Information Security Service Requirements
Effective date: 07/01/2021
Last updated: 09/24/2021
The Information Security Service Requirement defines and describes the responsibilities and required practices for all members of the community with respect to information security and the protection of University data and information. This service requirement applies to all faculty, staff, students, third-party agents and other University affiliates who utilize Duquesne University information, data, and computing environments.
Duquesne University relies on a wide range of computing environments to meet its educational, community engagement, financial and operational requirements. It is therefore imperative that computer data, hardware, networks, and software be adequately protected and safeguarded against alteration, damage, theft, or unauthorized access or use.
Organizational and Functional Responsibilities
University Community Members
It is the responsibility of University Community Members to:
- Protect University information and resources, including passwords;
- Report suspected information/computer security incidents to one or more of the following: the information owner, CTS Help Desk, the Director for Information Security and Chief Information Security Officer or General Counsel.
- Follow all university policies and CTS service requirements. Individuals can find a list of the IT-related policies and service requirements at http://duq.edu/about/campus/computing-and-technology/policies.
Vice President for Information Technology and Chief Information Officer (VP for IT & CIO)
The VP for IT & CIO has overall responsibility for ensuring the implementation, enhancement, monitoring and enforcement of the Information Security Program.
The VP for IT & CIO will ensure that the organizational structure is in place for:
- Coordinating and implementing information security policies, standards and procedures;
- Assigning information security responsibilities;
- Implementing an information security awareness program;
- Responding to IT security incidents;
- Leading major initiatives to enhance IT security;
- Monitoring significant changes in the exposure of information assets to major threats and in legal or regulatory requirements.
Assistant Vice President and Chief Information Security Officer (AVP & CISO)
The AVP/CISO, under the direction of the VP for IT & CIO, is responsible for developing and managing a comprehensive cyber-security program that provides:
- University-wide information security policies, standards and procedures;
- An information security awareness program; monitoring significant changes in the exposure of information assets to major threats;
- Response plan for IT security incidents;
- Investigations of all alleged information security violations;
- Development and implementation of major initiatives to enhance information security at Duquesne University.
Information Security Team
The Information Security staff are responsible for the daily operations and support of Information Security systems and services, which includes the following:
- Develop, maintain and enforce information security processes, policies and requirements.
- Monitor and alert on security threats and risks to the University.
- Provide training awareness programs to the University community.
- Implement and support security solutions and technology.
- Operate and enforce the University incident response plan.
Information Technology (IT) Support Staff
IT support staff are responsible for managing the information, data and computing environments at Duquesne University. It is their responsibility to support the Information Security Program and provide the resources needed to enhance and maintain a level of information security consistent with industry best practices to protect the University. These individuals and organizations have the following responsibilities to ensure a secure information environment at Duquesne University:
- Oversee and validate that the proper security controls are implemented for the assets for which the University has assigned them ownership responsibility, based on the University's classification designations.
- Validate that appropriate information security requirements for user access to automated information are defined for files, databases, and physical devices assigned within various areas of responsibility at the University.
- Confirm that critical data are backed up and that the associated recovery plans are developed jointly with data owners.
Information Security Service Requirements
- All stored and transmitted electronic information regardless of form or format is an asset and must be protected from its creation, through its useful life, and to its authorized disposal. It must be maintained in a secure, accurate and reliable manner and be readily available for authorized use. Information must be classified and protected per the CTS Data Governance Service Requirements (http://duq.edu/about/campus/computing-and-technology/policies).
- Information is one of the University's most valuable assets and the University relies upon that information to support our mission. The quality and availability of that information is central to the University's ability to carry out its mission. Therefore, the security of the University's information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorized user of University information has an obligation to preserve and protect University information assets in a consistent and reliable manner. Information security controls provide the necessary physical, logical and procedural safeguards to accomplish those goals.
- Confidentiality / Integrity / Availability: All University information must be protected from unauthorized access to help ensure the information's confidentiality and maintain its integrity. Information owners will secure information within their jurisdiction based on the information's value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery.
- Individual Accountability: Individual accountability is the cornerstone of any information security program. Without it, there can be no information security. Individual accountability is required when accessing all University resources and includes:
- Access to University computer systems and networks must be provided through the use of individually assigned unique computer identifiers, known as user-IDs;
- Individuals who use University computers must only access information assets to which he or she is authorized;
- Authentication tokens associated with each user-ID, such as a password, must be used to authenticate the person accessing the data, system or network. Passwords, tokens or similar technology must be treated as confidential information, and must not be disclosed. Transmission of such authentication information must be made only over secure mechanisms;
- Each individual is responsible to reasonably protect against unauthorized activities performed under his or her user-ID;
- User-IDs and passwords (or other tokens or mechanisms used to uniquely identify an individual) must not be shared except where approved for group or shared small-group accounts.
Incident Management Process and Procedures
- Information Security incidents will be logged and used by the University for regulatory purposes and to determine appropriate remediation and controls to limit the potential of future incidents.
- Incident Response Plan. The Director for Information Security & CISO is responsible for developing and publishing an Incident Response Plan (IRP) for the University. That plan is available from CTS via a request to email@example.com by University members.
- Incident Response Team. The Incident Response Plan (IRP) will establish an Incident Response Team (IRT). This team is responsible for handling reported information security incidents for the University.
- Reporting of Information Security Incidents. Campus community members are to report any suspected or confirmed Information Security incident to the information owner, CTS Help Desk (firstname.lastname@example.org or 412-396-4357), the Director for Information Security & CISO or General Counsel. This includes but is not limited to viruses, spyware, malicious attack and activity, denial of service, breaches of confidentiality or the disclosure of restricted University data.
Gramm-Leach-Bliley Act (GLBA) Security Requirements:
- Overview: As mandated by the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley Act ("GLBA"), this document describes the elements pursuant to which Duquesne University intends to (i) ensure the security and confidentiality of covered records, (ii) protect against any anticipated threats or hazards to the security of such records, and (iii) protect against the unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
- Designation of Representatives: The AVP/CISO is designated as the Officer who shall be responsible for coordinating and overseeing GLBA compliance for Duquesne University. The AVP/CISO may designate other representatives to oversee and coordinate particular elements of GLBA compliance for the University.
- Scope of GLBA: GLBA compliance applies to any record containing nonpublic financial information about a student or other third party who has a relationship with the Institution, whether in paper, electronic or other form, that is handled or maintained by or on behalf of the Institution or its affiliates. For these purposes, the term nonpublic financial information shall mean any information (i) a student or other third party provides in order to obtain a financial service from the Institution, (ii) about a student or other third party resulting from any transaction with the Institution involving a financial service, or (iii) otherwise obtained about a student or other third party in connection with providing a financial service to that person.
- Risk Identification and Assessment. Duquesne University intends to identify and assess external and internal risks to the availability, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. Duquesne University will establish procedures for identifying and assessing such risks in each relevant area of operations, including:
- Employee training and management. The AVP/CISO will coordinate with representatives in the Enrollment Management Group and Academic Affairs to evaluate the effectiveness of the Institution's procedures and practices relating to access to and use of student records, including financial aid information. This evaluation will include assessing the effectiveness of Duquesne's current policies and procedures in this area, including University TAPs.
- Information Systems and Information Processing and Disposal. The AVP/CISO will coordinate with representatives of the Institution's Enrollment Management Group and Academic Affairs to assess the risks to nonpublic financial information associated with the Institution's information systems, including network and software design, information processing, and the storage, transmission and disposal of nonpublic financial information. This evaluation will include assessing Duquesne's current policies and procedures. The AVP/CISO will also coordinate with technology staff to assess procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with known security flaws.
- Detecting, Preventing and Responding to Attacks. The AVP/CISO will coordinate with technology staff to evaluate procedures for and methods of detecting, preventing and responding to attacks or other system failures and existing network access and security policies and procedures, as well as procedures for coordinating responses to network attacks and developing incident response teams and policies. In this regard, the AVP/CISO may elect to delegate to a representative the responsibility for monitoring and participating in the dissemination of information related to the reporting of known security attacks and other threats to the integrity of networks utilized by Duquesne University.
- Designing and Implementing Safeguards. The risk assessment and analysis described above shall apply to all methods of handling or disposing of nonpublic financial information, whether in electronic, paper or other form. The AVP/CISO will, on a regular basis, implement safeguards to control the risks identified through such assessments and to regularly test or otherwise monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
- Overseeing Service Providers. The AVP/CISO shall coordinate with those responsible for third-party service procurement activities to raise awareness of, and to institute methods for, selecting and retaining only those service providers that are capable of maintaining appropriate safeguards for the nonpublic financial information of students and other third parties to which they will have access. In addition, the AVP/CISO will work with Legal Affairs, Shared Services, and Procurement and Payment Services to develop and incorporate standard contractual protections applicable to third-party service providers, which will require such providers to implement and maintain appropriate safeguards. Any deviation from these standard provisions will require the approval of Legal Affairs. These standards shall apply to all existing and future contracts entered into with such third-party service providers.
The unauthorized or improper use of Duquesne University's technology environment, including the failure to comply with these service requirements, constitutes a violation which may result in the loss of access, University disciplinary actions and/or legal prosecution under federal, state and local laws, where applicable. Users are expected to adhere to T.A.P. 26 - Computing and Ethics Guidelines which can be found at http://www.duq.edu/taps.
The University reserves the right to amend these service requirements at any time without prior notice and to take such further actions as may be necessary or appropriate to comply with other published policies and with applicable federal, state, and local laws.