Security of Texas State Information UPPS No. 04.01.01
Resources Issue No. 9
Effective Date: 06/08/2015
Review: April 1 E2Y
Sr. Reviewer: Chief Information Security Officer
01. POLICY STATEMENTS
01.01 Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires the institution head of each Texas state agency and public institution of higher education to protect their institution’s information resources by establishing an information security program consistent with the TAC 202 standards. In compliance with TAC 202, this policy statement and its references reflect the policies, procedures, standards and guidelines comprising the information security program of Texas State University. The terms and phrases in this policy statement shall have the meanings ascribed to them in TAC 202.1, unless otherwise provided herein.
The Texas State information security program is positioned within the Office of the Vice President for Information Technology (VPIT) and administered by the university’s information security officer (ISO). The ISO’s Information Technology (IT) Security team implements the information security program in collaboration with all university constituents that use and support the university’s information resources (see TAC 202.70(3) and TAC 202.71(b)).
01.02 Information resources that support the operations of Texas State are strategic and vital assets belonging to the people of Texas. These assets must be available when needed and protected commensurate with their value. All members of the university community, regardless of position or role, share responsibility for protecting the university’s information resources. The Texas State community shall take appropriate measures to protect the university’s information resources against accidental or unauthorized disclosure, contamination, modification, or destruction, and to assure the confidentiality, authenticity, utility, integrity, and availability of university information (see TAC 202.70(3)).
01.03 All individuals are accountable for their use of the university’s information resources. Individuals shall comply with applicable laws, The Texas State University System (TSUS) Regents’ Rules, and all university policies in their use of these resources (see TAC 202.72).
In addition to this policy, the following university policies are particularly relevant and noteworthy:
a. UPPS No. 04.01.05, Network Use Policy (describes policy and procedures for administration, maintenance, and operation of the university’s network infrastructure);
b. UPPS No. 04.01.07, Appropriate Use of Information Resources (describes both intended and prohibited uses of information resources);
c. UPPS No. 04.01.09, Server Management Policy (describes policies and standards for administration, maintenance, and operation of the university’s computer servers);
d. UPPS No. 05.01.02, University Surplus Property (Equipment and Consumable Supplies) (provides guidance in the appropriate disposal of computer equipment and digital media); and
e. UPPS No. 05.02.06, Acquisition of Information Technology Products and Services (provides guidance regarding the purchase, rental, lease, or free acceptance of information technology products or services from third-party providers).
01.04 Information that is sensitive or confidential must be protected from unauthorized access or modification. Data that is essential to critical university functions must be protected from loss, contamination, or destruction (see NIST 800-53 AC-2).
01.05 Risks to information resources must be managed. The expense of security safeguards must be appropriate to the value of the assets being protected, considering value of the asset to the university, regulatory agencies, the public, potential intruders, and any other person or organization with an interest in the assets (see NIST 800-53 PM-9, RA-3).
01.06 The integrity of data, its source, its destination, and processes applied to it are critical to its value. Changes to data must be made only in authorized and acceptable ways (see TAC 202.70(5)).
01.07 Information resources must be available when needed. Continuity of information systems supporting critical university functions must be ensured in the event of a disaster or disruption in normal operations (see TAC 202.70(6)).
01.08 Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources (see NIST 800-53 SA-3).
01.09 Security awareness of employees must be introduced during the onboarding process, and continually emphasized and reinforced at all levels of management. All individuals must be accountable for their actions relating to information resources (see NIST 800-53 AT-2 and TAC 202.24(b)).
01.10 The information security program must be responsive and adaptable to changing vulnerabilities and technologies affecting information resources. Its components shall be reviewed and modified in a timely fashion to meet emerging and evolving threats (see TAC 202.71(e)).
01.11 The university must ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity (see NIST 800-53 AC-5).
02. INFORMATION SECURITY ORGANIZATION
02.01 The VPIT is the university’s information resources manager (IRM) as defined in the Information Resources Management Act (IRMA) (Tex. Gov't Code § 2054). The IRM oversees the acquisition and use of information technology within a state agency or university.
The IRMA and the Texas Administrative Code (see TAC, Title 1, Part 10, Chapter 211) establish rules and responsibilities for the designated IRM that include executive level oversight for security and risk management of the university’s information resources. Consequently, the Office of the VPIT directs the university’s information technology security function.
02.02 The ISO is the designated administrator of the Texas State information security program. As such, the ISO is responsible for all aspects of the university’s information security program (see TAC 202.71).
The ISO is specifically charged with the following responsibilities:
a. develop, recommend, and establish policies, procedures, and practices as necessary to protect the university’s information resources against unauthorized or accidental modification, destruction, or disclosure;
b. identify and implement proactive and reactive technical measures to detect vulnerabilities and to defend against external and internal security threats;
c. provide consulting and technical support services to owners, custodians, and users in defining and deploying cost-effective security controls and protections;
d. establish, maintain, and institutionalize security incident response procedures to ensure that security events are thoroughly investigated, documented, and reported; that damage is minimized; that risks are mitigated; and that remedial actions are taken to prevent recurrence;
e. establish and publicize a security awareness program to achieve and maintain a security-conscious user community;
f. document, maintain, and obtain ongoing support for all aspects of the information security program;
g. monitor the effectiveness of strategies, activities, measures, and controls designed to protect the university’s information resources;
h. assure executive management awareness of legal and regulatory changes that might impact the university’s information security and privacy policies and practices;
i. serve as the university’s internal and external point of contact for information security matters;
j. report frequently (at least annually) on the status and effectiveness of the information security program as directed by the VPIT (see TAC 202.73(a)); and
k. has authority for information security for the entire institution (see TAC 202.71(a)(2)).
02.03 As stated in Section 01.02, all members of the university community share responsibility for protecting the university’s information resources and, as such, are essential components of the university’s information security organization. Nonetheless, individual responsibilities can vary significantly according to an individual’s relationship with any given information resource. In recognition of those variances, the university has defined and assigns three generic roles with respect to the security of information resources: 1) the owner role; 2) the custodian role; and 3) the user role. Each individual assumes one or more of these roles with respect to each information resource they use, and as a result, are accountable for the responsibilities attendant to their roles. While each role is more fully described in Section 04., responsibilities associated with each role are noted throughout this policy.
03. RISK ASSESSMENT PROCEDURES
03.01 Risk assessment is a vehicle for systematically identifying and evaluating the vulnerabilities and threats of an information system and its data. The risk assessment is an essential component of any security and risk management program. Absolute security assures protection against all threats is unachievable. Risk assessment provides a framework for weighing losses that might occur in the absence of an effective security control against the costs of implementing the control. Risk management is intended to ensure that reasonable measures are employed to protect against the most probable and impactful threats.
03.02 Owners and their designated custodians shall annually complete or commission a comprehensive risk assessment of their assigned information resources, including departmentally-administered computing resources that store, process, and access information. The assessment must include a classification of their information according to its need for security protection (i.e., its need for confidentiality, integrity, and availability) (see Section 04.08, Data Classification).
The assessment should also identify reasonable, foreseeable, internal, and external risks to the security, confidentiality, integrity, and availability of those resources. Owners and custodians should assess the sufficiency of safeguards in place to control these risks and document their level of risk acceptance (i.e., the exposure remaining after implementing appropriate protective measures, if any). They should also take mitigating measures to protect the resources from unacceptable risks. The risk assessment should include consideration of employee training and management, information systems architecture and processes, business continuity planning and prevention, detection and response to intrusion and attack. The assessment results shall be documented in a written report, protected from unauthorized disclosure, modification, or destruction, and retained until superseded by a subsequent documented assessment, plus one year (see TAC 202.73).
03.03 The ISO shall periodically (at least annually) complete or commission a risk assessment of the information resources considered essential to the university's critical mission and functions, and shall recommend to the owners and custodians of these resources appropriate risk mitigation measures, technical controls, and procedural safeguards. The assessment may incorporate self-assessment questionnaires, vulnerability scans, scans for confidential information, and penetration testing. Findings and recommendations shall be provided to the owners and custodians of the information assets and shall also be presented to the VPIT for sharing with the president as appropriate (see TAC 202.71(a)).
04. INFORMATION ASSET MANAGEMENT PROCEDURES
04.01 As stated in Section 01.02, the university’s information resources are strategic and vital assets that must be available when needed and protected commensurate with their value. In this policy, the university has identified specific actions required to achieve these objectives. The university has also articulated the owner, custodian, and user roles to clearly distinguish the parties responsible and accountable for taking those actions, in consultation with the IRM and ISO.
04.02 The Owner Role – The university (and consequently the state of Texas) is the legal owner of all the university’s information assets. As a practical matter, the university delegates specific ownership responsibilities to those with day-to-day oversight of the information asset. For example, for a shared file system hosted on a departmental server, both the file share and the computer are owned by the department. Conversely, ownership is split for departmental file shares hosted on Technology Resources servers in the data center (i.e., the shared directories and their contents are owned by the department and the host computer and related disk storage are owned by Technology Resources).
Owners have been designated for data assets based upon the general subject matter of the data. For example, Human Resources and Faculty Records are the designated owners of staff and faculty employee information, respectively (see the Data Ownership Guide on the IT Security website for more information).
Ownership responsibility for network, hardware, and software assets is assigned to the party accountable for the assets, as documented in the university’s inventory, procurement, and licensing records.
In consultation with the IRM and ISO, owners are specifically responsible for:
a. keeping abreast of laws and policies related to the information assets they own and classifying these assets according to their need for security protection (see Section 04.08, Data Classification);
b. determining the value of, authorizing user access to, and establishing procedures for authorized disclosure of their information assets;
c. specifying data control requirements for their information assets and conveying those requirements to co-owners, custodians, and users;
d. specifying appropriate controls, based on risk assessment, to protect their information assets from unauthorized use, modification, deletion, or disclosure;
e. selecting and assigning custody of information assets, in consultation with appropriate IT division staff, to custodians capable of implementing the necessary security controls and procedures;
f. contractually binding non-university custodians to implement and comply with their specified security controls and procedures;
g. confirming the implementation of and compliance with the specified controls by the custodians; and
h. reviewing and maintaining access authorization lists based on documented security risk management decisions; this includes periodically reviewing the access authorization lists for their assets to ensure that authorization is revoked from those whose roles no longer justify the specified access (see TAC 202.72 (1)).
04.03 The Custodian Role – In consultation with the IRM and ISO, custodians provide information asset services to both owners and users. A custodian may be a person (such as a departmental system support specialist), a team or department (such as Technology Resources), or a third-party provider of information resource management services (such as a website or application hosting firm).
Regardless of how the role is filled, custodians are expected to:
a. assist the owner in identifying cost-effective controls, along with monitoring techniques and procedures for detecting and reporting control failures or violations;
b. implement the controls and monitoring techniques and procedures specified by the owner and as specified by university policies, procedures, and standards;
c. provide and monitor the viability of physical and procedural safeguards for the information resources in accordance with the information security program;
d. provide appropriate information security training to employees; and
e. ensure information is recoverable in accordance with risk management decisions (see TAC 202.72 (2)).
04.04 The User Role – The user role is the default role possessed by all users of Texas State information resources. Users of information resources shall use those resources for defined purposes that are consistent with their institutional responsibilities and always in compliance with established controls. Users must comply with the university’s published security policies and procedures, as well as with security bulletins and alerts that IT Security or other IT units issue in response to specific risks or threats. The use of Texas State information resources implies that the user has knowledge of and agrees to comply with the university’s policies governing such use (see TAC 202.72 (3)).
Employee users are responsible for ensuring the privacy and security of the information they access in the normal course of their work. Employees are also responsible for the security of any terminal, workstation, printer or similar electronic device utilized in the normal course of their work. Employees are authorized to use only those resources and materials that are appropriate and consistent with their job functions and must not violate or compromise the privacy or security of any data or systems accessible via the university computer network. See UPPS No. 04.01.07, Appropriate Use of Information Resources, for additional information about acceptable and prohibited uses of Texas State’s information resources.
Except as provided in Sections 04.05 and 04.06, users may not attempt to violate the security or privacy of other computer users on any system accessible via the university computer network. The attempted violation of information security or privacy is grounds for revocation of computer access privileges, suspension or discharge of employees, suspension or expulsion of students, and prosecution to the full extent of the law.
Users are responsible for the security of any computer account (e.g., NetID or username) issued to them and are accountable for any activity that takes place in their account. Users who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to the Information Technology Assistance Center (ITAC) for initial investigation. ITAC shall escalate the incident to IT Security if the compromise may increase the risk to other university information resources. Any suspected or attempted violation of system security should be reported immediately to ITAC (512.245.4822, firstname.lastname@example.org) or IT Security (512.245.4225, email@example.com).
04.05 Privileged Roles – By virtue of their job duties (e.g., the review and monitoring activities described in Section 04.06), designated employees may require and may be entrusted with elevated access privileges to specified information assets. These employees normally function in custodial or security-related roles with respect to the specified information assets.
Users entrusted with elevated access privileges shall:
a. use those privileges solely for the purpose intended by the asset owner; and
b. access, disclose, and discuss the information only to the extent required to perform the job duty for which the privileges were granted.
04.06 Review and Monitoring – Texas State’s information resources are subject to monitoring, review, and disclosure as provided in Section 07. of UPPS No. 04.01.02, Information Resources Identity and Access Management. Consequently, users should not expect privacy in their use of Texas State's information resources (see NIST 800-53 AC-8, AR-4).
04.07 Interagency Operations – When confidential information from another university or state agency is received by Texas State in connection with the transaction of official business, Texas State shall maintain the confidentiality of the information in accordance with the conditions imposed by the providing agency or university.
04.08 Data Classification – Prior to releasing, publishing, or disclosing any university information, the designated university owner of the information, in consultation with the IRM and ISO, shall classify the information as public, sensitive, or confidential, according to its need for confidentiality. Moreover, the information’s owner should ensure that disclosure controls and procedures are implemented and followed to afford the degree of protection required by the assigned classification.
Information shall be assigned one of the following three classifications:
a. Public (Level 1) information is by its very nature designed to be shared broadly, without restriction, at the complete discretion of the owner. It may or may not have been explicitly designated as public. Public information may be freely disseminated without potential harm to the university, individuals, or affiliates. From the perspective of confidentiality, public information may be disclosed or published by any person at any time.
Examples of public information include: advertising and marketing literature, degree program descriptions, course offerings and schedules, campus maps, job postings, press releases, descriptions of university products and services, and certain types of unrestricted directory information as specified by the Family Educations Rights and Privacy Act of 1974 (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
b. Sensitive (Level 2) information can be difficult to classify as it often presents attributes of both public and confidential information. Sensitive information may be deemed “public” in the sense that, under certain circumstances, disclosure may be required under provisions of the Texas Public Information Act (TPIA). However, the disclosure of sensitive information also requires assurances that its release is both controlled and lawful. Sensitive information is often intended for use within a specific workgroup, department or group of individuals with a legitimate need-to-know. Likewise, access to sensitive information may be controlled by identity authentication and authorization measures (e.g., NetID and password). Unauthorized disclosure of sensitive information could adversely impact the university, individuals, or affiliates.
Examples of sensitive information include: some employee records (such as performance appraisals, home address, home telephone number, and personal email addresses), departmental policies and procedures that might reveal otherwise protected information, the contents of email, voice mail, instant messages and memos, unpublished research, information covered by non-disclosure agreements, and donor information.
Generally speaking, sensitive information should not be published or disclosed to the public except by the university’s designated owner of the information in accordance with the owner’s established practices, or after consultation with the TSUS associate general counsel. See the Data Ownership Guide on the IT Security website for more information.
c. Confidential (Level 3) information is defined by TAC 202 to be “information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement” such as the TPIA and the FERPA.
Confidential information is generally intended for a very specific purpose and shall not be disclosed to anyone without a demonstrated need-to-know, even within a workgroup or department. Disclosure of confidential information is generally regulated by specific legal statutes (e.g., TPIA, FERPA, HIPAA), contract agreements, published opinions by the Office of the Attorney General of Texas, and the Rules and Regulations of The TSUS Board of Regents. Unauthorized disclosure of this information could have a serious adverse impact on the university, individuals, or affiliates, and presents the most serious risk of harm if improperly disclosed.
Examples of confidential information include: student education records as defined under FERPA, personally-identifiable medical records, passport information, crime victim information, library transactions (e.g., circulation records), court sealed records, and access control credentials (e.g., PINs and passwords). Confidential information also includes any of the following when combined with other personally-identifying information: social security number, driver license number, date of birth, payment cardholder information, or financial account information.
Confidential information must not be disclosed to the public under any circumstances other than those specifically authorized by law. Any such disclosure should be immediately reported to IT Security for incident mitigation and investigation. Requests for such information received from persons with a questionable need to know should be directed to the TSUS associate general counsel.
04.09 Standards for Handling Sensitive and Confidential Information – Because of the harm that can result from improper disclosure, sensitive and confidential university information shall be afforded the following special protections by owners, custodians, and users:
a. A person’s social security number, driver license number, or other widely-used government-issued identification number shall not be captured, stored, or used as a person identifier unless such use is required by an external, governmental, or regulatory system that is authorized for use at the university. The Texas State ID number should be used in lieu of such prohibited identifiers in situations where personal names or other identifiers do not assure uniqueness. Where use of such numbers is required, owners, custodians, and users shall store these numbers in encrypted form or using other compensating controls with the advice and authorization of the ISO (or the ISO’s designee).
b. Payment cardholder data (i.e., the primary account number or the magnetic stripe contents together with any one of: cardholder name, expiration date, or the service code) shall not be stored on any device connected to the university’s data network for longer than is necessary to authorize a transaction using that information.
c. Confidential information must not be transmitted electronically over a public network (e.g., the Internet) in unencrypted form. Either the information itself must be encrypted prior to transmission or an encrypted connection must be established and maintained for the duration of the transmission. Authorized encrypted connection examples include the university’s implementations of: VPN – Virtual
Private Network, TLS – Transport Layer Security, and SSH – Secure Shell.
d. Confidential information should not be stored on portable devices or media such as notebook or tablet computers, PDAs, smart phones, USB drives, CDs, DVDs, tape cartridges, etc. If such storage is required, the confidential information must be protected by encryption or by other compensating controls with the advice and authorization of the ISO (or the ISO’s designee).
e. Confidential information must not be accessed from remote locations in an unauthorized manner. Examples of authorized remote access solutions include the university’s implementations of: VPN, TLS, and SSH. Contact IT Security for up-to-date information about the acceptability of other remote access solutions.
f. Confidential information should not be stored on personally-owned devices or media. If such storage is required, the confidential information must be protected by encryption or by other compensating controls with the advice and authorization of the ISO (or the ISO’s designee).
g. Confidential information shall not be stored on any devices external to the campus network except as provided under contract with an authorized information resource service provider that is contractually bound to properly protect the information (see Section 05.06).
*h. Confidential or sensitive information shall be retained only as long as the information is needed to conduct university business. It is the responsibility of owners, custodians, and employee users to perform periodic reviews to ensure confidential and sensitive information stored on university information resources (e.g., desktops, laptops, portable drives, and servers) is removed when no longer needed. Information Technology provides data loss prevention software to assist in the identification, encryption, or removal of confidential and sensitive information on all university workstations.
*i. Encryption requirements for information storage and transmission, as well as for portable devices, removable media, and encryption key management, shall be based on documented risk management decisions. Contact IT Security for up-to-date information about university-supported encryption solutions.
*j. All workstation computing devices that do not have an approved exemption are required to employ whole disk encryption regardless of their intended use or the data stored on them to protect against inadvertent data disclosure. Please refer to the Computer Encryption Program website for information on computer encryption best practices.
*k. ITAC, in consultation with the ISO, will provide and support whole disk encryption for all university workstations. Departments who do not have a technical support person can request assistance from ITAC with installing encryption software on their computers. It is the responsibility of each workstation owner and the associated department head to ensure that systems under their custodianship are encrypted.
*l. There may be instances in which a device, or group of devices, may need to be exempted from the encryption standard (e.g., a computer lab that is imaged on a regular basis). In these cases, a formal encryption exception request form must be submitted for approval. Department computing resources that need to be exempted from encryption or have encryption configured should direct requests to firstname.lastname@example.org. The ISO, or designee, will review and authorize exemption requests. Approved exemptions are valid for 365 days. Owners may appeal denied exemption requests to the vice president for Information Technology, whose decision is final.
*m. Confidential information shall not be shared, exposed or transmitted via any peer-to-peer (P2P) file sharing mechanism prior to completion of a comprehensive risk assessment, including penetration testing, of the proposed P2P file sharing mechanism by IT Security.
04.10 Transfer, Disposal, or Destruction of Information Assets – The sale, transfer, or disposal of old, obsolete, damaged, nonfunctional, or otherwise unneeded electronic devices and media pose information risks for the university. These risks are related primarily to the media contents that might be exposed, which can be sensitive or confidential information, licensed and non-transferable software, copyrighted intellectual property, or other protected information. Even supposedly deleted data can be retrieved through data recovery techniques.
Under Texas Government Code §2054.130, state agencies and institutions of higher education are required to permanently remove data from data processing equipment before disposing of or otherwise transferring the equipment to an entity that is not a state agency or other agent of the state. The Texas Department of Information Resources (DIR) recommends that “state agencies shall assess whether to remove data from any associated storage device. Electronic state records shall be destroyed in accordance with §441.185, Government Code” (see NIST 800-53 MP-7).
Owners, custodians, and users shall contact ITAC for media sanitization assistance prior to transferring ownership or otherwise disposing of any magnetic media (e.g., hard disk drives, USB drives, backup tape cartridges, DVDs, CDs, etc.) or any devices containing such media (e.g., computers, PDAs and smart phones, printers, copiers, etc.). ITAC will securely sanitize or destroy the media, at its sole discretion, and maintain appropriate records of the action taken. See UPPS No. 05.01.02, University Surplus Property (Equipment and Consumable Supplies), for additional information regarding proper disposal procedures.
Owners, custodians, and users shall not repurpose or reassign any electronic device or electronic media contained within a device without first fully sanitizing the media using a tool sanctioned by the ISO (or the ISO’s designee). Reformatting the media does NOT constitute, by itself, a satisfactory sanitization process.
05. HUMAN RESOURCES SECURITY PROCEDURES
05.01 In any organization, people represent both the greatest information security assets as well as the greatest information security threats. Consequently, employee awareness and motivation are integral parts of any comprehensive information security program.
05.02 To emphasize security awareness and the importance of individual responsibility with respect to information security, all Texas State employees shall explicitly affirm their agreement to abide by the university’s information security, copyright, and appropriate use policies each time they change their Texas State NetID password (see TAC 202.70(3)(c)).
*05.03 IT Security shall provide training and literature during the employee onboarding process, as well as recurring information security education through periodic workshops, educational events, and online training. All such training and events will provide references to relevant university policy and procedure documents and promote the IT Security website as a valuable repository of information security policies, procedures, guidelines, and best practices. Department heads shall continually reinforce the value of security-consciousness in all employees whose duties entail access to sensitive or confidential information resources (see NIST 800-53 AT).
05.04 Department heads are responsible for implementing the measures necessary to ensure that department members maintain the confidentiality of information used in departmental operations. Examples of such information include personnel and payroll records, transcript and grade records, financial aid information, and other sensitive or confidential information. Such information shall not be used for unauthorized purposes or accessed by unauthorized individuals. Department heads are encouraged to obtain and retain signed non-disclosure agreements from their employees prior to granting those employees access to departmental information resources. Template non-disclosure agreements are available, together with other Policies, Standards and Guides, on the IT Security website (see TAC 202.70 and TAC 202.72).
05.05 Department heads are responsible for ensuring that access privileges are revoked or modified as appropriate for any employee in their charge who is terminating, transferring, or changing duties. Department heads should provide written notification to the appropriate security administrator whenever an employee's access privileges should be revoked or changed as a result of the employee's change in status (a list of major Information System Assets and Security Administrators is available on the IT Security website) (see TAC 202.72).
05.06 Owners of information resources shall obtain and retain signed non-disclosure agreements from all temporary employees, consultants, contractors, and other external parties prior to their obtaining access to Texas State information resources. The agreements shall affirm their compliance with Texas State’s security policies and procedures. Template non-disclosure agreements are available, together with other Policies, Standards and Guides, on the IT Security website (see TAC 202.72).
06. PHYSICAL AND ENVIRONMENTAL SECURITY PROCEDURES
06.01 Physical access to mission critical information resources facilities shall be managed and documented by the facility’s custodian. The facilities must be protected by physical and environmental controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated within those facilities (see NIST 800-53 PE-1).
06.02 The information owner must review physical security measures annually in conjunction with each facility’s risk assessment, as well as whenever facilities or security procedures are significantly modified (see TAC 202.72).
06.03 Physical access to information resources facilities administered by the IT division is restricted to individuals having prior authorization from the assistant vice president responsible for the facility. The responsibility for securing departmentally administered computer facilities or equipment from unauthorized physical access ultimately rests with the designated owner and designated custodian of the facility or equipment.
A log will be maintained of all persons entering or leaving the university’s primary data centers, including the date, time, and purpose of the visit. Access to the equipment rooms in these data centers shall be electronically secured and visually monitored and recorded.
06.04 Employees and information resources shall be protected from the environmental hazards posed by information resources facilities. Employees with duty stations inside information resources facilities shall be trained to monitor any installed environmental controls and equipment, and to respond appropriately to emergencies or equipment malfunctions. Emergency procedures shall be developed, documented, and regularly tested in collaboration with the university’s Office of Environmental Health, Safety & Risk Management (see NIST 800-53 PE).
06.05 Terminals, computers, workstations, mobile devices (e.g., PDA’s, portable storage devices, smart phones, etc.), communication switches, network components, and other devices outside the university’s primary data centers shall receive the level of protection necessary to ensure the integrity and confidentiality of the university information accessible through them. The required protection may be achieved by physical or logical controls, or a combination thereof.
No authenticated work session (i.e., a session in which the user’s identity has been authenticated and authorization has been granted) shall be left unattended on one of these devices unless appropriate measures have been taken to prevent unauthorized use. Examples of appropriate measures include:
a. activation of password-protected keyboard or device locking;
b. automatic activation of a password-protected screensaver after a brief inactivity period (15 minutes or less, based upon risk assessment); and
c. location or placement of the device in a locked enclosure preventing access to the device by unauthorized parties.
The creator of the work session is responsible for any activity that occurs during a work session logged in under his or her account.
07. COMMUNICATIONS AND OPERATIONS MANAGEMENT PROCEDURES
07.01 Network resources used to exchange sensitive or confidential information shall protect the confidentiality of the information for the duration of the session. Controls shall be implemented commensurate with the highest risk. Transmission encryption technologies (e.g., VPN, TLS, HTTPS, SSH, IPSEC, etc.) shall be employed to accomplish this objective (see NIST 800-53 SC-8).
07.02 Confidential university information must not be transmitted over a public network (e.g., the Internet) in unencrypted form. Either the information itself must be encrypted prior to transmission or an encrypted connection must be established and maintained for the duration of the transmission. Authorized encrypted connection examples include the university’s implementations of VPN, TLS, and SSH, as well as any wireless network connection utilizing the Wi-Fi Protected Access 2 (WPA2) Advanced Encryption Standard (AES). These restrictions apply regardless of the user’s location and include transmissions over any network accessible to the user, including in-home networks. Technology Resources shall establish and maintain a WPA2-AES encrypted (or equivalent or superior) wireless network for use on the university campus.
07.04 Owners of distributed information resources within the campus network shall prescribe sufficient controls to ensure that access to those resources is restricted to authorized users and uses only. Examples of such resources include network equipment rooms, data closets, and the equipment contained within them. Controls shall restrict access to the resources based upon user identification and authentication (e.g., password, smartcard or token), physical access controls, or a combination thereof (see TAC 202.70 and NIST 800-53 PE).
07.05 Owners of applications containing or with access to sensitive or confidential information, or applications involving automated transmission of such information to other applications, shall require authentication of user identity prior to granting access to the applications (see TAC 202.70 and NIST 800-53 AC).
08. ACCESS CONTROL PROCEDURES
*08.01 Prior to obtaining access to the Texas State network, any device connected to that network, any service provided via that network, or any application hosted on that network, individuals must authenticate themselves as authorized users of the network, service, device, or application. This requirement may be waived in situations where a formal risk assessment has determined that access to the resource does not require individual user identification, authorization, or accountability.
A university-assigned network identifier (e.g., NetID or Texas State ID number) and its corresponding “secret” (e.g., a password/PIN or smartcard or token) shall be used to accomplish the authentication. Based upon security risk assessment, information resources that contain sensitive or confidential information may require the use of two-factor authentication where one factor is provided by a device separate from the computer gaining access. The network identifier shall be unique to an individual in all cases except for authorized “service” accounts that must be accessible to a team of custodians charged with supporting a breadth of resources (see NIST 800-53 AC).
Based upon security risk assessment, and excepting service accounts as described in the preceding paragraph, owners and custodians shall implement and maintain audit trails and transaction logs as necessary to provide individual accountability for changes to mission critical information, hardware, software, and automated security or access rules (see NIST 800-53 AC).
08.02 Self-service systems must incorporate security procedures and controls to ensure the data integrity and protection of sensitive or confidential information. Self-service systems must authenticate the identity of individuals that utilize the systems to retrieve, create, or modify sensitive or confidential information about them (see NIST 800-53 AC).
08.03 To the extent practicable, all initial login and authentication screens should clearly and prominently display the following user advisory:
“Use of computer and network facilities owned or operated by Texas State University requires prior authorization. Unauthorized access is prohibited. Usage may be subject to security testing and monitoring, and affords no privacy guarantees or expectations except as otherwise provided by applicable privacy laws. Abuse is subject to criminal prosecution. Use of these facilities implies agreement to comply with the policies of Texas State University.” (See NIST 800-53 AC.)
08.04 A user's NetID shall be deactivated whenever the user’s then current affiliation with the university no longer qualifies the user to possess an active NetID. See Section 04.06 of UPPS No. 04.01.07, Appropriate Use of Information Resources, for specifics regarding the deactivation of employee accounts upon separation from service (see NIST 800-53 AC).
08.05 Sensitive and confidential information shall be accessible only to personnel with authorization from the information owner on a strict "need-to-know" basis in the performance of their assigned duties. Such information shall be disclosed only by the information owner, as described in the Data Ownership Guide on the IT Security website (see NIST 800-53 AC-6).
*08.06 Passwords – Texas State systems that employ passwords for authenticating user identities shall comply with the following minimum password acceptability standards:
a. passwords must be case-sensitive;
b. passwords must be at least eight characters in length; longer passwords and passphrases are strongly encouraged;
c. passwords must include at least one character from at least three of the following four character sets:
1) uppercase characters (A, B, C … Z);
2) lowercase characters (a, b, c … z);
3) numeric characters (0, 1, 2 … 9); and
4) special characters or symbols (e.g., #, $, %, ^, &, -);
d. passwords may not include the associated NetID or the NetID owner’s first or last name; and
e. passwords cannot have been used previously with the associated NetID.
Password repositories must utilize one-way encryption and, once assigned, the password must not be retrievable by anyone. Thus, when a password is lost or forgotten, the existing password will not be retrieved but rather, a new password will be assigned.
Password change logs shall be maintained by custodians that issue passwords. The log entries should reflect the date and time of the password change and the NetID associated with the changed password, but neither the new nor the old password.
Passwords shall be distributed from the password source to the owner in a confidential manner. Newly-assigned accounts must require a password change by the NetID owner upon initial login and at least once per year thereafter. System owners and custodians may require more frequent password changes based upon risk assessment results. Passwords shall be changeable by their owners at will (see NIST 800-53 IA).
In the event that a legacy or administrative system is incapable of meeting all requirements for user passwords, alternative mitigating security controls shall be implemented in place of these requirements with approval from the ISO, or designee.
09. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT, AND MAINTENANCE PROCEDURES
09.01 Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless all personnel involved in testing are authorized access to the production data or all confidential information has been removed from the test copy (see NIST 800-53 SC).
09.02 Appropriate information security and audit controls shall be incorporated into new systems. Each phase of systems acquisition or development shall incorporate corresponding development or assurances of security controls. The movement of system components through various lifecycle phases shall be tracked and, more specifically, the movement of any software component into production shall be logged (see NIST 800-53 SA).
09.03 After a new system has been placed into production, all program changes shall be authorized and accepted by the system owner (or the owner’s designee) prior to implementation (see NIST 800-53 SA).
09.04 To the extent practicable, the principle of separation of duties and least privilege shall be applied to the system development and acquisition lifecycle. The developer or maintainer of a component should not also have the ability to place the component into production.
09.05 Modifications to production data by custodians or developers shall be authorized in advance by the data owner. If advance authorization is not possible in a real or perceived emergency, the owner shall be notified as soon as possible after the fact and the notification logged. The notification log entry shall contain the notification date and time, a description of the data modified, the justification for the modification, and the identities of the owner and the custodian.
09.06 Owners and custodians will ensure that new and modified Web applications are compliant with Technology Resources’ Web application development standards prior to their production deployment.
10. INFORMATION SECURITY INCIDENT MANAGEMENT PROCEDURES
10.01 The ISO is charged with establishing and maintaining an effective security incident response program to ensure that:
a. security events are thoroughly investigated and documented;
b. immediate damage is minimized, latent risks are identified, and subsequent exposures are mitigated;
c. incident reporting and notification are timely and legally compliant; and
10.02 As part of the incident response program, the ISO will develop a security breach response plan (SBRP) for responding to incidents that may require notification of impacted parties as described in Texas Business & Commerce Code, Chapter 521.
The VPIT will activate the SBRP when, in his or her judgment, sensitive personal information (as defined in CH 521) was, or is reasonably believed to have been, acquired by an unauthorized person. The response team associated with the SBRP will include, at a minimum:
a. the VPIT, as the team lead;
b. the ISO, as the adjutant team lead;
c. the owners and custodians of the breached information resource, along with their respective vice presidents;
d. the TSUS associate general counsel;
e. the director, University News Service; and
f. other IT and university employees at the discretion of the VPIT in collaboration with other members of the team.
To facilitate rapid activation and execution of the SBRP, the ISO shall, to the extent practicable, maintain a prefabricated website and appropriate templates for use by the team.
At the direction of the VPIT, the SBRP will be tested annually in a table-top exercise developed by the ISO. Test results will be evaluated by the participants and the SBRP will be modified in response to those evaluations.
10.03 Owners, custodians and users must immediately report suspected information resources security incidents to ITAC (512.245.4822, email@example.com) or IT Security (512.245.4225, firstname.lastname@example.org).
10.04 If criminal activity is suspected, the ISO shall immediately contact the appropriate law enforcement and investigative authorities (see TAC 202.73).
10.05 Except as provided in Section 10.02, information security incident response will be managed by the ISO (or the ISO’s designee) and will involve, at a minimum, IT Security staff and the owners and custodians of the compromised information resources. The ISO shall fully document the incident, the investigation itself, and the results of the investigation. A draft incident report will be prepared and shared with the VPIT, the owners and custodians of the compromised resources, their respective vice presidents, the TSUS associate general counsel, and the director of Audits and Analysis.
The draft report’s completeness and accuracy will be reviewed in a meeting of the report recipients and modifications noted in that meeting.
The final report will be released to all recipients subsequent to the review meeting. If required, the results will be included in the ISO’s report to the DIR.
10.06 The ISO shall report any incident to the DIR within 24 hours, and to other entities as may be appropriate to the incident, if the initial incident investigation reveals a critical threat that might propagate beyond the confines of the campus network and threaten other networks (see TAC 202.73).
10.07 The ISO shall also provide recurring summary reports to the DIR as directed by the DIR (see TAC 202.73).
11. BUSINESS CONTINUITY MANAGEMENT PROCEDURES
11.01 Administrative heads responsible for delivering mission critical university services should maintain written business continuity plans (BCP) that provide for continuation or restoration of such services following a disruption in critical information systems, communication systems, utility systems, or similar required support systems.
The BCP should incorporate:
a. a business impact analysis that addresses the maximum possible downtime for critical service delivery components and resources including: key personnel, facilities, components of electronic information and communication systems (e.g., voice and data network, hardware, and software), and vital electronic and hard copy records and materials;
b. to the extent practicable, alternate methods and procedures for accomplishing its program objectives in the absence of one or more of the critical service delivery components;
c. a security risk assessment to weigh the cost of implementing preventive measures against the risk of loss from not taking preventive action;
d. a recovery strategy assessment that documents realistic recovery alternatives and their estimated costs; and
e. reference to a disaster recovery plan that provides for the continuation or restoration of electronic information and communication systems as described later in this section.
11.02 Key aspects of the BCP should be tested or exercised at least annually and updated as necessary to assure the plan’s continued viability. Results of such tests and exercises should be documented and retained until the end of the current fiscal year, plus three years (see NIST 800-53 CP).
11.03 Technology Resources shall prepare and maintain a written and cost-effective disaster recovery plan that addresses key infrastructure components in its custody. The plan should provide for the prompt and effective continuation or restoration of critical university information systems and processes if a disaster were to occur that might otherwise severely disrupt these systems and processes. The plan should provide for the scheduled backup of mission critical information and for the off-site storage of that backup in a secure, environmentally safe and locked facility accessible only to authorized IT staff. The plan should also identify other key continuation and recovery strategies, required resources, alternate sources of required resources, as well as measures employed to minimize harmful impacts. Technology Resources shall exercise or test key aspects of the disaster recovery plan and make periodic updates as necessary to assure its viability (see NIST 800-53 CP).
11.04 Owners and custodians of departmental information resources are responsible for disaster recovery plans associated with those resources. The plans should include regular schedules for making backup copies of all data and software resident in their systems and for ensuring that the backups are stored in a safe location. Users are responsible for ensuring that the data and software resident on their personal computers are backed up as required by their individual circumstances. The security controls over the backup resources should be as stringent as the protection afforded to the primary resources. See the Server Backup and Recovery Guide available from the IT Security website or ITAC for assistance in the design of backup and recovery solutions.
12.01 The VPIT shall commission periodic reviews of the university’s information security program for compliance with TAC 202 standards. Reviews will be conducted at least biennially by individuals independent of the information security program and will be based on business risk management decisions (see TAC 202.70).
12.02 Key aspects of the university’s information security program shall be a prominent component of any university program designed to encourage or enhance legal and policy compliance by university constituents.
13. REVIEWERS OF THIS UPPS
*13.01 Reviewers of this UPPS include the following:
Chief Information Security Officer April 1 E2Y
Director, Environmental Health, April 1 E2Y
Safety & Risk Management
Associate Vice President for April 1 E2Y
Vice President for Information April 1 E2Y
Technology and Chair, Campus
Information Resource Advisory Council
*14. CERTIFICATION STATEMENT
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Chief Information Security Officer; senior reviewer of this UPPS
Vice President for Information Technology