Board of Regents Policy CSCU Information Security Policy
Policy Info
| Policy Number | 5.04 |
|---|---|
| Resolution Reference | N/A |
| Adoption Date | January 22, 2026 |
| Next Review Date | January 22, 2027 |
| Effective Date | January 22, 2026 |
| Policy Owner | Connecticut State Colleges and Universities (CSCU) Chief Information Officers |
| Contact | N/A |
| Applicability | This policy includes all digital and electronic information assets owned by, or operated on behalf of, any CSCU campus or unit. It is applicable to all faculty, students, and staff including permanent, temporary, and auxiliary employees as well as all other stakeholders who make use of the CSCU system network and other systems and facilities. The same standards and obligations apply regardless of where CSCU information resides. CSCU adopts a risk-based approach to the management of information and information system security. Management of information and information system security as outlined in this policy blends applicable elements from NIST 800-53 and NIST 800-171. This policy supersedes BOR Policy 5-04 - IT-004, Information Security Policy. |
| Category | System Organization & Governance |
Policy Purpose
The use of digital technology is integral to the core mission of the Connecticut State Colleges and Universities (CSCU) system, to provide quality, affordable education in transformative learning environments for students to achieve their personal and career goals. Digital technology supports business processes including interaction with students, faculty, staff, businesses, and state and federal agencies.
Digital technology brings privacy and security risks, including threats like malware, phishing, and data breaches. State and federal laws such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA)[1] require digital assets to be protected.
This Security Policy consists of a set of requirements about how CSCU will protect electronic information systems and digital information as required by federal and state law, and consistent with industry best practices. It is loosely derived from the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) methodology and serves the following purposes as a framework for risk mitigation:
- Outlines expectations.
- Assigns responsibilities.
- Measures compliance.
- Defines enforcement.
[1] Any exception to GLBA safeguards requires documented risk acceptance by the campus President (or designee).
Policy Definitions
Accountability: Ensuring that the actions of an entity/individual may be traced uniquely to that entity/individual, who may then be held responsible for that action.
Authentication: Establishing the validity of a claimed entity/verification of the identity of an individual or application.
Availability: Being accessible and usable upon demand by an authorized individual or system.
Campus: For the purposes of information security governance, a campus is an individual institution, location, or regional group within the CSCU system that is administered by a President as chief executive.
Confidentiality: The principle that information is not made available or disclosed to unauthorized individuals, entities, or processes.
CSCU: Collectively, or singularly, any of the following institutions: Central Connecticut State University, Eastern Connecticut State University, Southern Connecticut State University, Western Connecticut State University, Connecticut State Community College, and Charter Oak State College.
Chief Information Officers (CIO): The senior IT leaders for CSCU who serve as the Policy Owner of the Information Security Policy.
Chief Information Security Officers (CISO): The senior security leaders for CSCU who direct the Information Security Program Office (ISPO).
Custodian: Individual or unit in possession of an IT system or asset. They have authority and accountability for all operational aspects such as management and maintenance of systems and oversight and control of access. This is typically an institutional IT organization, but other business units may have operational responsibility for specific systems and data.
Digital assets or data: Anything created and stored digitally. This includes photos, videos, documents, records, or other information that can be accessed and retrieved electronically.
Digital technology: A term for electronic tools, devices, and systems that can store, process, or generate data.
Integrity: The inherent quality of protection that maintains the accuracy of entities of an information and communication system and ensures that the entities are not altered or destroyed in an unauthorized manner.
Information Security Program Office (ISPO): The system-level office that supports CSCU’s information security program and coordinates activities across campuses.
IT: Information technology.
Asset or IT Asset: Any software, hardware, data, administrative, physical, communications, or personnel resource within an information system.
IT system: A discrete set of electronic and digital information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Identification and authentication: Functions to establish and verify the validity of the claimed identity of a user.
Local IT Security: Security staff or IT personnel at each CSCU institution who apply systemwide security standards locally and respond to incidents on their campus.
Monitoring: Performance measurement to ensure the confidentiality, availability and integrity of operational systems and information.
Owner: The fiduciary for an IT system or asset. Typically, this is either CSCU as a whole or one of its constituent institutions.
Password: Confidential authentication information composed of a string of characters.
Steward: An individual or unit with authority over an IT system or asset. They are accountable for data governance, information fidelity, and management of access approval. Stewards typically represent key institutional functions such as Provost, Registrar, or Controller.
Policy Text
Roles and Responsibilities
Operational responsibilities reside with the entity that operates and funds the controls.
- CSCU Chief Information Officer (CIO)
The CSCU CIO serves as the primary Policy Owner for the CSCU Information Security Policy. In this role, the CSCU CIO owns and maintains the policy document, ensures systemwide governance and alignment with CSCU’s mission, provides the resources necessary to support the CSCU information security program, and offers executive sponsorship at the system level.
- CSCU Information Security Officer (CISO)
The CSCU CISO leads the Information Security Program Office (ISPO). This role is responsible for developing and maintaining CSCU’s information security program, coordinating responses to security incidents across the system, and providing regular updates to the CSCU CIO on CSCU’s information security risks, incidents, and program effectiveness. The CISO is designated by the Chancellor as the Qualified Individual for the System Office under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. The CSCU CISO serves as the system GLBA liaison, promulgates system-wide standards and guidance, facilitates coordination and information-sharing, and consolidates system-level reporting to the Chancellor and BOR.
- Information Security Program Office (ISPO)
The ISPO, led by the CSCU Information Security Officer (CISO), develops and maintains CSCU’s information security program. The office creates system-level policies, standards, processes, and guidelines; supports local campus security teams; and coordinates systemwide activities such as training, incident response, and compliance reviews.
- Local IT Security
Each College or University President shall designate a GLBA Qualified Individual (QI) (e.g., campus CIO or CISO) with authority to directly influence campus procedures and to oversee GLBA program implementation, risk assessments, incident response, service-provider oversight, training, and continuous improvement. Local IT Security consists of the designated staff or IT personnel at each CSCU institution who implement CSCU information security standards and policies locally. Local teams may develop campus-specific procedures or programs to meet their operational needs, provided they remain compliant with CSCU systemwide requirements. They also serve as the first point of response for incidents, escalating to the ISPO as required and consistent with applicable laws and contracts. Further, the campus QI shall report at least annually to the College or University President (or designee) with a copy to the CSCU CISO, covering program status, risk posture, incidents, testing/assessments, and remediation progress.
Information System Security
1. Individual accountability
- All faculty, staff, students, guests, and contracted third party vendors who use, access, or perform any activity or function on or manage any part of the IT systems are responsible and accountable for following appropriate recommended procedures and for taking all practical steps to safeguard the information handled by that system and any sensitive assets involved. All IT systems that contain protected information shall provide means, typically by preserving appropriate records, by which individual users can be uniquely identified and held accountable for their actions.
- All users of the IT systems are responsible, within the span of their control, for reasonably ensuring that no actions are taken which could unduly degrade or compromise the confidentiality, accuracy, completeness, dependability, or responsiveness of the programs, services, and information handled by the system.
- Individuals accessing an IT system or computer shall report any observed or suspected security weaknesses in, or threats to, systems or services to the custodian of the IT system or computer, or to the associated steward.
2. Controlled access
- An individual shall be granted access to only the level of information and assets for which appropriate access authorization(s) and the need to know have been established and approved.
- An individual shall be granted access to only those IT system resources necessary to perform the assigned functions and only when such access will not lead to a breach of this or any other security principles.
- Appropriate segregation of duties on IT systems, specifically allocated and defined in writing, shall apply.
- Controlled access shall be achieved via physical, procedural, and technical means. Unique identification of an individual to a system containing protected data must be provided. An explicit authorization mechanism shall determine access and privileges, grant such access and privileges, and record, control, and monitor them.
- Strong authentication, including multi-factor authentication where appropriate, shall be required for access to CSCU IT systems that handle sensitive or regulated information.
3. Levels of protection
- The protection applied to IT systems shall be commensurate with the sensitivity levels of the information and assets involved and shall take into consideration the identified threats to and vulnerabilities of the system.
- CSCU information shall be classified based on sensitivity, and handling requirements shall be defined and applied to ensure appropriate protection.[2]
- Risks or threats to IT systems shall be identified, analyzed, evaluated, and quantified in terms of the probability of them occurring and the potential impact of such an event.
- A documented security plan should exist to manage risk and respond to incidents, which should be reviewed annually and revised as needed.
4. System access control and passwords
- Access to IT systems and individual computers shall be controlled by means of an approved set of standards and processes which identify the authorized individual and verify their identity.
- The access control process shall generate an audit trail of authorized and unauthorized efforts to access computer systems. Unauthorized access efforts shall be treated as attempted security breaches. These shall be dealt with according to the persistence of activity and the associated risk that access would represent.
- Passwords shall be individual and exclusive where possible and shall not be disclosed except in exceptional cases, with authorization and documentation.
- Where individual passwords cannot be accommodated, such as but not limited to lab equipment and building systems, other mitigating controls should be applied such as limiting to a defined and documented set of individuals or maintaining a logbook. Unauthorized disclosure of passwords is a violation of security.
5. Fixed and portable devices
- IT systems that hold protected data shall be in a physically restricted environment where access control measures have been instituted and are applied consistently.
- Unattended equipment shall have appropriate physical and system security protection.
- Individually assigned computers or those in uncontrolled spaces shall lock after a practical period of inactivity.
- Portable computers shall utilize disk encryption technology where possible to protect data in the event of loss or theft.
- Patching levels for the operating system and installed software shall be up to date or lag by only a brief prescribed period. Patching standards shall be documented. Exceptions shall have business justification and the risk mitigated by alternate compensating controls.
- Endpoint protection tools such as virus scanning and other capabilities as provided by the operating system, or third-party alternatives delivering comparable functionality, shall be installed and enabled.
- Access to IT systems on which sensitive or protected data is processed or stored shall be controlled and limited by means of a defined approval process and using approved software.
6. Disaster Recovery and/or Business Continuity plan
- An approved disaster recovery plan and procedures should exist to minimize the operational impact of substantive adverse events on the IT systems, facilitate business continuity, and enhance restoration of services.
- Disaster recovery plans should be tested annually to ensure efficacy and allow for updates to reflect any operating environment changes or to incorporate improvements.
- Critical IT systems and CSCU information shall have documented backup and recovery strategies to ensure availability within timeframes appropriate to their classification.
7. Security Education
- Individuals who have access to IT systems should receive a program of effective and appropriate security education to foster their security awareness of risks and the approved principles of appropriate use. Instruction should be appropriate to the level of access and the sensitivity of associated data.
8. Physical Security
- Areas where IT systems holding protected data are located, or office areas where sensitive information is dealt with, shall be protected in such a way that unauthorized access is prevented. Access control systems and procedures where possible should regulate and monitor movement in these areas.
9. Utilization of private computers
- When personally owned devices are used, they must be properly maintained and kept up to date. They may only be used to access public information or information associated with that individual that is not sensitive or protected. Personally owned devices shall not be used to access sensitive or protected information or to perform privileged or administrative functions. Any access beyond this must follow CSCU’s documented exception approval process and be formally approved and recorded.
10. Communications
- Communications containing protected information or between IT systems that hold protected information and that traverse networks that are not physically controlled shall be encrypted where possible.
- Electronic mail shall not be utilized to transmit sensitive or protected information unless either the information or the email or both are fully encrypted.
11. Security Controls
- If any computer or other device poses a specific risk to the network, other devices, or service delivery, it is subject to being disconnected from the network or otherwise isolated until the risk has been mitigated, resolved, or formally accepted.
- Contractors and third parties with access to CSCU systems or data must meet CSCU security requirements and contractually agree to protect CSCU information.
- Use of cloud services must comply with CSCU security requirements, including access controls, logging, and protection of regulated data.
- External network connections to the internal network may only be used for the purpose(s) for which they were authorized and intended. All services being accessed from external or non-secure networks shall use secure protocols.
- Public Wi-Fi or open network ports in uncontrolled spaces should, by default, be treated like external connections. They can be used to access the Internet and publicly available systems (e.g., library systems) but shall not have direct access to internal networks or systems that hold protected data without adequate and documented compensating controls to prevent improper use.
12. Security Breaches
- All employees have the responsibility to report any incident of security breach to their immediate management, their local IT security, and to the CSCU ISPO.
- Breaches of security shall be dealt with using the highest degree of confidentiality to protect the individual(s) concerned.
- CSCU shall maintain a systemwide incident response plan so that security problems are found quickly, contained, investigated, and reported in a consistent way across all campuses.
- All system-owned assets must fall under the purview of a defined incident response plan which includes preparation, detection, analysis, containment, and recovery.
- Incident response plans shall be updated as part of any post-incident review.
- Incident response plans that have not been exercised within a year as part of an actual incident should be evaluated and updated based on a tabletop exercise.
13. Metrics and Continuous Improvement
- The effectiveness of CSCU’s information security program shall be measured and reported to leadership on a regular basis to support continuous improvement.
Enforcement
Failure to follow the specific standards and guidance delineated in this policy exposes individual and institutional systems and data to destruction or loss. Data breaches have statutory notification obligations that can cause reputational damage. Liability can result in financial penalties.
Any CSCU institution violating this policy and supplemental CSCU Information Security Standards, Processes, and Procedures may be accountable for remediation costs associated with a resulting information security incident or other regulatory non-compliance penalties, including financial penalties or legal fees.
Faculty, staff, or students who violate this policy and supplemental CSCU Information Security Standards, Processes, and Procedures may be subject to disciplinary action commensurate with HR or other appropriate administrative policies.
Exceptions to this policy must be documented, approved by the appropriate authority, and include compensating controls and an expiration date.
[2] GLBA safeguards and classification requirements apply to all covered data regardless of format (electronic and physical). Where other BOR policies govern physical records, they must be harmonized to eliminate conflicting authorities.
Related Resources
- IT Policy - Acceptable Use IT-001
- IT Policy - Electronic Communication IT-002
- NIST 800-53 Rev. 5.11, Security and Privacy Controls for Federal Information Systems and Organizations, November 2023.
- NIST 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, May 2024.
- FIPS-199, Standards for Security Categorization of Federal Information and Information Systems, Feb 2004.
- The Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Family Educational Rights and Privacy Act (FERPA)
- Connecticut Statute § 36a-701b: Data Breach Notification Statute
- Connecticut General Records Retention Schedules for State Agencies
- The Connecticut Freedom of Information Act