Information Security Policy
Introduction
Policy Statement
The Rice University Information Security Policy describes the role of information security in supporting the academic mission of the university through the recognition of the growing importance of securing electronic resources. Protecting and preserving these resources and complying with applicable laws and regulations are common, shared responsibilities for all members of the Rice community.
Scope
The policy applies to anyone using Rice University information technology resources, including, but not limited to, students, faculty, staff, visitors, and guests.
Principles and Philosophies
The Information Technology Advisory Committee (ITAC) developed the following principles for the Information Security Policy:
- Protection of Shared Institutional IT Resources
  - Develop reasonable mechanisms to protect Rice University’s shared resources while protecting individual resources and providing for intellectual freedom.
  - Develop levels of responsibility based upon the risk generated by resource access.
- Academic and Intellectual Freedom
  - Ensure and facilitate access to and use of information and information resources in a manner consistent with the security of shared resources.
  - Prevent unauthorized access to, or modification of, information and information resources, such as intellectual property.
- Access and Confidentiality
  - Specify users’ expectations regarding access:
    - IT staff will not read user-controlled data without direction from appropriate University officials.
    - IT staff will not modify individually-managed computer systems without permission from the user or direction from appropriate University officials.
  - Provide IT services to users in a manner that accords confidential treatment to the information and intellectual property of the users.
- Trust, Ethics and Integrity
  - Design, create and maintain systems that are trustworthy from both internal and external perspectives.
  - Require high ethical standards and integrity of those who maintain IT systems or who have access to confidential and sensitive information.
  - Maintain proper export control policies and procedures.
Related Information
Policies and Procedures
Appropriate Use of Computing Resources Policy (Rice Policy 832)
Protection of Personally Identifiable Information (Rice Policy 808)
Quarantine Process
http://www.rice.edu/vpit/quarantine.html
Definitions
IT Resource
IT Resources are involved in the sharing and accessing of electronic resources. This includes, but is not limited to, computers (desktops, laptops, servers), PDAs (Palms, PocketPCs), networking devices (routers, switches) and printers.
User
A user is anyone who uses an IT Resource.
IT Support Provider
IT Support Providers are groups or individuals responsible for the installation, maintenance, and operation of IT Resources. This includes positions such as Systems Administrators, Support Specialists, Network Operators, and others that have similar responsibilities.
Users who manage their IT Resources independently also share in IT Support Provider responsibilities.
Manager
Managers have management or supervisory responsibility, including Deans, Department Chairs, Directors, Managers, and Supervisors, as well as others with similar responsibility.
Collaboration Teams
Collaboration teams are groups created and maintained for the purpose of providing guidance and assistance to the Information Security Office. These include the Information Technology Advisory Committee (ITAC), the different Computer Incident Response Teams (CIRTs), and the various Policies and Procedures Development Groups.
Roles and Responsibilities
User
Policies and Procedures
All Users are expected to be familiar with and follow University policies, guidelines and procedures related to information and network security.
Other groups on campus, many at the department level, have group-specific policies and guidelines. Where these exist, the Users in those groups are also expected to be familiar with and follow them.
University policies, procedures and guidelines are posted on the Information Technology website (http://it.rice.edu/security.aspx).
Data Protection
All Users are responsible for the protection of confidential and other University-related information entrusted to them. Users are therefore to keep such information secure by working with IT Support Providers to physically secure the systems that house it, by protecting the systems on which it is stored with appropriately complex passwords, and by using encryption to transmit it when encryption is available.
When systems change ownership, whether through disposal or transfer, Users or their designates are expected to ensure that data entrusted to them is removed from the system before the change of ownership.
More information on passwords, encryption and data removal is available on the Information Technology website (http://it.rice.edu/security.aspx).
System Protection
Working with IT Support Providers, all Users are responsible for using systems that are secure, currently supported by the software vendor, and, where available, running active anti-malware software (virus scanners, anti-spyware, etc.). Users are also expected to apply system and anti-malware updates in a timely manner when they become available, to minimize the risk of compromise or infection.
These same expectations apply to systems connecting to IT Resources remotely, such as home computers and computers at non-Rice locations.
Computer Security Incidents
Users are to report suspected computer security incidents, such as evidence of “hacking” and other forms of compromise, to the proper IT Support Provider immediately.
Self Administrators
Users that administer their own systems, that is, Users solely responsible for the maintenance and support of IT Resources independently of the Information Technology Division, have IT Support Provider responsibilities as well (see below).
Exceptions
On rare occasions, situations arise that do not allow this policy to be followed. The User and the IT Support Provider will document these situations as they arise.
IT Support Provider
University IT Support Providers have the same responsibilities as other Users, with the following additions.
Policies and Procedures
In addition to being familiar with and following the University policies, guidelines, and procedures, IT Support Providers are expected to implement these security requirements on the systems for which they are responsible.
IT Support Providers are also expected to work with any groups within their User community to develop, document and implement any other group-specific policies as needed.
IT Support Providers also have the responsibility of documenting deficiencies when they are found and of informing supported Users when systems are not in compliance.
Data Protection
Because IT Support Providers are responsible for implementing information security for systems across campus, the protection of confidential and other University-related data is extraordinarily important. IT Support Providers are responsible for working with their User communities to determine the following:
- Where IT Resources are physically kept;
- On which IT Resources data is stored;
- Who is authorized to access this data;
- How Users should access this data.
The IT Support Provider should also work with their User community to ensure data is removed from systems marked for disposal.
System Protection
IT Support Providers are expected to ensure that systems for which they are responsible are configured with the following in mind:
- Use appropriate physical security;
- Use appropriate passwords;
- Enable security logging on all IT Resources capable of it;
- Monitor system logs on servers;
- Keep periodic auditing and change logs on servers and other critical systems.
Occasionally, limited exceptions to the policies and procedures are necessary. The IT Support Provider is expected to document these exceptions and to maintain the security of the affected systems as well as possible.
Information Technology Code of Ethics
Everyone acting in an IT Support Provider role is also responsible for maintaining and protecting the confidentiality of data as defined by the IT Code of Ethics. Specifically, IT Support Providers will not, without authorization from an appropriate University official or direction from a University policy or guideline, use elevated systems administrator privileges to willfully access data to which they would not otherwise have access.
Security Feedback and Participation
A successful implementation of a campus information security program depends on feedback and participation from those providing information technology services.
Those providing these services are expected to actively participate in the process of defining other IT policies, procedures and guidelines.
Computer Security Incidents
IT Support Providers are expected to report computer security incidents to the IT Security Office immediately, as any computer security incident potentially affects many others on campus.
Managers and Supervisors
Members of University management have the same responsibilities as other Users, with the following additions.
Policies and Procedures
Some groups or departments have special information security needs, such as more limited access or tighter physical security. If this is the case, the management of that group or department should work with the appropriate IT Support Provider or the IT Security Office to develop, document and implement these policies.
These policies should reflect the nature and goal of existing University policies and procedures.
User Awareness and Training
Working with the IT Security Office, management should participate in user awareness and training programs to ensure that the Users they manage have read and understand the policies and procedures that apply to them. This is especially critical for new or transferring staff.
Computer Security Incidents
Management is to report suspected computer security incidents, such as evidence of “hacking” and other forms of compromise, to the proper IT Support Provider immediately.
Information Technology Security Office (ITSO)
Policies and Procedures
Working with representative groups on campus, the ITSO develops, implements and reviews University-wide information security policies, procedures, and guidelines.
User Awareness and Training
The IT Security Officer is to implement a University-wide security program, including policy, procedure and best practice development, user education and training, and ongoing network and security risk analysis.
Computer Security Incidents
The IT Security Officer will lead investigations and reporting of information security incidents, acting as the point of contact when working with other University groups.
Working Groups
ITAC Security Sub-Committee
ITAC is an advisory group to IT consisting of faculty representatives from the different schools at Rice University. The Security Sub-Committee works with the ITSO to develop and maintain this and other University information security policies.
ITAC will also help the ITSO in creating training and user awareness programs as appropriate.
Computer Incident Response Team (CIRT)
The Computer Incident Response Team (CIRT) is responsible for providing the initial investigation of a computer security incident on campus. Members of the CIRT will be called upon as necessary and as available.
The CIRT consists of IT Support Providers in the Systems and Client Services groups and brings together Unix, Linux, Windows and Macintosh expertise.
The CIRT is continually trained on new and enhanced forensics and analysis processes and procedures.
Violations
For the purposes of this document, the following are generally considered violations:
- Any action of malicious intent (breaking into a system, purposefully sending a virus or other piece of malicious software to other computers, etc.);
- Any action designed to circumvent applied computer security (accessing data to which the User does not have authorized access, disabling system and security logging, etc.);
- Any action that scans, sniffs or logs systems or networks without authorization from the IT Security Office.
Failing to maintain a secure system (failing to install critical updates, relaxing recommended security measures, etc.) and thereby putting other Rice Users on the network at risk may result in loss of network connectivity.
Also, systems that appear to the IT Security Office to be infected or compromised may be disconnected from the network until the system is remedied. The IT Security Office will attempt to notify the owner or IT Support Provider for the system when it is taken offline.
Enforcement
Violations of this and related policies will be handled according to the University disciplinary procedures that apply to the person or persons responsible for the violation.
Violations of local, state, federal or other laws will be reported to the appropriate, respective authorities.
Other Resources
Review Cycle
This document in its entirety will be reviewed annually by the Information Technology Executive Committee (ITEC) and the Information Technology Advisory Committee (ITAC).
Other components of this document will be reviewed by the IT Collaboration Groups listed above.