Information Security Service Requirements
Effective Date: 11/21/2017
Responsible Officer: Charles Bartel, Assistant Vice President and Chief Information Officer
The Information Security Service Requirement defines and describes the responsibilities and required practices for all members of the community with respect to information security and the protection of University data and information. This service requirement applies to all faculty, staff, students, third-party agents and other University affiliates who utilize Duquesne University information, data, and computing environments.
Duquesne University relies on a wide range of computing environments to meet its educational, community engagement, financial and operational requirements. It is therefore imperative that computer data, hardware, networks, and software be adequately protected and safeguarded against alteration, damage, theft, or unauthorized access & use.
2. Organizational and Functional Responsibilities:
A. Computing and Technology Services (CTS). CTS has overall responsibility ensuring the implementation, enhancement, monitoring and enforcement of the Information Security Program. The Assistant Vice President/Chief Information Officer (CIO) will ensure that the organization structure is in place for:
i. Coordinating and implementing information security policies, standards and procedures;
ii. assigning information security responsibilities;
iii. implementing an information security awareness program;
iv. responding to IT security incidents;
v. leading major initiatives to enhance IT security;
vi. monitoring significant changes in the exposure of information assets to major threats, legal or regulatory requirements.
b. Director of Information Security. The Director of Information Security under the direction of the Assistant Vice President/Chief Information Officer (CIO) is responsible developing and managing a comprehensive cyber-security program. The Director of Information Security is responsible for directing and coordinating the University-wide information security polices, standards and procedures; implementing an information security awareness program; monitoring significant changes in the exposure of information assets to major threats; responding to IT security incidents; investigating all alleged information security violations; leading major initiatives to enhance information security.
c. Information Technology (IT) Support Staff. IT support staff have responsibility for managing the information data and computing environments at Duquesne University. It is their responsibility to support the Information Security Program and provide resources needed to enhance and maintain a level of information security consistent with industry best practices to protect the University. These individuals and organization have the following responsibilities in relation to information security:
i. ensuring processes, policies and requirements are identified and implemented relative to information security requirements defined by the University;
ii. ensuring the proper security controls are implemented for which the University has assigned ownership responsibility, based on the University's classification designations;
iii. ensuring that appropriate information security requirements for user access to automated information are defined for files, databases, and physical devices assigned to their areas of responsibility;
iv. ensuring that critical data and recovery plans are backed up and the associated recovery plans are developed jointly with data owners.
d. University Community Members. It is the responsibility of University Community Members to protect University information and resources, including passwords, and to report suspected information/computer security incidents to one or more of the following: the information owner, CTS Help Desk, the Director of Information Security or General Counsel. University Community Members are expected to follow all university policies and CTS service requirements. Individuals can find a list of the IT related policies and service requirements at http://duq.edu/about/campus/computing-and-technology/policies.
3. Information Security Service Requirements:
a. All stored and transmitted electronic information regardless of form or format is an asset and must be protected from its creation, through its useful life, and to its authorized disposal. It must be maintained in a secure, accurate and reliable manner and be readily available for authorized use. Information must be classified and protected per the CTS Data Governance Service Requirements (http://duq.edu/about/campus/computing-and-technology/policies).
b. Information is one of the University's most valuable assets and the University relies upon that information to support our mission. The quality and availability of that information is central to the University's ability to carry out its mission. Therefore, the security of the University's information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorized user of University information has an obligation to preserve and protect University information assets in a consistent and reliable manner. Information security controls provide the necessary physical, logical and procedural safeguards to accomplish those goals.
c. Confidentiality / Integrity / Availability: All University information must be protected from unauthorized access to help ensure the information's confidentiality and maintain its integrity. Information owners will secure information within their jurisdiction based on the information's value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery.
d. Individual Accountability: Individual accountability is the cornerstone of any information security program. Without it, there can be no information security. Individual accountability is required when accessing all University resources, and includes:
i. access to University computer systems and networks must be provided through the use of individually assigned unique computer identifiers, known as user-IDs;
ii. individuals who use University computers must only access information assets to which he or she is authorized;
iii. authentication tokens associated with each user-ID, such as a password, must be used to authenticate the person accessing the data, system or network. Passwords, tokens or similar technology must be treated as confidential information, and must not be disclosed. Transmission of such authentication information must be made only over secure mechanisms;
iv. each individual is responsible to reasonably protect against unauthorized activities performed under his or her user-ID; v. User ids and passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared except where approved for groups/shared small group accounts.
4. Incident Management Process and Procedures:
a. Information Security incidents will be logged and used by the University for regulatory purposes and to determine appropriate remediation and controls to limit the potential of future incidents.
b. Incident Response Plan. The Information Security Director is responsible for developing and publishing an Incident Response Plan (IRP) for the University. That plan will be posted and available at http://duq.edu/about/campus/computing-and-technology/policies.
c. Incident Response Team. The Incident Response Plan (IRP) will establish an Incident response team (IRT). This team is responsible for handling reported information security incidents for the University.
d. Reporting of Information Security Incidents. Campus community members are to report any suspected or confirmed Information Security incident to the information owner, CTS Help Desk (firstname.lastname@example.org or 412-396-4357), the Director of Information Security or General Counsel. This includes but is not limited to viruses, works, spyware, malicious attack and activity, denial of service, breaches of confidentiality or the disclosure of restricted University data.
The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, university disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.
The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.