ITS Security Framework

Introduction

Information assets of Davenport University, in all its forms and throughout its life cycle, will be protected through information management policies and actions that meet applicable federal, state, regulatory, or contractual requirements and support DU’s mission, vision, and values. The purpose of this policy is to identify and disseminate DU’s framework and principles that guide institutional actions and operations in generating, protecting, and sharing institutional data. Questions and concerns regarding this policy can be directed to Davenport's CIO: Steve Roth via email: kzsroth@davenport.edu or phone (616)451-3511x1104.

Scope

This policy applies to all institutional data owned by Davenport University. Each faculty and staff member, trainee, student, vendor, volunteer, contractor, or other affiliates of Davenport University with access to institutional data is subject to and has responsibilities under this policy.  

Information Access

Physical and electronic access to institutional data must be controlled. The level of control will depend on the classification of the data and the level of risk associated with loss or compromise of the information.

Physical Access Control

• The level of physical access control for any area that contains institutional data is determined by the level of risk and exposure. Data centers and other locations where confidential data is housed must be protected at all times by physical access controls such as keys or card swipe.
• Physical access to data centers or any area with confidential data must be monitored and logged through electronic logging or tracking mechanism.  Visitors and other maintenance personnel must be escorted by authorized operations staff when in a data center.
• Media that contains confidential data must be secured during transportation and disposal.

Electronic Access Control

• Administrative Data Access Policy
• Information Technology Use Policy
• Email Usage Policy
• Password Policy

Access to Data for Automated Operations

Generic access to information stored in databases is allowed only for non-interactive tasks. A non-interactive task is one that is scheduled to run automatically or one that is triggered by a series of events. It is automatically initiated, and the output is automatically handled by software. This includes automatic downloads and other linkages for data transfer.

• Requests for generic access to information stored in databases for automated operations are made to the Business Owner, and if approved, will be executed by the Data Custodian.
• Generic account passwords must be protected from unauthorized disclosure. Hard coded passwords that reside on a client machine or in an application must be reasonably protected commensurate with risk and the available platform or application security features.
• Information access via generic accounts must be limited to the specific task required.

Information Integrity Controls

The information must remain consistent, complete, and accurate. Integrity errors and unauthorized or inappropriate duplications, omissions, and intentional alterations will be investigated and reported to the Business Owner of the affected data.

Separation of duties and functions

• Tasks involved in critical business processes must be performed by separate individuals.
• Responsibilities of programmers, system administrators and database administrators must not overlap, unless authorized by the Business Owner of the data.

Systems and Application software

• System and application software must be tested before installation in a production environment.
• System and application software must be protected from unauthorized changes.
• All security updates must be applied in a timely manner, commensurate with the risk associated with the addressed vulnerability.

Change controls

•  Change Management Policy
• A system for change control management must be implemented for systems handling confidential institutional data, to monitor and control hardware and software configuration changes.
• Change control includes documentation of change requests, approvals, testing, and final implementation.

Anti-Malware controls

• All systems connected to the network will have virus protection where technologically feasible.
• The most recent version of anti-virus software must be implemented and maintained with current virus signature/patterns.

Backup and Recovery

Processes are necessary to prevent loss of vital information, provide backup and recovery, and provide continuous operation consistent with the business needs of the institution.  

• All data related to critical business processes will be backed up nightly. Other data will be backed up with a frequency based on the criticality of the data.
• Critical business data backups are stored off-site and available for disaster recovery. DR procedures are documented for all production systems and stored in multiple locations as specified in the disaster recovery procedural documents.