasonable safeguards should be implemented to protect Davidson equipment from environmental threats, including, but not limited to, water, fire, power failures, and surges.
All technology equipment that is end of life (servers, network equipment, laptops/desktops, etc.) should be disposed of in accordance with the latest industry standard recommendations depending on the potential data elements present.
12. Network Management Security
All networking equipment must be properly configured and maintained at all times. All relevant security updates must be applied in a timely manner to prevent exploitation or compromise. All default user accounts and passwords on network equipment must be changed prior to implementation. Network devices should have a hardened system configuration that includes disabling all unnecessary services. Management interfaces should only be accessible from the Davidson network or with the use of a virtual private network (VPN).
13. Business Continuity and Disaster Recovery
To ensure adequate plans and procedures are in place to enable Davidson to avoid or minimize interruption to any critical functions during and after major failures or disasters, Davidson College will develop and document an appropriate and resilient Business Continuity and Disaster Recovery Plan. This plan will address interruptions to Davidson business activities and protect critical business processes from the effects of major failures or disasters. This plan should be tested periodically based on industry best practices and reviewed at least annually.
Administration of Policy
The CIO shall oversee this policy and review it at least once every two years. Changes to this policy shall be made in accordance with the college’s Policy on Policies.
Last Revised: April 2022
Appendix: Definitions
Each term listed below shall carry the associated meaning in the policy unless otherwise defined.
- access - The ability to view, use, or change information in Davidson IT Services.
- availability - The degree to which information and critical Davidson IT Services are accessible for use when required.
- confidentiality - The degree to which confidential Davidson information is protected from unauthorized disclosure.
- control - Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Controls help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
- End User - The person that a software program or hardware device is designed for and who uses the software or hardware after it has been fully developed, marketed, and installed. End Users include students, faculty, staff, contractors, consultants, and temporary employees.
- IT Services - Davidson College’s information technology services, including applications, computing equipment, networks, servers, licensed third party software and systems, telecommunications systems, other technology or communications platforms, and other resources and the data stored in or on any such technology.
- Information Security - The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional. The focus is on the confidentiality, integrity, and availability of data.
- integrity - The degree to which the accuracy, completeness, and consistency of information is safeguarded to protect the business of the Institution.
- Product Owner - Individual with primary responsibility for overseeing the collection, storage, use, and security of a particular IT Service.
- risk - A probability or threat of damage, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
- security breach - An unauthorized intrusion into a Davidson IT Service where unauthorized disclosure, modification, or destruction of confidential information may have occurred.
- security incident - An attempted or successful unauthorized access, use, disclosure, modification, or destruction of information; interference with IT Service operation; or violation of information security policy.
- threat - An event or condition that has the potential for causing the loss of confidentiality, integrity, and accessibility of Davidson IT Services or data.