Summary
The purpose of this policy statement is to establish the requirements necessary to prevent or minimize accidental or intentional unauthorized access or damage to Southern Adventist University information resources.
Applicability
This policy applies to all university students, faculty and staff, affiliates, third-party support contractors, and all others granted access to Southern’s information resources. All users of information resources bear responsibility for the protection of those assets. Based on system and information classification categories, some categories of users have a greater burden of responsibility and accountability than others.
This policy pertains to all university information resources, whether the resources are individually or departmentally controlled, enterprise managed, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated or contracted by the university, networking devices, mobile devices, telephones, wireless devices, workstations, portable storage devices and any associated peripherals and software, whether used for administrative, research, teaching or other purposes. It applies to personal devices that are attempting to access, store or maintain university information. This policy also pertains to hard-copy documents that are classified under these guidelines.
Responsibilities
Adherence to the principles of information security set forth in this policy requires the participation and involvement of the entire university community. In particular, state law (Tenn. Code Ann. §§ 47-18-2105 to -2107 (2005)) mandates that the university notify individuals when there is a breach of the security of system information or written material that contains their “personally identifiable information,” as defined by the law. Because of the legal requirement to protect this information, such personal information should be treated as Restricted Information. Southern employees who are aware of any attempted or actual breach are required to report the incident to the Information Technology Department for investigation and potential breach notification.
Within the framework of these principles, the responsibilities of those in key positions, as well as other members of the campus community, are as follows:
Principles of Information Security
The purpose of information security is to protect the information resources of the university from unauthorized access or damage. The underlying principles followed to achieve this objective are:
Classification of Information Records
All university information, including electronic and hard copy records, is assigned to stewards, who classify it by the level of sensitivity and risk. These classifications take into account the legal protections, contractual agreements, ethical considerations and proprietary worth. Information can also be classified as a result of the application of “prudent stewardship,” where a legal mandate to protect such information is lacking, but reasonable discretion may be required in its disclosure.
The classification level assigned to information guides information stewards, end users, business and technical project teams, and others who may obtain or store information, in the security protections and access authorization mechanisms appropriate for that information.
Information classification is defined in Southern’s Data Classification Policy as follows:
When the appropriate level of protection is determined, that same level of protection shall be applied to all other related information in whatever format, wherever retained (e.g., servers, network segments, desktop computers, mobile devices and storage devices such as jump drives, CD or DVD, and physical storage units such as rooms/spaces, desk drawers and file cabinets).
Classification of Systems
University systems, both hardware and software, are classified by scope and level of support and by impact on university operations. The classification of systems takes into account legal protections, contractual agreements, ethical considerations, and strategic or proprietary worth of information maintained in such systems. The classification level assigned to systems will guide system and data stewards, and business and technical project teams in the security protections and access authorization mechanisms appropriate for those systems. Such categorization provides the basis for planning, allocation of resources, support, and security/access controls appropriate for those systems.
The system classifications are as follows:
Non-Managed Workstations and Devices - Non-Managed workstations and devices may include but are not limited to faculty and staff personal workstations, personal computers, mobile devices, etc. Non-Managed Workstations and Devices shall have no access or limited access to enterprise or business critical systems that store Restricted Information.
Information Storage and Disposition
Information and records, whether maintained in electronic files or on paper, must be stored and disposed of securely according to the guidelines published in Southern’s Data Classification Policy.
ALL information and records subject to a litigation hold must be retained, in whatever format and under whatever classification they exist, notwithstanding other general policies on retention.
Violations of Policy and Misuse of Information
Violations of this policy include, but are not limited to: accessing information to which the individual has no authorization or business purpose; enabling unauthorized individuals to access information; disclosing information in a way that violates applicable restricted access or confidentiality procedures, or handling or using information contrary to any other relevant regulations or laws; inappropriately modifying or destroying information or university business records; inadequately protecting Restricted Information or Confidential Information; or ignoring the explicit requirements of information stewards for the proper management, use and protection of information resources. Violations may result in network removal, access revocation, corrective action, university disciplinary action and/or civil or criminal prosecution, if applicable. Should disciplinary action be implemented, up to and including dismissal, suspension or expulsion, such actions will be taken pursuant to applicable university policies and procedures.
In the event that a university office or department is found to have generally violated this policy (beyond actions taken by an individual employee), the vice president responsible for that area will be notified. Corrective actions and possible financial costs associated with an information security incident will be coordinated at cabinet level.
Third-party vendors and/or consultants found to have breached their respective agreements with the university may be subject to consequences, including but not limited to, the loss of third-party vendor/consultant access to university information technology resources, removal of the vendor/consultant from university facilities, termination/cancellation of the agreement, payment of damages, and criminal or civil charges based on the nature of the violation.
The university is sometimes required to transmit information by state or federal forms and formats. When using such forms and formats, university employees should transmit such information following university policy and utilize appropriate safeguarding and security measures in the transmission of that information. It is important to work with state and federal officials in striving to meet industry best practices in the transmission of information.
Exceptional Information Releases
In some instances the university is mandated to disclose, or is authorized to release, information that would normally be protected under this policy. Examples include, but are not limited to, disclosures pursuant to state or federal reporting requirements, legal process (such as subpoenas, court orders, warrants, etc.), and certain authorized releases of information about particular individuals (students, employees or customers).
Legal Process
Any employee or affiliate of the university who is served with a legal document (for example, a subpoena, summons, court order, warrant, etc.) that refers to university records or data shall notify the Senior Vice President of Financial Administration immediately and prior to the release of any requested information. The Senior Vice President of Financial Administration will review the legal document to determine the validity and enforceability of the document, and to provide guidance and assistance in properly responding.
Legal documents that are addressed to a particular person should be accepted only by that person. If an unintended recipient is served with the legal document, it should not be accepted. The process server or deliverer should be referred to the person identified on the document, by name, title or job description, or should be directed to the Senior Vice President of Financial Administration.
Requests from External Entities and Persons, including Law Enforcement and Attorneys
The university receives numerous requests for information and records maintained by the university from persons and entities that are external to the university. The release of information about a particular person may require authorization by that person. The Senior Vice President of Financial Administration is available to assist with evaluating the validity and scope of any authorization provided for the release of information, as well as providing guidance for appropriately responding to information requests pursuant to an authorization.
External law enforcement agencies sometimes request information. Before responding to these requests, the Senior Vice President of Financial Administration should be contacted to determine the authenticity of the request and the requestor. In addition, any request for information from an attorney, whether by legal process or not, should be immediately referred to the Senior Vice President of Financial Administration.
All other requests for information from outside entities or persons should be evaluated on a case-by-case basis. For identifying information or data stored in an electronic format at Southern, the Information Technology Department is available for assistance.
In the absence of the Senior Vice President of Financial Administration, all legal requests should be directed to the Senior Vice President of Academic Administration.
Sources of More Information
The duties and responsibilities of university employees with regard to information protection and safeguarding are defined by numerous documents, including but not limited to, state and federal laws and regulations, university policies and procedures, and industry standards and best practices. Since information security is a growing and evolving area, the Information Technology Department, with cooperation from the Compliance Committee, will constantly monitor for new developments and maintain a listing of relevant resources on this topic.