(A) Policy statement

The university of Toledo places the utmost importance on the privacy rights of its students, patients, faculty, staff, and community members and takes the security of information very seriously. To protect the confidentiality, integrity, and availability of stakeholder information, the university has implemented a framework for an effective and efficient information security program, and supports the framework through a comprehensive body of technology policies and procedures that serve to:

    (1) Promote the public trust;

    (2) Ensure continuity of university services;

    (3) Recognize and mitigate risks and threats to the institution and its stakeholders;

    (4) Comply with legal and contractual requirements;

    (5) Protect sensitive information and technology assets from loss of confidentiality, integrity, and availability.
(B) Purpose

The university of Toledo information security program is designed to identify and mitigate threats to information security and privacy. This policy and its supporting policies and procedures provide a foundation for the program. The requirements described in this policy and its subordinate policies and procedures are intended to ensure that due diligence is exercised in the protection of information, systems and services, and that the university's information security program meets certain requirements enforced by law. This policy describes fundamental practices of information security that must be applied by university organizations under the guidance of the university's information security office to ensure that protective measures are implemented and maintained.
(C) Scope

The scope of this information technology policy applies to all university operating units, and includes university computer and telecommunications systems and the employees, contractors, temporary personnel and other agents of the university who use and administer such systems.
(D) Definitions

    (1) Access control list. A list of entities and their authorized access rights to an information resource.

    (2) Authentication. The process or action of proving the identity of an entity (such as a person, computer, system or process) based on one or more factors.

    (3) Authorization. A grant to a requesting entity (computer, system, person or process) for access to a protected system and its resources.

    (4) Availability. The assurance that information and services are delivered when needed.

    (5) Biometrics. Biological characteristics such as fingerprint, face or retinal blood vessel patterns used by authentication devices to allow an individual access to information, services or other resources.

    (6) Cardholder data. Cardholder data "CHD" means the subset of sensitive data comprised of the university's identifiable payment card information (e.g., credit cards, debit cards, and stored value cards related information).

    (7) Confidentiality. The assurance that information is disclosed only to those systems or persons who are intended to receive the information.

    (8) Custodian. Custodians are the named individuals or job titles responsible for making access control decisions.

    (9) Data. Electronically coded representation of quantities, objects and actions. The word "data" is often used interchangeably with the word "information" in common usage and in this policy.

    (10) Device. As used in this policy, "Device" shall retain its meaning as defined in paragraph (D) of rule 3364-65-05 of the Administrative Code (technology asset management).

    (11) Digital certificate. An electronic document used for security purposes to authenticate the sender or recipient of information, or to authenticate the contents of the information itself.

    (12) Electronic protected health information. Electronic protected health information "ePHI" means protected health information accessed, stored, processed, transmitted, or received in electronic format. Protected health information "PHI" means the subset of sensitive data comprised of the university's patient data and other identifiable health information, for which the university is obligated to maintain confidentiality, integrity, and availability under the Health Insurance Portability and Accountability Act of 1996 and subsequent laws and regulations.

    (13) The Family Educational Rights and Privacy Act of 1974 "FERPA," as amended, is a federal law that protects the privacy of education records of all students enrolled in schools beyond the high school level. Schools are required to maintain that privacy, primarily by restricting release of records and the access provided to those records. Any educational institution that receives funds under any program administered by the U.S. secretary of education is bound by FERPA requirements. Institutions that fail to comply with FERPA may have funds administered by the secretary of education withheld. The U.S. department of education maintains a website with information about FERPA.

    (14) Firewall. Either software or a combination of hardware and software that implements network security policy with respect to communication between two or more networks or network segments.

    (15) Integrity. The assurance that information is not changed by accident or through a malicious or otherwise criminal act.
    (16) Information technology asset. Information technology assets "IT assets" shall retain their meaning as defined in paragraph (D) of rule 3364-65-05 of the Administrative Code (technology asset management policy).

    (17) Least-privilege. A model for assigning privileges in a system with the objective that only those privileges necessary to perform a required function are assigned, and ensuring that other privileges are not assigned and cannot be improperly accessed.
    (18) Malicious software. Malicious software "malware" is a collective term for program code or data that is intentionally included in or inserted into an information system for unauthorized purposes without the knowledge of the user. Examples include viruses, logic bombs, ransomware, trojan horses and worms.

    (19) Multi-factor authentication. Authentication of an entity based on two or more distinct elements.

    (20) Payment card industry data security standards. Payment card industry data security standards "PCI-DSS" means the body of legal and contractual requirements placed on the university relating to the security and privacy of cardholder data.

    (21) Personally identifiable information. Personally identifiable information "PII" refers to information that may be used, on its own or in combination with other information, to uniquely identify a natural person, regardless of any obligation (or lack thereof) for the university to maintain confidentiality, integrity, or availability.

    (22) Risk assessment. A process for analyzing threats to and the vulnerabilities of information systems as well as determining the potential impact that the loss of information or system capabilities would have on the organization.

    (23) Risk management. A discipline concerned with the planning, implementing and monitoring of processes for the identification, measurement, control and minimization of security risks to information systems at a level commensurate with the value of the assets to be protected.

    (24) Security token. A portable, physical device that enables pre-approved access to data or systems. An example is a security-enabled key fob.

    (25) Sensitive data. Sensitive data is data for which the university has an obligation to maintain confidentiality, integrity, or availability.

    (26) Technology asset. Technology assets shall retain their meaning as defined in paragraph (D) of rule 3364-65-05 of the Administrative Code (technology asset management).

    (27) Threat. An event, whether artificial or natural, with the potential to cause harm to a technology asset.

    (28) Two-factor authentication. Authentication of an entity based on two distinct elements.

    (29) Users. Employees, students, contractors, temporary personnel and other affiliates of the university who administer or use privately-owned (if authorized) or university-owned computer and telecommunication systems on behalf of the university.

    (30) Vetting process. A verification process used to validate the identity and trustworthiness of a person who is seeking access to computer systems and networks.

    (31) Workstation. As used in this policy, "workstation" shall retain its meaning as defined in paragraph (D) of rule 3364-65-05 of the Administrative Code (technology asset management).
(E) Policy

Under the direction of the information security officer, the university will establish and maintain an information security program to carry out the security and privacy objectives of the institution. University organizations must exercise due diligence to ensure that technology assets that conduct or support the university's mission are reasonably secure, and that the information contained within those assets is protected from unauthorized disclosure, modification or destruction, whether accidental or intentional.

    (1) Program administration. The university has established an administrative structure to support the information security program.

        (a) Organizational structure.

            (i) Executive sponsorship. The vice president, chief information officer/chief technology officer "CIO/CTO" serves as the chief executive for university technology and is the principal sponsor of the information security program.

            (ii) Information security office. Reporting to the vice president, CIO/CTO, the information security officer "ISO" serves as the university's lead cybersecurity official, directs the functions of the university's information security office, and coordinates information security activities across university organizational lines. For purposes of the Health Insurance Portability and Accountability Act and related law and regulation (collectively, "HIPAA"), and the Family Educational Rights and Privacy Act (collectively, "FERPA"), the ISO is also designated as the security official for the university's covered entity components.

            (iii) Assurance. The senior director, internal audit and chief compliance officer serves as the principal examiner of the security program to assure that it is in alignment with the university's requirements.

        (b) Management process. The ISO is responsible for developing, implementing, managing, and maintaining an information security framework, based on industry best practices, legal, and contractual requirements. The information security framework is intended to identify, prevent and protect against, detect and contain, respond and recover from security threats, risks, and incidents. Elements of the framework include:

            (i) Risk analysis. The ISO will establish procedures to conduct assessments of risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive data.

            (ii) Risk management. In partnership with the university's risk management function, the ISO will implement an adequate security program to manage risks and vulnerabilities to sensitive data identified through risk analysis. These risk management measures may include risk avoidance, risk mitigation, risk transfer, and acceptance of risk.

            (iii) Continuous improvement. The ISO improves the security program based on outcomes from incidents and investigations, and internal and external assessments.
    (2) Program principles. The following general principles provide the foundation for university security policy development:

        (a) Accountability. While the ISO guides the overall direction of the information security program, technology asset owners within university organizational units retain ultimate responsibility for the confidentiality, integrity, and availability of data.

        (b) Risk orientation. The vice president, CIO/CTO ensures that the information security program aligns with the university's strategic objectives and with the university mission. To achieve this alignment, the ISO coordinates with university organizational units to apply risk management techniques in order to balance the need for security measures against these strategic objectives in proportion to the risk presented.

        (c) Least privilege to sensitive data. Security measures provide an adequate level of access to sensitive data necessary to accomplish the legitimate purposes of the organization, but no more access than is necessary. University organizations must provide sensitive data only to those that are authorized and have a valid institutional need for the information.

        (d) Confidentiality, integrity and availability. University organizations shall ensure that their security practices address the basic security elements of confidentiality, integrity and availability to an appropriate degree, as determined by risk analysis. To this end, university organizations must:

            (i) Ensure the confidentiality of information to a reasonable degree, such that it is not accessible beyond legally permissible or university accepted limits.

            (ii) Ensure the integrity of information and services to a reasonable degree, so that it is not altered beyond legally permissible or university accepted limits.

            (iii) Ensure that information and services are available to a reasonable degree, and within the parameters prescribed by legally permissible or university accepted limits described in applicable rule 3364-65-09 of the Administrative Code (technology backup, disaster readiness and recovery).
    (3) Program activities. The information security office carries out the following activities:

        (a) Identify risks, threats, and vulnerabilities. The information security officer directs program activities related to identification and assessment of security risks, threats, and vulnerabilities.

            (i) Discovery and identification. The security program relies on technical and non-technical means to discover, identify, and classify technology assets and security risks, threats, and vulnerabilities to technology assets.

            (ii) Assessment and evaluation. The security program relies on quantitative and qualitative assessment and evaluation techniques to gauge the relative harm presented by an identified risk, threat, or vulnerability, and recommends measures to manage the risk, threat, or vulnerability.

            (iii) Policy and procedure reviews. The security program reviews the body of security-related university of Toledo IT policies and procedures, and implements updated provisions as required.

        (b) Prevent and protect the university from identified threats and risks.

            (i) Preventative controls. The security program implements and maintains controls intended to prevent the exploitation of vulnerabilities and the realization of security risks.

            (ii) Protective controls. The security program implements and maintains controls intended to protect against threats, natural and artificial.

        (c) Detect security incidents. Detective controls. The information security program implements and maintains controls to detect when system assets are safe and when they are threatened. These controls include activity monitoring and auditing of technology assets at appropriate intervals.

        (d) Respond to security incidents. Incident readiness and response. The information security program implements and maintains safeguards intended to prepare for and identify, classify, and respond to technology incidents.

        (e) Recover from security incidents. Incident recovery. The information security program implements and maintains protocols/procedures designed to ease the recovery from a technology incident and to incorporate new lessons learned into future incident response procedures.
    (4) Administrative safeguards. To carry out the information security program, these administrative safeguards are required to ensure that human and process controls exist to protect sensitive data.

        (a) Risk management. Under the direction of the ISO, the university conducts security risk management activities to permit informed decision-making with respect to its ongoing technology activities and to limit overall risk to acceptable levels.

            (i) Risk analysis. The ISO is responsible for performing a periodic risk assessment to gauge the overall security posture of the institution. The ISO provides the findings of the risk analysis to the university's privacy and security committee not less than annually.

            (ii) Risk assessment. Upon discovery of an adverse event that could constitute the material breach of sensitive information, an incident response team is formed as described in rule 3364-65-10 of the Administrative Code (technology incident response). Guided by the ISO's findings, the incident response team performs an analysis of the risk of loss of confidentiality, integrity, or availability.

            (iii) Security evaluations. Under the direction of the ISO, the university performs technical and nontechnical evaluations of the security program and of the university's operating environment. These evaluations may include invasive physical and logical testing of the university's technology assets.

            (iv) Risk management. Based on the findings of the university's various security risk assessment and evaluation activities, the ISO will coordinate an appropriate strategy to manage the risk, such as risk avoidance, risk transfer, risk mitigation, or risk acceptance.
        (b) Identity and access management. The university relies on an identity and access management system based on unique user account identification to assign technology resources to the appropriate entity.

            (i) Unique identification. User accounts must be unique and identifiable to an individual person or entity. Except as otherwise provided, the university of Toledo active directory "UTAD" account name will serve as the unique identifier for access to technology resources.

            (ii) Identity verification. User identities must be validated before issuing user IDs and other credentials. Validation procedures are established for maintaining and managing system user IDs, including procedures for establishing new user accounts, validating existing user accounts, and terminating former user accounts.

            (iii) Account integrity. Except as required by law or regulation, the university does not guarantee the integrity of accounts or account credentials. Reasonable measures to protect sensitive data from unauthorized access and alteration are implemented to the necessary degree identified through risk analysis.

            (iv) Role based access controls. Where appropriate or otherwise required by law or regulation, the identity and access management system provides identity information sufficient to restrict access to sensitive data based on the functional role of the user.
        (c) Authentication. The university has established authentication requirements for technology assets, which prompt the user to present one or more credentials before granting access to sensitive data.

            (i) Authentication factors. Except as directed by the vice president, CIO/CTO or the ISO, at least one authentication factor must be provided to access a technology asset. The UTAD account password serves as the default authentication factor for access to technology assets except as otherwise accepted based on a risk analysis.

            (ii) Multi-factor authentication. Based on risk analysis activities, the university may require two or more authentication factors before a user is granted access to a system or service that processes, transmits, or receives sensitive data. These factors may include:

                (a) Passwords, passphrases, PINs, secret codes ("something you know")

                (b) Tokens, smart cards, digital certificates ("something you have")

                (c) Biometric factors ("something you are")

            (iii) Integrity of authentication credentials. The information security office oversees the development and maintenance of procedures to manage the integrity of security credentials, such as authentication tokens and passwords. It is a violation of rule 3364-65-01 of the Administrative Code (technology responsible use) to disclose authentication factors (such as passwords) without authorization.

            (iv) Passwords. The ISO establishes and maintains procedures and standards for password strength, based on a risk analysis. Except as otherwise directed by the vice president, CIO/CTO, ISO, or delegate, technology assets that create, store, process, transmit, receive, or destroy sensitive data and rely solely on the use of password authentication.

            (v) Recovery of authentication credentials. The ISO establishes and maintains procedures and standards for recovery of authentication credentials, based on a risk analysis. Except as otherwise directed by the vice president, CIO/CTO, ISO, or delegate, a user may be required to re-validate their identity before being allowed to recover authentication credentials.

            (vi) Digital signatures. Digital signatures may be used for identification and authentication pursuant to university policy and rule 123:3-1-01 of the Administrative Code.
        (d) Authorization and supervision. Not all entities will have access to all university data. The university has established authorization requirements for technology assets, which implement logical and physical authorization policies and procedures to protect sensitive data and to address the management of permissions to access the various system components.

            (i) Authorization. Users must be authorized to access sensitive data before being granted any access to the data. This authorization may be granted or revoked by either a manual or automatic process, and may extend to either an individual or a particular class of users (e.g., based on job role). Authorization records may be maintained by manual or automated processes.

            (ii) Supervision. Ongoing authorization for user access to sensitive data may be required. Some technology assets may require ongoing authorization certifications or approvals by the university entity responsible for the data.

            (iii) Role-based access. Where appropriate as determined by a risk analysis, or otherwise required by law or regulation, access to sensitive data may be strictly limited to users based on their individual user role, in accordance with the least-privilege principle.

            (iv) Technology assets which access, create, process, transmit, receive, or destroy sensitive data must be configured to deny unauthorized transactions by any user. Unauthorized attempts to access sensitive data are logged and may be escalated for further investigation.
        (e) Accounting and security audit logging controls. To maintain a consistent and reliable record of system activity, security audit logging capabilities on technology assets that access, create, process, transmit, receive, or destroy sensitive data are required.

            (i) Audit records. The ISO establishes and maintains security audit features for technology assets and configures the audit features to sufficiently identify the user accessing the asset, the time and location of the access, attempts and failures to access the asset, and identify violations of university policy.

            (ii) Review of audit records. The ISO establishes and maintains appropriate processes to review and analyze activity logs commensurate with the risk associated with the source system.

            (iii) Security of audit records. Audit logs shall be protected from tampering and available for review. The ISO must ensure the confidentiality, integrity, and availability of audit information commensurate with the risk associated with the source system.

            (iv) Separation of duties. Where possible, the ISO enforces a separation of duties between personnel administering and authorizing access control functions and those administering security audit logging functions. If these functions cannot be separated, where necessary university organizations must document the reasons and develop a process to address conflict of interest concerns.

            (v) Retention of audit logs. The ISO determines an appropriate data collection scheme and retention schedule for audit logs sufficient to associate specific users with logged events, based upon a deliberate assessment of the legal and organizational requirements, asset capabilities, administrative burden, and overall risk. Logs subject to an investigation must be preserved as long as needed.
        (f) Human resources. The university will establish and maintain appropriate security measures to manage security risks sourced from internal actors:

            (i) Clearance procedures. Before being granted access to sensitive data, the requesting user must be cleared by the university officer responsible for the data being requested. Where clear documentation of clearance requirements exists and has been established by the custodian in advance, this clearance procedure may be delegated, as appropriate, to a university staff member responsible for provisioning user access to the data. Where required by law or regulation, individuals with access to sensitive data may be subjected to a vetting process that is commensurate with the type of data.

            (ii) Termination procedures. University user accounts with access to sensitive data are subject to procedures which result in termination of such access after the user is no longer affiliated with the university or when the user's affiliation with the university changes.

            (iii) Awareness and training. The ISO oversees the creation of security awareness and training materials. These materials include basic security topics, such as:

                (a) General notices and reminders. Upon the discovery of significant new security threats, the ISO may send appropriate communications to the university community. To maintain a high degree of security awareness, the ISO also initiates periodic communications concerning common security topics and general computing tips and best practices.

                (b) Malicious software. Security awareness and training materials include information related to malicious software, and the appropriate user response to a suspected malware infection.

                (c) Login monitoring. Security awareness and training materials include information related to ongoing user account and login monitoring.

                (d) Password management. Security awareness and training materials include information about proper password management techniques.

                (e) Phishing and fraud. Security awareness and training materials include information about e-mail phishing and fraud techniques.

            (iv) Sanctions. Violations of university policy reported to the university information security office are referred to the appropriate university disciplinary authority.
        (g) Incident policies and procedures. In anticipation of technology incidents, the university maintains rule 3364-65-09 of the Administrative Code (technology backup and disaster readiness and recovery policy). In the event that a technology incident is detected, the university maintains an information technology security incident response capability, described in rule 3364-65-10 of the Administrative Code (technology incident response policy). Policies and procedures subordinate to these must include the following requirements, as appropriate.

            (i) Response and reporting. The response to incidents and the reporting of incidents are conducted as described in the technology incident response policy.

            (ii) Contingency plans. The university maintains adequate contingency plans to deal with adverse technology events reasonably expected in the course of the university's activities.

                (a) Backup plans. Technology contingency plans include the provisions for backup of the university's sensitive data in some circumstances. Backup of sensitive data is conducted as described in the university's technology backup and disaster readiness and recovery policy.

                (b) Disaster readiness and recovery plans. Technology contingency plans include the preparation for certain types of disasters reasonably foreseen by the university. The creation and maintenance of disaster readiness plans is conducted as described in the university's technology backup and disaster readiness and recovery policy.

                (c) Emergency mode operations plan. University business units which access, store, transmit, or receive PHI must establish and maintain procedures to ensure continuity of critical functions while operating in an emergency mode. While operating in emergency mode, university units must continue to protect the security of electronic health information.

                (d) Testing and revision procedures. The contingency plans include testing and revision procedures for certain types of incidents reasonably foreseen by the university. These plans may include periodic or ad-hoc backup tests and disaster readiness tests, the results of which are used to incrementally improve existing procedures.

                (e) Application and criticality analysis. The contingency plans for applications which access, process, transmit, or receive PHI include a reasonably accurate analysis of the criticality of the application.
        (h) Legal and compliance. The information security program attempts to comply with all applicable laws, regulations, contractual requirements, and best practices, including:

            (i) Federal law and regulation.

                (a) The Family Education Rights and Privacy Act of 1974 ("FERPA"); 20 U.S.C. § 1232g; 34 CFR Part 99.

                (b) FISMA. Federal Information Security Management Act of 2002 (Public Law 107-347, Dec. 17, 2002, 116 Stat. 2946).

                (c) The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"); Pub.L. 104-191, 110 Stat. 1936.

                (d) National institute of standards and technology special publication 800-30, "Risk management guide for information technology systems."

            (ii) State law.

                (a) Chapter 1306. of the Revised Code and Rule 123:3-1-01 of the Administrative Code specifically govern the use of legally binding records and signatures in electronic formats and include companion security requirements to this policy.

                (b) Chapter 1347. of the Revised Code includes security provisions that require state agencies to, among other things, "take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, use, or disclosure."

                (c) Security records. Chapter 149. of the Revised Code includes provisions with regard to records management requirements and public records requirements. Section 149.433 of the Revised Code specifically addresses IT security records.

                (d) Electronic signatures. Chapter 1306. of the Revised Code and rule 123:3-1-01 of the Administrative Code specifically govern the use of legally binding records and signatures in electronic formats and include companion security requirements to this policy.

            (iii) Contracts.

                (a) Procurement agreements. The university maintains its security requirements through written agreements with its vendors and technology providers.

                (b) Other contracts and agreements. The university requires agreements to which it is a party to contain adequate measures to protect the confidentiality, integrity, and availability of sensitive data.

        (i) Physical controls. In addition to the administrative requirements described in this policy, technology assets must meet the physical security requirements described in rule 3364-65-03 of the Administrative Code (technology physical safeguards), where applicable.

        (j) Logical controls. In addition to the administrative requirements of this policy, technology assets must meet the technical security requirements described in rule 3364-65-04 of the Administrative Code (security access safeguards), where applicable.
Notes

Ohio Admin. Code 3364-65-02
Effective: 3/11/2019
Promulgated Under: 111.15
Statutory Authority: 3364
Rule Amplifies: 3364