IT Security



Digital Edge Professionals has spent a tremendous amount of time with security solutions. The following is the experience that we share with viewers in this domain.

Queries about the entire range of security consultancy, feasibility or detail studies, or any security-related product can be sent to info@digital53.com

We strongly recommend the following IT security products, which follow best practices within IT security industry standards:

  • Entensys
  • Digital Edge is an exclusive agent for this product

eSCAN Antivirus and complete solutions for SMB, corporate and ministries too. eSCAN consists not only of antivirus and firewall but also of built-in endpoint security, and at the same time TeamViewer is built in to control any client from the administrator station. Many fabulous features and high-class signatures make eScan outstanding in performance too.

Entensys is for SMB, small corporate and office, including home, keeping the network maintained easily and smartly. This product saves you from expensive servers and software to maintain your email, proxy, firewall, etc.; one single piece of software handles the entire range of services that your office may require.

GFI offers an entire range of unique products that no corporate or SMB can live without. Network Server Monitoring, Web Monitor, LAN Guard, End Point Security, Fax Maker, Mail Archiver, Mail Essentials, Backup software and Fax Remote Management are a few of them.

IT Security Policy redefined with the following:

Introduction

Information technology (IT) permeates all aspects of IT Security. Safeguarding information and information systems is essential to preserving the ability of the corporation to perform its missions and meet its responsibilities to students, faculty, staff, and the citizens whom it serves. We at Digital Edge practice this with real IT terminology that has been driven by IT experts, and these remain the best practices too.

The purpose of the policy is to:

  • Define terms that relate to the IT Security policy
  • Communicate the objectives of IT security
  • Specify the scope of IT resources to which the IT Security policy applies
  • Indicate the responsibilities of the corporation for maintaining IT security and reporting security breaches
  • Assure appropriate IT risk and impact assessments occur

We recommend an IT security feasibility study, which may explore many initial requirements that a firm has not thought about.

Definitions

Familiarity with the following terms will help users of information technology to better understand their responsibilities for IT security.

Impact

The degree to which a security failure has the potential to result in harm or loss. The impact of a potential risk may be identified by the responses to the following questions:

  • What are the ramifications of the loss of confidentiality, integrity, availability, or authorized use of systems?
  • Will physical harm to any individual result?
  • Will the strategic mission of the Organization be affected?
  • Will personal information be compromised?
  • Will large segments of the community be inconvenienced?
  • Will the reputation of the organization suffer?
  • Who will need to resolve the security incident?
  • What is the magnitude of resources required to resolve the security incident?

Low Impact

Incidents that cause limited damage to operations or assets and that do not involve risk for individuals. These incidents require minor corrective actions or repairs within the designated custodial structure and communication is frequently required only within the affected unit.

Moderate impact

Incidents that cause short-term degradation or partial loss of the Organization's mission capability; that affect or disadvantage only subsets of the Organization community; or result in limited loss or damage to significant assets. These incidents require corrective actions or repairs that can normally be handled within the designated custodial structure, usually involve only internal communications, and normally will not require the involvement of high-level administration.

High impact

Incidents that cause an extensive loss of the Organization's mission capability; result in a loss of major assets; pose a significant threat to the well-being of large numbers of individuals or to human life; or damage the reputation of the Organization. These incidents require substantial allocation of human resources to correct; may require communication to external agencies or law enforcement and the public; and often require the involvement of high-level administration within the Organization.

Risk

A source of danger; a possibility of incurring loss or damage. In general, risk is a composite of three factors: threats, vulnerabilities, and impact (see definitions of these terms in this section).

Risk assessment

In information technology security, a systematic process used to determine the potential for any given information system to be subject to loss and to assess the impact of that loss. Risk assessment involves determining potential for and impact of a negative event by evaluating the nature of the information and information systems.

Risk factors

Factors used to determine the level of risk include the effect of the loss on the Organization's strategic missions; the extent of loss to major information systems; the potential for injury or damage to individual(s); the inconvenience or loss of productivity for subsets of the Organization community; the potential for damage to the Organization's reputation; the level of administrative involvement required; and the level at which the security problem can be resolved.

Risk mitigation

Action taken to reduce risk to an acceptable level. An analysis evaluating costs, benefits, and impacts to the Organization will be critical in determining what, if any, action should be taken. Some options to reduce risk include:

Risk assumption:

Accepting the potential risk and continuing operations of the IT system.

Risk avoidance:

Risk mitigation by eliminating a risk cause and/or consequence.

Risk limitation:

Risk mitigation by implementing controls reducing the negative impact of a threat exercising a vulnerability.

Risk transfer:

Risk mitigation by using other options to compensate for a loss due to a security incident.

Security

The state of being free from unacceptable risk. IT security focuses on reducing the risk of computing systems, communications systems, and information being misused, destroyed, or modified, or for information to be disclosed inappropriately either by intent or accident.

Security incident

An accidental or malicious act that exercises a vulnerability resulting in the potential of a negative impact.

Threats

Actions or events that potentially compromise the confidentiality, integrity, availability, or authorized use. These threats may be human or non-human, natural, accidental, or deliberate. Examples:

  • Acts of malice by individuals or groups; purposeful or malicious use of information or information systems.
  • Natural or physical disasters such as fire, flood, hardware failures.
  • Unintentional oversight, action, or inaction; data left open to unauthorized access; accidental deletion of data files; inadequate data backup procedures.

Vulnerabilities

Security exposures that increase the potential for a failure of security. A narrow technical definition includes only those exposures created by software or hardware design. However, a broader definition includes exposure that can be inherent to an activity or practice. Examples:

  • Software or hardware that allows unauthorized access to information or information systems.
  • Business practices such as collecting and storing personal information that could, if revealed, be damaging to individuals.
  • Personal practices or procedures such as improperly protecting one's password or providing inadequate physical environments for IT systems.

Objectives

All faculty members, staff, students, and others using Organization-owned and affiliated IT systems have the responsibility to protect information and resources as indicated by the following objectives:

Confidentiality

Confidentiality provides protection of information from either intentional or accidental attempts to access personal or Organization information by unauthorized entities. Confidentiality covers data in storage, during processing, and in transit. State and federal laws and regulations require the Organization to take reasonable steps to ensure security of some classifications of data (e.g., FERPA, HIPAA, GLBA).

Integrity

Integrity requires protection against either intentional or accidental attempts by unauthorized entities to alter data or modify information systems to impede it from performing its intended function. Integrity requires maintaining the Organization's reputation to manage the resources entrusted to it.

Availability

Availability ensures timely and reliable access to and use of data and information technology resources to carry on the mission of the Organization. These resources include assets such as intellectual property, research and instructional data and systems, and physical assets.

Authorized Use

Authorized use guards against use of Iowa State Organization systems and infrastructure for malicious acts against its own systems as well as attacks against other individuals and organizations.

Scope

The above IT security objectives apply to a broad range of Organization assets and activities. The following assets and activities are within the scope of the IT Security policy:

Computer systems

The hardware, software, and IT infrastructure assets of the Organization represent significant monetary investments. The value of these assets is not only in their purchase costs, but also in the personnel time spent to develop them into functioning systems.

Data storage, transmittal, and use

Information can include personal records about students, employees, alumni, or others; financial and business information; archives of historic significance; critical, classified, and irreproducible research data; and other information of critical significance to the operation and prestige of the Organization. Legal and policy guidelines impact the security practices that must be exercised for various types of data.

Procedures

Procedures include the processes, steps, and forms that guide the activities and interactions of faculty, staff, and students. Included are the procedures used by IT support staff and management personnel with regard to systems, data, physical assets, and communication information.

Physical assets

These assets include premises occupied by IT personnel and equipment.

Environment

The environment includes environmental controls, power, physical security devices, etc.

Communications systems

Communications systems include communication equipment, personnel, transmission paths, and adjacent areas.

Policy Statement

Security Roles and Responsibilities

Chief Information Officer (CIO)

The Office of the Chief Information Officer has overall responsibility for the security of the Organization's information technologies. Implementation of security policies is delegated throughout the Organization to various Organization services (noted below); to colleges, departments, and other units; and to individual users of campus IT resources.

Organization Services

Service units within the Organization are charged with the primary responsibility and authority to ensure that Iowa State Organization meets external and internal requirements for privacy and security of specific types of confidential and business information (e.g., student educational records, personnel records, health records, financial transaction data). These units are responsible for other general security issues and for assisting in the development of Organization IT security policies, standards and best practices in the areas of their responsibility. They are also responsible for advising colleges, departments, units, and individuals in security practices relating to these areas:

  • Financial information and transactions (Treasurer's Office)
  • Health information (Health Information Privacy Officer)
  • Infrastructure, communications, and systems security (Information Technology Services)
  • Law enforcement information (ISU Police)
  • Legal issues (Office of Organization Counsel)
  • Library circulation records (Organization Library)
  • Personnel information and confidentiality (Human Resource Services)
  • Physical building security (Facilities Planning and Management)
  • Research information, confidentiality, and compliance (Office for Responsible Research)
  • Security audits (Office of Internal Audit)
  • Student loan information (Office of Student Financial Aid)
  • Student record information and confidentiality (Office of the Registrar)

Colleges, Departments, and Other Units

Colleges, departments, and other units are responsible for securing any information they create, manage, or store, and for any information they acquire or access from other Organization systems (e.g., student educational records, personnel records, business information). This responsibility includes completing periodic risk assessments, developing and implementing appropriate security practices, and complying with all aspects of this policy.

Third Party Vendors

Third party vendors providing hosted services, sometimes referred to as Application Service Providers, and vendors providing support, whether on campus or from a remote location, are subject to Iowa State Organization security policies and will be required to acknowledge this in the contractual agreements. The vendors are subject to the same auditing and risk assessment requirements as colleges, departments, and other units. All contracts, audits and risk assessments involving third party vendors will be reviewed and approved by the Organization service units based on their area of responsibility.

Individual IT System Users

Every member of the Organization community is responsible for protecting the security of Organization information and information systems by adhering to the objectives and requirements stated within published Organization policies. In addition, individuals are required to comply with the additional security policies, procedures, and practices established by colleges, departments or other units. Failure to comply with established policies and practices may result in loss of computing privileges and/or disciplinary action.

Individuals Using Personally-Owned Computers and Other Network Devices

Students, faculty, and staff who use personally-owned systems to access Organization resources are responsible for the security of their personally-owned computers or other network devices and are subject to the following:

  • The provisions of the IT Security policy and the standards, procedures, and guidelines established by IT Services for Organization computing and network facilities.
  • All other laws, regulations, or policies directed at the individual user.

Other Registered Entities

Any entity that is a registered user and connected to the Organization network is responsible for the security of its computers and network devices and is subject to the following:

  • The provisions of the IT Security policy and the standards, procedures, and guidelines established by IT Services for Organization computing and network facilities.
  • All other laws, regulations, or policies directed at the organization and its individual users.

Reporting of Security Incidents (All Users)

Reporting security breaches or other security-related incidents is an ethical responsibility of all members of the Iowa State Organization community. A critical component of security is to address security breaches promptly and with the appropriate level of action. The IT Security Incident Reporting Policy outlines the responsibilities of colleges, departments, units, and individuals in reporting as well as defining procedures for handling security incidents.

Risk Assessment

The purpose of risk assessment is to help ensure that threats and vulnerabilities are identified, the greatest risks are considered, and appropriate decisions are made regarding the risks to assume and those to mitigate through security controls. Risk assessments will be conducted at various levels as found under Security Roles and Responsibilities.
The following key factors will guide the process to ensure a successful risk assessment program:

  • An Organization department or unit will be designated as responsible for conducting a risk assessment, at a prescribed frequency, in the Schedule of Risk Assessments for Information Security.
  • Risk assessments will involve both the administrative department responsible for the business operation and the technical staff supporting the systems.
  • Final sign-off by the department head of the organization doing the risk assessment, indicating agreement with risk acceptance and risk reduction decisions.
  • Documentation of risk assessments and resulting actions will be placed on file for audit and accountability purposes.

Education

All units, from the Organization level through the college, department, and unit level, must provide opportunities for individuals to learn about their roles in creating a secure IT environment. Creating a heightened awareness of the importance of information technology security is an important component in establishing an environment in which each individual feels both responsible and empowered to act in their own and the community's best interests.

BELOW ARE OUR SECURITY SOLUTIONS HINDERING AND CONCEPTS WHICH WE FOLLOW

A Hidden Security Threat

When Ex-Employees Represent a Security Risk: Former employees can do some serious damage if you don't protect your business properly.

Portable Panic

Take control of the removable media threat by enforcing removable device usage policies.

The Authenticated Network Architecture

A new security approach that addresses the increased mobility and diversity of today’s network users.

When Less is More

Why small companies should think outside the (red/yellow) box for protecting endpoints.

Employee Web Use and Misuse

Companies, Their Employees and the Internet: Develop a bulletproof employee Web-use strategy with these tips.

REQUEST FOR INFORMATION

KUWAIT OFFICE

Digital Edge Solutions
Al-Mulhum Complex Ground Floor, Shop #2 and 3, Hawally
P. O. Box No. 3552 Hawally, Kuwait (AG)

e-mail: info@digital53.com
phone: +965-22660781

Canada Office

Digital Edge Solutions
3, Queenmill Court, Richmond Hill,
ONT L4B1M9, CANADA

e-mail: info@digital53.com
phone: +1-905-731-0752
+1-905-731-1052