Executive Summary for the Georgetown University Information Security Policy
The objective of the University Information Security Policy is to foster an environment that secures information within the Georgetown University community against threats to privacy, productivity, reputation, or intellectual property rights, in recognition of the vital role that information plays in the University's educational, research, operational, and medical advancement missions. The policy applies comprehensively to all individuals in the community and to all forms of information resources. It details each community member's responsibilities for preventing unauthorized access to physically available information (analog) and, increasingly, electronic information (digital). It is designed to be consistent with University policies and governmental laws that regulate specific types of information. The policy also defines and outlines the responsibilities of those who implement, enforce, and abide by it. Summaries of the classifications of information and definitions of responsibilities follow.
Classifications of Information
The various information resources used in the University's educational, research, and operational missions require different levels of security and protection mechanisms. All information falls under one of the following three classifications:
- 1. Confidential Information:
- Requires the highest level of protection from any unauthorized access or tampering. It covers sensitive information about students, faculty, staff, users of University services and facilities, and the University itself. Certain types of information are additionally governed by more specific laws and policies, such as the Family Educational Rights and Privacy Act (FERPA), which protects personal information about current and former students, and the Health Insurance Portability and Accountability Act (HIPAA), which governs the use of protected health information, among others.
- 2. Internal-use-only:
- Warrants moderate protection from unauthorized access or tampering. Stewards limit the distribution of these documents. Examples of Internal-use-only information are internal memos, correspondence, and other documents whose distribution is limited as intended by the steward.
- 3. Unrestricted information:
- Warrants basic protection from unauthorized tampering. This type of information can be freely disseminated to anyone.
Information security is a responsibility shared by the community. Most responsibilities are assigned to the four roles below, and most individuals take on multiple roles, for example, as both a Steward and a User. In addition to the responsibilities listed, each role carries varying degrees of responsibility for incident reporting and handling. Stewards, Managers, and Information Service Providers are responsible for establishing security policies and procedures. Users are expected to be aware of and to adhere to these and other University policies.
- Stewards:
- Have primary responsibility for information resources. While all information covered by this policy has a Steward, the Steward does not necessarily hold legal title to the information; examples include campus librarians and stewards of information resident in the University's Enterprise Information Systems. Faculty are considered Stewards of their own research and course materials; students are considered Stewards of their own work. Stewards are responsible for setting the right level of security on information. They classify information, determine who is authorized to access it, and, for confidential information, document and retain records of the information until it is disposed of.
- Users:
- Every University community member is an information resource User. Users are responsible for information protection. They are expected to prevent unauthorized access to, and tampering with, all analog and digital communications devices in their possession, including but not limited to securing devices and enclosures, information storage, backup storage, and distributed and transmitted data, and properly disposing of devices and stored information. Users shall prevent unauthorized access to digital information by, among other measures, using stable and secure operating systems, installing access controls such as passwords and remote access authentication, applying current patches, and running an up-to-date virus scanner. Backups and records retention shall comply with applicable University policies and must be secured.
- Managers (of Users):
- Are community members with management or supervisory responsibilities. They take on all responsibilities of Users and, where information resources originate with them, of Stewards. Managers first obtain authorization rights from information Stewards, then authorize Users to access the appropriate information. They also promote information security through User training and awareness.
- Information Service Providers:
- Manage significant information resources and systems for the purpose of making those resources available to others, including campuses, schools, departments, and individuals. They designate Local Information Security Personnel as appropriate. Service Providers are held to the highest information security standards and must play a proactive role in implementing and enforcing security policies, procedures, and business continuity plans. They must install and monitor physical, technical, and administrative access controls on computer systems and network infrastructure. They shall prevent unauthorized access to devices, and must apply and periodically review the access controls granted to each individual User in accordance with policies set by Stewards and the University. For business continuity purposes, they must back up critical information at an offsite location on schedules identified by Stewards. They shall collaborate with the University Information Security Office and the Internal Audit and Management Analysis Department on periodic vulnerability scans, and shall remediate vulnerabilities and/or install the necessary security measures.
A few individuals within the University will have one of the institutional responsibilities below.
- University Information Security Officer:
- Is designated by the Vice President and Chief Information Officer. The individual must stay abreast of security-related news, policies, and best practices in government, at other organizations, and in higher education so that the policies of this University may be revised to address Policy weaknesses. This person's responsibilities include, but are not limited to, working with Managers to train Users; overseeing University network security; investigating Policy violations; recovering from incidents; and coordinating responses and disciplinary actions with the appropriate University members, offices, and departments.
- Local Information Security Personnel:
- Are appointed by Information Service Providers to protect organizational systems and networks and to train personnel. They work closely with the University Information Security Officer to implement and consistently enforce this Policy. They must handle incidents in a manner consistent with that of the University Information Security Officer, and must report all incidents and actions taken to that individual.
- Internal Audit and Management Analysis Department:
- Determines, through periodic audits, whether actual security practices conform to or deviate from this Policy.
- University Counsel:
- Ensures that this Policy is consistent with applicable laws and University policies, and informs the University Information Security Officer of any inadequacies. University Counsel will report criminal offenses to the appropriate law enforcement agency.
The policy will be periodically reviewed and updated based on recommendations of the University Information Security Officer.
March 31, 2003