Security Policies

Table of Contents

Getting Started

The initial process in developing an information security policy is to work with appropriate offices across campus to identify which laws, regulations, and information security drivers are applicable to your institution.

  1. Perform a high level gap analysis of each regulatory requirement and driver that is applicable to determine where policy is needed.

  2. Develop a prioritized action plan that will help you organize your efforts.

  3. Prepare a summary document of the impact that the information security policy or policies will have on the institution. The document should:

    1. Describe the policy

    2. Communicate the reason or business justification for the policy, as well as the risks and negative impact of not implementing the policy

    3. Identify regulatory, technical, cultural, and organizational dependencies for implementation of the policy

    4. Identify milestones and possible roadblocks of implementation, compliance, and enforcement

    5. Identify impacted stakeholders

  4. Develop the policy in collaboration with other key stakeholders at your institution.

  5. Ensure the policy is vetted by impacted subject matter experts and business owners, including information security, legal counsel, human resources, operational staff, and any other applicable steering committees.

  6. Review resources in the Guide such as the GRC FAQ, as well as standards and regulations that address specific requirements (e.g., PCI DSS 3.0, HIPAA, GLBA, GDPR).

  7. Publish, communicate, train, and implement.

Top of page

Overview

This chapter includes two components. The first is information about the process of creating information security policies. The second component is a listing of sample information security policies from higher education institutions.

The adoption of one or more information security policies is the first step that institutions of higher education take to express their commitment to the protection of institutional information resources and the information entrusted to them by constituencies and partners. At institutions of higher education, institutional policies, including information security policies, are often drafted through a consensus building process with solicitation and feedback from all identified stakeholders. Once approved and published, its effective communication and periodic reviewing and updating ensures that the policy’s stated intent and corresponding expectations are consistent and relevant over time to reflect changes in technology, laws, business practices, and other factors.

Information Security Policy Development

A policy for information security is a formal high-level statement that embodies the institution’s course of action regarding the use and safeguarding of institutional information resources. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security. It also provides institutional leaders with an opportunity to set a clear plan for information security, describe its role in supporting the missions of the institution, and its commitment to comply with relevant laws and regulations. To be effective an information security policy must:

Also, the information security policy should:

A careful balance must be reached to ensure that the policy enhances institutional security by providing enough detail that community members understand their expected role and contribution but not so much detail that the institution is exposed to unnecessary risk.

Some elements to be included in information security policies include the following:

 

Information Security Policy Frameworks

There are a number of frameworks that can be used as a foundation for the subject matter included in an institution's information security policy. These frameworks can be used as the basis of one large, overarching information security policy, or for smaller policies devoted to discrete information security topics. Higher education institutions have found success following either model. The Standards box at the end of this page lists a few popular industry frameworks/standards that may be consulted when drafting information security policies. The 2016 EDUCAUSE Core Data Service found that the following information security frameworks/standards are most popular in higher education:

Choosing the right policy framework is all about what will work best for the institution and its missions. Institutions of higher education should consider the following when selecting a framework for their information security policy:

Top of page

Policy Review and Update Process

Most institutions of higher education will have a documented periodic policy review process in place (e.g., annually) to ensure that ensure that policies are kept up to date and relevant. In some institutions, a policy owner or manager would be the individual who would determine the need for a new policy or the update to an existing policy. In other institutions, the role of policy manager may be played by the Business Owner (e.g., the Chief information Security Officer may be the owner/manager of the information security policy.) We use the term policy manager in this section.

In most instances, the information security policy manager will review and update the policy at the required intervals or when external or internal factors require the review and update of the policy. The following are the most common factors that would prompt a review of the institution's information security policy.

The process to review and update the information security policy should include many of the steps identified in the Getting Started section of this chapter. Many institutions have a “policy on policies,” or a process to follow to implement institution-wide policies from inception to maintenance and review. That document may also list steps to follow in order to properly update an institutional policy. At a minimum, the policy manager must:

  1. Document needed changes
  2. Make changes to a draft version of the policy
  3. Ensure stakeholder review if necessary. For instance, if the policy changes are significant or alter the intent of the original policy, then the policy manager will want to ensure the changes are vetted by impacted subject matter experts and business owners, information security, legal counsel, human resources if applicable, any other applicable steering committee
  4. Publish, communicate, train, and implement according to the institution’s policy management process.

Top of page

Standards, Guidelines, and Procedures

Policies are not the only documents that end users should look to when trying to understand an institution’s information security stance. While policies may state the high-level institutional goals around expected information security behaviors and outcomes, other documents may be used to state a threshold of acceptable behavior, step-by-step processes to follow, or recommended (but not required) actions to take. You may see these other types of documents used in an institution’s information security program to supplement information security policies. The hierarchy for institutional governance documents is typically:

Top of page

Resources

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Top of page

Standards

ISO

NIST

COBIT

PCI DSS

2014 Cybersecurity Framework

HIPAA Security

27002:2013 Information Security Management
Chapter 5: Information Security Policies

800-53: Recommended Security Controls for Federal
Information Systems and Organizations

APO01.03
EDM01.01
EDM01.02

Req 12

ID.GV-1

45 CFR 164.316(a)
45 CFR 164.316(b)

Top of page


Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).