Information Security Charter

Introduction

This document is a charter for the Information Security unit, managed by the Information Security Officer, for the centralized campus administration of data security and privacy as described below.  This charter states policy that is needed because decentralized management of information security presents a substantial risk of non-compliance with legal and regulatory requirements.  This policy is also needed because a decentralized structure does not minimize risks, and could result in large fines, costly control requirements imposed by external entities, and adverse impacts on the reputation of the University.

Applicability

The policy in this charter applies to all personnel associated with SIU electronic data including, but not necessarily limited to, faculty, staff, Civil Service, Administrative Professional, contractual workers, guests, volunteers, temporary extra help, students, student workers, graduate assistants, and undergraduate assistants.  This policy applies to all systems that contain or process electronic data related to SIU.  In the context of this document, "system" includes software, hardware, processes, and verbal descriptions, printouts, and copies of electronic data related to SIU.

Responsibilities

Responsibilities are assigned to various campus components because security personnel cannot function properly without the cooperation of others.

Campus Responsibility

Everyone is responsible for information security in their respective areas.

Persons involved with writing and reviewing policies shall notify Information Security so that a security review of proposed policies can be accomplished.  Persons involved with all third party contracts shall notify Information Security so that these contracts can be reviewed for security issues.  Persons involved with the development of new electronic data systems shall notify Information Security of their intentions and planned procedures so that security recommendations can be made in such development.

Managerial Responsibility

Managers and administrators will decide levels of risk, provide adequate resources, and enforce policies in their respective areas.

Information Security Responsibility

Information Security is authorized to act on behalf of the University for data security.

Information Security will create, maintain, and periodically disseminate an Information Security Plan with policies and policy implementation tools which set organizational strategic directions and address the campus-wide consolidation and centralization of the functions.  These tools will include internal standards, procedures, guidelines, and forms.  The goal of this plan is to provide a consistent and standardized approach to management and control over electronic data addressing applicable compliance requirements, centralized training of information security issues, the performance of security exercises, the review of proposed contracts, an inventory of data, an inventory of where, when, and how sensitive data is being disclosed to third parties, and an incident and breach management process.  This plan will be widely disseminated periodically across campus to assure that managers and employees are kept up-to-date on changes to the plan.

Information Security functions include, but are not limited to, the following:

  1. To implement intrusion detection and prevention techniques and incident response methods.
  2. To implement security aspects of access control for network accounts and general firewalls.
  3. To develop policies, procedures, plans, and guidelines in consideration of industry standards relative to SIU electronic data processing.
  4. To perform vulnerability, penetration, and risk assessments.
  5. To perform forensics as appropriate for human resources, police, and legal issues.  Appropriate fees may be charged for forensics services.
  6. To implement general log administration and maintenance in support of other functions.
  7. To perform information security analyses.
  8. To continually research information security topics including, but not limited to, threat landscapes and mitigation practices.
  9. To educate Information Technology and University personnel on information security issues.
  10. To interact with law enforcement as necessary and appropriate.

Sanctions

Information Security may disable access for protection of the best interests of SIU, may report issues to appropriate managers and administrators of campus units, and may refer suspected violations of the law to law enforcement agencies.  Managers and administrators may initiate disciplinary procedures in their respective areas.  Suspected violations of regulations may be reported to regulatory agencies by anyone authorized by the respective regulatory agencies.