ITS Information Security Policy & Procedures

Information Security Policy Cross Reference


Purpose

The following is a list of the information security policies, procedures, standards and guidelines that have either already been developed, vetted, approved and implemented, or that still need to be developed, vetted, approved and/or implemented at the University of Kentucky (including documents that may only exist in draft format). This list, the associated documents, the external URLs and the documents being developed represent the UK Information Security Program and are proffered to give UK units guidance on how best to safeguard the institution’s information and digital assets.

Each University unit shall develop, maintain and implement an information security program or, in lieu of its own information security program, shall follow ITS’s information security program as outlined in its ITS Information Security Policy & Procedures documents. At no time shall a University unit information security-related policy, procedure, standard or guideline be less stringent than those documented in ITS’s information security program.

Units wanting to or required to implement information security safeguards, policies and practices that are not explicitly addressed by the ITS Information Security Policy & Procedures shall reference and implement the SANS Critical Security Controls and/or the National Institute of Standards and Technology (NIST) cyber security policies, procedures, standards and guidelines (i.e., http://csrc.nist.gov/publications/PubsTC.html, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.)

In lieu of policies, procedures, standards and guidelines that have been fully vetted and approved by the UK information technology governance committees (per UK Administrative Regulation 10:2), draft policies, procedures, standards and guidelines that have been published by the university CISO or approved by the unit’s chief administrative officer shall be considered valid and appropriate (and against which audits may be performed).

Cross Reference Structure & Naming Conventions

This cross reference and the ITS Information Security Policy & Procedures are organized into chapters similar to the NIST Cybersecurity Framework[1] categories and subcategories, NIST SP 800-53’s Family Names[2], and ISO 27002 Security Control Clauses[3] (which also closely resemble COBIT[4] control objectives).

The policies, procedures, standards and guidelines that comprise the ITS Information Security Program are named and numbered according to their chapter and document type:

  Type       Prefix  Numbering                                          Description
  Policy     ISPO    <chapter #> <sequential number w/in the chapter>   typically a high-level guiding principle
  Procedure  ISPR    <chapter #> <sequential number w/in the chapter>   document written to support a policy directive
  Standard   ISS     <chapter #> <sequential number w/in the chapter>   requirement in regard to a technical system
  Guideline  ISG     <chapter #> <sequential number w/in the chapter>   statement by which to determine a course of action

For example, the high-level guiding principle that justifies and describes the UK Information Security Program is ISPO-1.0 Information Security Policy.


[1] www.nist.gov/cyberframework/

[2] NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Revision 4, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf, is the most recent version as of December 2014.

[3] ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security controls, www.iso27002security.com/html/27002.html

[4] COBIT (Control Objectives for Information and Related Technology), www.isaca.org/COBIT

Cross Reference of ITS Information Security Policies, Procedures, Standards & Guidelines

Each entry lists the Description, the UK Information Security Document, the NIST Cybersecurity Framework Subcategory, the NIST SP 800-53 “Family Name” and the ISO 27002 Control.

Information Security Policy
  Document: ISPO-1.0
  NIST CSF Subcategory: ID.GV: Organizational information security policy is established including the policies, procedures & processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements.
  NIST SP 800-53 Family: controls from all families
  ISO 27002 Control: A.5 Security Policy

Acceptable Use Policy
  Document: UK Administrative Regulation 10:1
  NIST CSF Subcategory: ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce are established
  NIST SP 800-53 Family:
    AC-1 Access Control Policy and Procedures
    IA-1 Identification and Authentication Policy & Procedures
  ISO 27002 Control:
    A.6.1.1 Mgmt Commitment
    A.10.10 Monitoring
    A.11 Access Control
    A.15.2 Compliance with security policies & standards, and technical compliance

Governance
  Document:
    UK Governing Regulations
    UK Administrative Regulations
    UK Administrative Regulation 10:1
    UK Administrative Regulation 10:2
    UK Office of General Counsel
    UK Risk Management
    UK Risk Management Advisory Committee
    UKHC Corporate Compliance
    UK Office of the Registrar
    UK Records Program
  NIST CSF Subcategory:
    ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce are established
    ID.GV: The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk
  NIST SP 800-53 Family:
    AC-1 Access Control Policy and Procedures
    IA-1 Identification and Authentication Policy & Procedures
    AR-1 Governance and Privacy Program
  ISO 27002 Control:
    A.6.1 Internal organization
    A.10.10 Monitoring
    A.11 Access Control
    A.15.2 Compliance with security policies & standards, and technical compliance

Social Media Policies and Guidelines
  Document: UK Administrative Regulation 10:4
  NIST CSF Subcategory: ID.GV: The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk
  NIST SP 800-53 Family: controls from all families
  ISO 27002 Control: A.15 Compliance

Compliance
  Document: ISPO-1.1
  NIST CSF Subcategory: ID.GV: The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk
  NIST SP 800-53 Family: controls from all families
  ISO 27002 Control: A.15 Compliance

Peer-to-Peer File Sharing
  Document: ISPO-1.2
  NIST CSF Subcategory: ID.GV: The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk
  NIST SP 800-53 Family: controls from all families
  ISO 27002 Control: A.15 Compliance

Copyright Infringement Complaint Procedures
  Document: ISPR-1.3
  NIST CSF Subcategory: ID.GV: The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk
  NIST SP 800-53 Family: controls from all families
  ISO 27002 Control: A.15 Compliance

Access Control
  Document: ISPO Chapter 2
  NIST CSF Subcategory: PR.AC: Access to assets and associated facilities is limited to authorized users, processes, or devices and to authorized activities and transactions.
  NIST SP 800-53 Family:
    AC-1 Access Control Policy and Procedures
    IA-1 Identification and Authentication Policy & Procedures
  ISO 27002 Control: A.11 Access Control

Awareness & Training
  Document: ISPO Chapter 3
  NIST CSF Subcategory: PR.AT: The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures and agreements.
  NIST SP 800-53 Family: AT-1 Security Awareness and Training Policy and Procedures
  ISO 27002 Control: A.8.2.2 Awareness, Education & Training

Audit & Accountability
  Document: ISPO Chapter 4
  NIST CSF Subcategory: DE.CM: The information system and assets are monitored at discrete intervals to identify cybersecurity events & verify the effectiveness of protective measures.
  NIST SP 800-53 Family: AU-1 Audit and Accountability Policy and Procedures
  ISO 27002 Control:
    A.10.10 Monitoring
    A.15.3 Information Systems Audit Considerations

Assessment
  Document: ISPO Chapter 5
  NIST CSF Subcategory: ID.RA: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets & individuals.
  NIST SP 800-53 Family:
    RA-1 Risk Assessment Policy & Procedures
    PM-5 Information System Inventory
    CA-2 Security Assessments
  ISO 27002 Control:
    A.6.3 External Parties
    A.15.2 Compliance with security policies & standards, and technical compliance

Applications Assessment/Evaluation Guide
  Document: ISG-5.1
  NIST CSF Subcategory: ID.GV: The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk
  NIST SP 800-53 Family: controls from all families
  ISO 27002 Control: A.15 Compliance

OWASP (The Open Web Application Security Project) Testing Guide
  Document: OWASP Testing Guide
  NIST CSF Subcategory: ID.GV: The policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk
  NIST SP 800-53 Family: controls from all families
  ISO 27002 Control: A.15 Compliance

Configuration Management
  Document: ISPO Chapter 6
  NIST CSF Subcategory:
    ID.AM: The data, personnel, devices, systems and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
    PR.IP: Security policies (that address purpose, scope, roles, responsibilities, management commitment and coordination among organizational entities), processes and procedures are maintained and used to manage protection of information systems and assets.
    ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  NIST SP 800-53 Family: CM-1 Configuration Management Policy and Procedures
  ISO 27002 Control:
    A.7 Asset Management
    A.10.1 Operational procedures & responsibilities
    A.12.4 Security of system files
    A.12.5 Security in development & support processes

Data Classification Standard
  Document: ISS-6.1
  NIST CSF Subcategory: ID.AM-5: Resources are prioritized based on their classification, criticality & business value
  NIST SP 800-53 Family: RA-2 Security Categorization
  ISO 27002 Control:
    A.7 Information Classification
    A.10.9.3 Publicly available information
    A.12.1.1 Security requirements analysis and specification

Server Standard
  Document: ISS-6.2
  NIST CSF Subcategory:
    ID.AM-1: Physical devices and systems within the organization are inventoried.
    ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
  NIST SP 800-53 Family: RA-2 Security Categorization
  ISO 27002 Control:
    A.7 Information Classification
    A.12.1.1 Security requirements analysis and specification

Smart Phones and Mobile Storage Device Standard
  Document: ISS-6.3
  NIST CSF Subcategory:
    ID.AM-1: Physical devices and systems within the organization are inventoried.
    ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
  NIST SP 800-53 Family: RA-2 Security Categorization
  ISO 27002 Control:
    A.7 Information Classification
    A.12.1.1 Security requirements analysis and specification

Contingency Planning
  Document: ISPO Chapter 7
  NIST CSF Subcategory:
    ID.AM: The data, personnel, devices, systems and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
    ID.BE: The organization’s mission, objectives, stakeholders and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities and risk management decisions.
    PR.DS-4: Adequate capacity to ensure availability is maintained.
    PR.IP-4: Backups of information are conducted, maintained & tested periodically.
    PR.IP-9: Response plans (incident response and business continuity) & recovery plans (incident recovery and disaster recovery) are in place and managed.
  NIST SP 800-53 Family: CP-1 Contingency Planning Policy and Procedures
  ISO 27002 Control: A.14 Business continuity management

Identification & Authentication
  Document: ISPO Chapter 8
  NIST CSF Subcategory: PR.AC: Access to assets and associated facilities is limited to authorized users, processes, or devices and to authorized activities and transactions.
  NIST SP 800-53 Family:
    AC-2 Acct Mgmt
    IA Family
  ISO 27002 Control:
    A.8.3.3 Removal of access rights
    A.11.2 User access management
    A.11.4.2 User authentication for external connections
    A.11.4.3 Equipment identification in networks
    A.11.5 Operating system access control

Electronic Signatures Policies and Procedures
  Document: Administrative Regulation 10:5
  NIST CSF Subcategory: ID.GV-3: Legal & Regulatory requirements regarding cybersecurity
  NIST SP 800-53 Family: IA-5
  ISO 27002 Control:
    A.10.8 Exchange of information
    A.10.9 Electronic commerce services

Password Standard - current; Password Standard - proposed
  Document:
    ISS-8.1 - current
    ISS-8.1 - proposed
  NIST CSF Subcategory: ID.GV-3: Legal & Regulatory requirements regarding cybersecurity
  NIST SP 800-53 Family: IA-5
  ISO 27002 Control: A.11.2.3 User password management

Incident Response
  Document: ISPO Chapter 9
  NIST CSF Subcategory: RS.RP: Response processes & procedures are executed and maintained, to ensure timely response to detected/reported cybersecurity events.
  NIST SP 800-53 Family: IR-1 Incident Response Policy and Procedures
  ISO 27002 Control: A.13 Information Security Incident Mgmt

Security Breach Notification Policy
  Document: ISPO-9.0
  NIST CSF Subcategory:
    RS.CO: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement and state agencies.
    RS.AN: Analysis is conducted to ensure adequate response and support recovery activities
  NIST SP 800-53 Family:
    IR-1 Incident Response Policy and Procedures
    SI-5 Security Alerts, Advisories, and Directives
  ISO 27002 Control: A.13.2 Mgmt of information security incidents & improvements

Incident Response Procedure
  Document: ISPR-9.1
  NIST CSF Subcategory:
    RS.CO: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement and state agencies.
    RS.AN: Analysis is conducted to ensure adequate response and support recovery activities
  NIST SP 800-53 Family:
    IR-1 Incident Response Policy and Procedures
    SI-5 Security Alerts, Advisories, and Directives
  ISO 27002 Control: A.13.2 Mgmt of information security incidents & improvements

Incident Response Policy
  Document: ISPO-9.2
  NIST CSF Subcategory:
    RS.CO: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement and state agencies.
    RS.AN: Analysis is conducted to ensure adequate response and support recovery activities
  NIST SP 800-53 Family:
    IR-1 Incident Response Policy and Procedures
    SI-5 Security Alerts, Advisories, and Directives
  ISO 27002 Control: A.13.2 Mgmt of information security incidents & improvements

Incident Management Policy
  Document: Service Now KnowledgeBase KB0010212
  NIST CSF Subcategory:
    RS.CO: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement and state agencies.
    RS.AN: Analysis is conducted to ensure adequate response and support recovery activities
  NIST SP 800-53 Family:
    IR-1 Incident Response Policy and Procedures
    SI-5 Security Alerts, Advisories, and Directives
  ISO 27002 Control: A.13.2 Mgmt of information security incidents & improvements

Maintenance
  Document: ISPO Chapter 10
  NIST CSF Subcategory: PR.MA: Maintenance and repairs of industrial assets are performed consistent with policies and procedures.
  NIST SP 800-53 Family: MA-1 System Maintenance Policy & Procedures
  ISO 27002 Control:
    A.9.2.4 Equipment maintenance
    A.10.1.1 Documented operating procedures
    A.10.2.3 Managing changes to third-party services
    A.12.6.1 Control of technical vulnerabilities
    A.13.1 Reporting information security events and weaknesses
    A.15.2.1 Compliance with security policies and standards

Media Protection
  Document: ISPO Chapter 11
  NIST CSF Subcategory: PR.PT-2: Removable media is protected and its use restricted according to policy
  NIST SP 800-53 Family: MP-1 Media Protection Policy & Procedures
  ISO 27002 Control:
    A.7 Asset Mgmt
    A.8.2.2 Awareness, education, and training
    A.10.7 Media handling

Physical/Environmental
  Document: ISPO Chapter 12
  NIST CSF Subcategory:
    ID.AM-1: Physical devices and systems within the organization are inventoried
    DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
    PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met.
  NIST SP 800-53 Family: PE-1 Physical and Environmental Protection Policy and Procedures
  ISO 27002 Control: A.9 Physical and environmental security

Physical Security - McVey Hall Data Center
  Document: ISPR-12.1
  NIST CSF Subcategory:
    DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
    PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met.
  NIST SP 800-53 Family: PE-1 Physical and Environmental Protection Policy and Procedures
  ISO 27002 Control: A.9 Physical and environmental security

Planning
  Document: ISPO Chapter 13
  NIST CSF Subcategory:
    ID.BE-3: Priorities for organizational mission, objectives and activities are established and communicated.
    ID.GV-4: Governance and risk management processes address cybersecurity risks.
    ID.RA-6: Risk responses are identified and prioritized.
  NIST SP 800-53 Family:
    PM-9 Risk Mgmt Strategy
    PM-11 Mission/Business Process Definition
    SA-14 Criticality Analysis
  ISO 27002 Control: N/A

Planning
  Document:
    UK Governing Regulations
    UK Administrative Regulations
    The UK Strategic Plan
    UK Office of Institutional Effectiveness
    University Budget Office - Planning
    UK Risk Management Advisory Committee
    UK Administrative Regulation 10:2
    ITS Strategic Plans
  NIST CSF Subcategory:
    ID.BE-3: Priorities for organizational mission, objectives and activities are established and communicated.
    ID.GV-4: Governance and risk management processes address cybersecurity risks.
    ID.RA-6: Risk responses are identified and prioritized.
  NIST SP 800-53 Family:
    PM-9 Risk Mgmt Strategy
    PM-11 Mission/Business Process Definition
    SA-14 Criticality Analysis
  ISO 27002 Control:
    A.6.1 Internal organization
    A.10.10 Monitoring
    A.11 Access Control
    A.15.2 Compliance with security policies & standards and technical compliance

Personnel Security
  Document: ISPO Chapter 14
  NIST CSF Subcategory: PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
  NIST SP 800-53 Family: PS-1 Personnel Security Policy and Procedures
  ISO 27002 Control: A.8 HR Security

Pre-employment Screening
  Document: UK HR Policy # 11.0
  NIST CSF Subcategory: PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
  NIST SP 800-53 Family: PS-1 Personnel Security Policy and Procedures
  ISO 27002 Control: A.8 HR Security

System & Services Acquisition
  Document: ISPO Chapter 15
  NIST CSF Subcategory: N/A
  NIST SP 800-53 Family: SA-1 System and Services Acquisition Policy & Procedures
  ISO 27002 Control: A.12 Information systems acquisition, development and maintenance

Systems Acquisition
  Document: Administrative Regulation 10:3
  NIST CSF Subcategory: N/A
  NIST SP 800-53 Family: SA-1 System and Services Acquisition Policy & Procedures
  ISO 27002 Control: A.12 Information systems acquisition, development and maintenance

Applications Assessment/Evaluation Guide
  Document: ISG-5.1
  NIST CSF Subcategory: N/A
  NIST SP 800-53 Family: SA-1 System and Services Acquisition Policy & Procedures
  ISO 27002 Control: A.12 Information systems acquisition, development and maintenance

Business Procedures
  Document: UK Business Procedures Manual
  NIST CSF Subcategory: N/A
  NIST SP 800-53 Family: SA-1 System and Services Acquisition Policy & Procedures
  ISO 27002 Control: A.12 Information systems acquisition, development and maintenance

Systems & Communications
  Document: ISPO Chapter 16
  NIST CSF Subcategory: PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.
  NIST SP 800-53 Family:
    AC-4 Information Flow Enforcement
    SC-1 System and Communications Protection Policy and Procedures
  ISO 27002 Control:
    A.10.6 Network security management
    A.10.8 Exchange of information

Network Policies
  Document:
    ITS Network Policies
    General Responsibilities
  NIST CSF Subcategory: PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.
  NIST SP 800-53 Family:
    AC-4 Information Flow Enforcement
    SC-1 System and Communications Protection Policy and Procedures
  ISO 27002 Control:
    A.10.6 Network security management
    A.10.8 Exchange of information

System & Information Integrity
  Document: ISPO Chapter 17
  NIST CSF Subcategory: PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity and availability of information.
  NIST SP 800-53 Family: SC-1 System and Communications Protection Policy and Procedures
  ISO 27002 Control:
    A.10.4 Protection against malicious and mobile code
    A.12 Information systems acquisition, development and maintenance

Digital Certificates Policy
  Document: ISPO-17.1
  NIST CSF Subcategory: PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity and availability of information.
  NIST SP 800-53 Family: SC-1 System and Communications Protection Policy and Procedures
  ISO 27002 Control:
    A.10.4 Protection against malicious and mobile code
    A.12 Information systems acquisition, development and maintenance

Cellular Devices
  Document: Cellular Devices Policy & Procedures
  NIST CSF Subcategory: PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity and availability of information.
  NIST SP 800-53 Family: SC-1 System and Communications Protection Policy and Procedures
  ISO 27002 Control:
    A.10.4 Protection against malicious and mobile code
    A.12 Information systems acquisition, development and maintenance

Applications Assessment/Evaluation Guide
  Document: ISG-5.1
  NIST CSF Subcategory: PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity and availability of information.
  NIST SP 800-53 Family: SC-1 System and Communications Protection Policy and Procedures
  ISO 27002 Control:
    A.10.4 Protection against malicious and mobile code
    A.12 Information systems acquisition, development and maintenance

OWASP (The Open Web Application Security Project) Developer Guide
  Document: OWASP Developer Guide
  NIST CSF Subcategory: PR.DS: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity and availability of information.
  NIST SP 800-53 Family: SC-1 System and Communications Protection Policy and Procedures
  ISO 27002 Control:
    A.10.4 Protection against malicious and mobile code
    A.12 Information systems acquisition, development and maintenance