ISPO-1.0 Information Security Policy
The purpose of this policy is to ensure the protection of the University of Kentucky's (UK) information assets from accidental or intentional unauthorized access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture.
This policy establishes the UK-wide strategies and responsibilities for ensuring the confidentiality, integrity and availability of the information assets that are accessed, managed, and/or controlled by UK. Information assets addressed by this policy include all UK data, information, information systems, computers, network devices and documents regardless of their medium and regardless of their location.
By implementing this policy, UK will:
- Establish a University-wide information security framework to appropriately safeguard access to information resources and services;
- Safeguard against unauthorized access to, use of, or sharing of restricted digital assets that could potentially result in harm to the university or to members of the university community;
- Safeguard against anticipated threats or hazards to the security of information assets;
- Comply with federal, state and local law, UK regulations, policies and agreements binding the university that require it to implement applicable security safeguards.
This policy is applicable to all university students, faculty and staff and to all others granted use of UK information assets. Every user of any of UK’s information assets has some responsibility toward the protection of those assets; some offices and individuals have very specific responsibilities. This policy refers to all UK information assets whether individually-controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated or contracted by the university. This includes networking devices, laptops, tablets, personal digital assistants, telephones, smart phones, wireless devices, personal computers, gaming systems, workstations, mainframes, minicomputers and any associated peripherals and software, regardless of whether used for administration, research, teaching, healthcare or other purposes.
- Members of the UK community have individual and shared responsibilities to safeguard the information assets controlled or managed by the university in accordance with federal, state and local law, university regulations and agreements binding the university.
- Each university unit shall develop, maintain and implement an information security program or, in lieu of its own information security plan, shall follow ITS’s information security program as outlined in its ITS Information Security Policy & Procedures documents. Units implementing cyber security safeguards, policies and practices that are not explicitly addressed by the ITS Information Security Policy & Procedures shall reference and implement the SANS Critical Security Controls and/or the National Institute of Standards and Technology (NIST) cyber security policies, procedures, standards and guidelines (e.g., http://csrc.nist.gov/publications/PubsTC.html, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf).
The program shall include (at least) the following:
- A list of laws and regulations with which the unit must comply that are in addition to the laws and regulations listed in the “Confidential” section of the ISS-6.1 Data Classification Standard,
- A description of any implemented administrative, physical or technical safeguards that are unique to the unit (i.e., safeguards or practices that are exceptions to ITS recommendations and used to safeguard restricted digital assets) and
- An annual program review.
- Each university unit shall identify and track restricted digital assets under its control. Accordingly, ITS’s data classification standards and guidelines, the ISS-6.1 Data Classification Standard, shall be adhered to. Such data classifications are relative to the level of risk that their compromise may pose to the institution.
- Each university unit shall periodically conduct risk assessments around its restricted digital assets. Risk assessments will prioritize risks and recommend appropriate mitigation strategies.
- Each university unit shall report and manage information security incidents in accordance with established policies and guidelines (i.e., the UK Information Security Incident Reporting Policy).
- Each university unit shall implement safeguards that are appropriate to digital asset sensitivity, criticality and the level of risk identified in the risk assessment process.
- In lieu of policies, procedures, standards and guidelines that have been fully vetted and approved by university technology governance committees (per UK Administrative Regulation 10:2), draft policies, procedures, standards and guidelines that have been approved by either the university CISO or the unit’s chief administrative officer shall suffice as valid and appropriate.
IV. RESPONSIBILITIES FOR IMPLEMENTATION
University Deans and Directors are responsible for implementing and ensuring compliance with this policy. Responsibilities include:
- Communicating this policy to their community and ensuring appropriate education and training;
- Designating individuals to unit information security roles, ensuring they are properly trained and ensuring their ongoing participation in university-wide information security activities;
- Ensuring the implementation of information security plans within their units;
- Ensuring unit collaboration on the implementation of the university-wide Information Security Program.
The Chief Information Security Officer is responsible for:
- Directing and coordinating the University-wide Information Security Program;
- Developing, vetting, gaining approval for, and maintaining this and all supporting information security policies, procedures, standards, and guidelines;
- Determining unit-level compliance with this policy;
- Providing a focal point for oversight of serious security incidents as indicated in the UK Information Security Incident Reporting Policy;
- Establishing security metrics, tracking the progress of the Information Security Program and providing a University-wide risk profile;
- Assisting units in fulfilling their information security requirements; and
- Annually reviewing/assessing the UK information security program and making appropriate recommendations and changes.