Information Security Policy
| Policy Approval Authority | President |
| Responsible Division | Division of Information Technology |
| Responsible Officer(s) | Chief Information Security Officer; Associate Vice President and University Privacy Officer |
| Contact Person | Fred Williams, email@example.com |
| Effective Adoption Date | 09-25-2019 |
| Last Review Date | 09-23-2020 |
| Policy Categories | Ethics & Conduct; Finance / Risk Management; Research Ethics / Intellectual Property |
This policy statement establishes the requirements necessary to prevent or minimize accidental or intentional unauthorized access or damage to Northern Illinois University (NIU) information resources. This policy balances the responsibility for information security with the need to foster an open and information-sharing atmosphere among members of the academic community.
This policy applies to all university students, faculty and staff, affiliates, third-party support contractors, and all others granted access to NIU information resources. All users of information resources bear responsibility for the protection of those assets. Based on system and information classification categories defined in this policy, some categories of users have a greater burden of responsibility and accountability than others.
This policy pertains to all university information resources, whether the resources are individually or departmentally controlled, enterprise managed, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated or contracted by the University, networking devices, personal digital assistants, telephones, wireless devices, workstations, mainframes, minicomputers, portable storage devices and any associated peripherals and software, whether used for administrative, research, teaching or other purposes. It applies to personal computers that are used to access, store or maintain university information. This policy also pertains to hard-copy documents that are classified under these guidelines.
The purpose of information security is to protect the information resources of the University from unauthorized access or damage. The underlying principles followed to achieve this objective are:
Information Availability, Protection, Back-Up, and Recovery
Institutional information resources, including systems, workstations, and data and record classifications, identified by this policy, shall be operated in a manner that reasonably minimizes the threat of internal or external compromises to the security, confidentiality or integrity of University information. Information custodians and users are expected to safeguard such information in compliance with legal obligations and administrative policies and procedures, including confidentiality and non-disclosure agreements. They should have plans in place to restore such information to assure the continuation of the necessary business operations of the University, in the event of a compromise to institutional information resources.
Support of Academic Pursuits and Business/Administrative Functions
The information resources of the University, including the network, the hardware, the software, the facilities, the infrastructure, hard-copy documents and any other such resources, must be available to support the teaching, learning, research and administrative roles for which they are created. The requirement to safeguard information resources should balance the need to meet regulatory guidelines, legal requirements, and audit criteria with the support of these critical university functions.
Information stewards should employ appropriate authentication and verification measures so that the information, used in the pursuit of teaching, learning, research, and administration, can be trusted to be accurate. Moreover, data should not be corrupted or altered in such a way that would misrepresent or hinder auditability.
Access to Information, Information Confidentiality, and Disclosure
The value of information as an institutional resource increases through its widespread and appropriate use; its value diminishes through misuse, misinterpretation, or unnecessary restrictions on its access. The ability to access or modify information shall be provided as needed to users for authorized purposes, based on a minimal access model. Users requesting access to university information resources, or collecting such information, shall be required to limit the scope of those requests or collections to only the information necessary for their legitimate use. Users must not disclose Restricted Data to unauthorized individuals or entities without a legitimate educational or business reason for access to the information. State and federal law and regulations and university policies provide standards for the distribution of various forms of information contained in university records. Except as approved by source information stewards, in accordance with such standards, subsequent distribution of information is not authorized.
The use of Restricted Data for identification, authentication, or any other purpose should be eliminated whenever possible. Historical records containing Restricted Data shall be appropriately maintained and destroyed in accordance with legal and regulatory standards, and the principles set forth in this policy and the Data Classification Guidelines and Procedures.
All University information, including electronic and hard-copy records, is assigned to stewards, who classify it by the level of sensitivity and risk. These classifications take into account the legal protections (by statute or regulation), contractual agreements, ethical considerations and proprietary worth. Information can also be classified as a result of the application of “prudent stewardship,” where a legal mandate to protect such information is lacking, but reasonable discretion may be required in its disclosure, as in the Private Data classification described below.
The classification level assigned to information guides information stewards, end users, business and technical project teams, and others who may obtain or store information, in the security protections and access authorization mechanisms appropriate for that information.
Information classifications are discussed at length in the Data Classification Guidelines and Procedures. In summary:
- Restricted Data is the most confidential information and therefore requires the highest level of protection. Restricted Data includes information that the university is required to protect under rule, law, regulation and statutory provisions.
- Private Data is university-maintained information that requires moderate to high levels of protection, even though that protection is not mandated by state or federal law.
- Public Data is information which is published or can be made available for public access. Low to moderate levels of protection should still be applied to this classification of information, since there are risks associated with the maintenance and distribution of this information, such as the unauthorized modification of publicly posted information.
Relationship to Personal Information Security
Data that contains personally identifiable information (PII) requires a higher level of security for its protection. As information is de-identified and contains less PII, less rigorous measures may be applied.
Relationship to Other Information Assets
When the appropriate level of protection is determined, that same level of protection shall be applied to all other related information in whatever format, wherever retained (e.g., servers, network segments, desktop computers, mobile devices and storage devices such as jump drives, CD or DVD, and physical storage units such as rooms/spaces, desk drawers and file cabinets).
The retention and destruction of information and records are governed by federal and state legal standards, such as the Illinois State Records Act.
Information Security Incidents and Data Breaches
All potential information security incidents or data breaches are fully investigated. As required by law, in the event of a data breach NIU shall notify all identifiable individuals whose personal information is affected, whether the source is NIU computer system data or written material. NIU shall use an investigative process to help mitigate and remediate any ongoing or future information security or data breach vulnerabilities. All users under the scope of this policy who are aware of any attempted or actual breach are required to report the incident to the Division of Information Technology (DoIT) at 815-753-8100 for investigation and potential breach notification.
All information security incident or data breach response actions shall follow the approved process and procedures outlined in the Division of Information Technology’s Investigation and Information Incident Response Guide (“Guide”) copies of which may be requested from the CIO.
The President of the University, or designee, shall be empowered to declare a data breach. As designated by the President of the University, the Chief Information Officer (CIO) has primary executive oversight of Information Incidents and Data Breaches. In conjunction with the Chief Information Security Officer (CISO) and University Privacy Officer, the CIO shall name a responsible party to manage the response to any incident and provide full details regarding the investigative process including all actions leading to the detection, mitigation, and remediation of information and data incidents. The CIO, or designee, shall provide timely briefings and a final after-action report to the President regarding any information incident or data breach.
Within the framework of these actions, the responsibilities of those in key positions, as well as other members of the campus community, are as follows:
- Chief Information Security Officer - Responsible for oversight, consultation about, and interpretation of this and other related information security policies, and for disseminating related information.
- University Privacy Officer - Responsible for assisting in the development of policies and procedures and for providing the interpretation of those policies and procedures governing Private or Restricted Information that the university is required to protect under legal or regulatory provisions.
- University Controller - Responsible for administering the procedural implementation of the Illinois State Records Act.
- System and Information Stewards – Responsible for the application of this and related policies to the systems, data, paper records, and other information resources under their care or control.
- System Administrators - Responsible for the application of this and related policies to the systems and information resources in their care. System Administrators shall comply with any information security procedures and shall coordinate such compliance with the DoIT Security Office. Systems that store Restricted or Sensitive Information, including departmentally and individually supported server-based applications, if not centrally managed and maintained by DoIT, should be managed by department System Administrators in coordination with DoIT.
- System Developers and Information Integrators - Responsible for the application of this and related policies to the systems, data, and other information resources in their care and shall coordinate with the Information Security Office to ensure that all aspects of the development process are in compliance with the NIU Information Security Procedures.
- Users - Responsible for the application of this and related policies to the systems, data, paper records and other information resources in their care, including both electronic and hard-copy. In addition, users who download or store Private or Restricted Information to User-managed university workstations or to personal computers or other workstations should be aware of the security risks and responsibilities associated with such activities and follow applicable information security procedures.
- Third-party Vendors and Consultants – Employees involved with outsourcing shall mandate that third-party vendors and consultants implement appropriate information protection and security measures as a condition of receipt or use of university information. When receiving and using university information, third-party vendors and consultants are expected to follow the guiding principles of this policy and (1) provide for the security of information during transmission, (2) safeguard information while in their possession and control, and (3) properly dispose of or return the information to the University at the completion of, and in compliance with, the contractual arrangement. In the event that a third-party vendor or consultant discovers any breach of the security of university information in its possession and control, the third-party vendor or consultant shall notify the university immediately upon discovery when the information was, or is reasonably believed to have been, acquired by an unauthorized person.
Cybersecurity Insurance and Divisional Areas of Responsibility
The Division of Information Technology (DoIT) shall maintain cybersecurity insurance on behalf of the institution, develop and maintain a group of security points of contact (SPOC) for each identified IT support team at NIU, provide professional development opportunities for SPOCs, and develop a regular campaign of security awareness messaging for all NIU faculty, students, and staff. DoIT will, upon request, facilitate an After Action Review to look for continuous improvement activities.
The Division leader within whose area of responsibility (AOR) the breach occurs is accountable for ensuring that recommended actions are implemented and that suitable continuous improvement activities are performed as indicated by an After Action Review of the breach. In the event email or paper-based notifications are required, the AOR Division lead may be a signatory on the notices. The AOR Division leader is responsible for covering all costs related to the breach that are not covered by cyberinsurance.
Classification of Systems
University systems, both hardware and software, are classified by scope and level of support and by the impact on university operations. The classification of systems takes into account legal protections (by statute or regulation), contractual agreements, ethical considerations, and strategic or proprietary worth of information maintained in such systems. The classification level assigned to systems will guide system and data stewards, and business and technical project teams in the security protections and access authorization mechanisms appropriate for those systems. Such categorization provides the basis for planning, allocation of resources, support, and security/ access controls appropriate for those systems.
The system classifications are as follows:
- Enterprise Systems - Systems with a university-wide presence whose data are accessed across various departments or academic units. These systems are considered business-essential and require a high degree of availability.
- Department Critical Systems - Systems with a localized departmental presence, essential for conducting business processes or delivery of academic content.
- Department Servers - Servers that provide an academic and/or administrative function that may house Private or Restricted Information.
All systems hosting server services must be registered with the Division of Information Technology.
Workstations and Other Access Devices
Users who access university systems and data via their workstations or other devices are responsible for exercising proper accountability and stewardship in protecting the confidential, sensitive, private, personal or institutional information they access or use in the conduct of their job responsibilities.
In order to protect university data from inappropriate disclosure, all workstations or devices that store Restricted Data must encrypt the data in compliance with NIU data encryption guidelines.
User access to university systems and information resources will be governed by the type of workstation or device used as follows:
- Managed Workstations and Devices - Workstations and devices that access enterprise or business critical systems or access Restricted Information shall adhere to configuration standards and maintenance procedures established and published by the Division of Information Technology. Failure to meet these requirements will be grounds for denial of system or university network access.
- Non-Managed Workstations and Devices - Non-Managed workstations and devices may include, but are not limited to, faculty and staff workstations, personal computers and mobile devices. Personally-owned devices must comply with NIU’s Bring Your Own Device (BYOD) Policy.
Information Storage and Disposition
Information and records, whether maintained in electronic files or on paper, must be stored and disposed of securely, in accordance with the State Records Act and the Electronic Commerce Security Act, ref. 5 ILCS 160/17; and P.A. 90-759, sect. 5-135(a)(1).
NOTE: Pursuant to applicable State and/or Federal requirements (e.g., the Federal Rules of Civil Procedure), ALL information and records subject to a litigation hold must be retained, in whatever format and classification they exist, notwithstanding other general policies on retention.
Electronic information:
- Restricted Data - Access to Restricted Data is limited and should be maintained within centrally managed and controlled data centers. To the extent possible, Restricted Data should not be stored in distributed servers, workstations, or mobile devices (laptop/notebook computers, PDAs, external drives, USB drives, floppy disks, CDs, DVDs, etc.). In cases where storing information on these devices cannot be avoided, it must be encrypted using a process documented and approved by the information steward and the Division of Information Technology.
- Private Data - Departments with custody of Private Data may follow the policy for Restricted Data or practices of prudent care, depending on the requirements of the information steward(s).
- Public Data - This information should be protected from unauthorized alteration only.
Hard-copy documents:
- Restricted Data - Documents must be stored in locked spaces with authorized access and shredded or otherwise disposed of according to state law when no longer needed.
- Private Data - Departments with custody of documents may follow the policy for Restricted Data or practices of prudent care, depending on the requirements of the information steward(s).
- Public Data - Documents should be recycled when no longer needed.
Violations of this policy include, but are not limited to: accessing information to which the individual has no authorization or business purpose; enabling unauthorized individuals to access information; disclosing information in a way that violates applicable restricted access or confidentiality procedures, or handling or using information contrary to any other relevant regulations or laws; inappropriately modifying or destroying information or university business records; inadequately protecting Restricted Information or Sensitive Information; or ignoring the explicit requirements of information stewards for the proper management, use and protection of information resources.
In coordination with divisional authorities, violations may result in network removal, access revocation, corrective action, university disciplinary action and/or civil or criminal prosecution, if applicable. Should disciplinary action be implemented, up to and including dismissal, suspension or expulsion, such actions will be taken pursuant to applicable university policies and procedures.
Divisional authorities will be notified in the event that a university office or department is found to have generally violated this policy (beyond actions taken by an individual employee). Corrective actions and possible financial costs associated with an information security incident will be coordinated at the division level.
Third-party vendors and/or consultants found to have breached their respective agreements with the university may be subject to consequences, including but not limited to, the loss of third-party vendor/consultant access to university information technology resources, removal of the vendor/consultant from university facilities, termination/cancellation of the agreement, payment of damages, and criminal or civil charges based on the nature of the violation.
The university is sometimes required to transmit information through state or federal forms and formats. When using such forms and formats, university employees should transmit such information following university policy and utilize appropriate safeguarding and security measures in the transmission of that information. It is important to work with state and federal officials in striving to meet industry best practices in the transmission of information.
In some instances, the University is mandated to disclose, or authorized to release information that would normally be protected under this policy. Examples include, but are not limited to, disclosures pursuant to state or federal reporting requirements, legal process (such as subpoenas, court orders, warrants, etc.), disclosures pursuant to the Illinois Freedom of Information Act (FOIA), and certain authorized releases of information about particular individuals (students, employees or customers).
Any employee or affiliate of the University who is served with a legal document (for example, a subpoena, summons, court order, warrant, etc.) that refers to University records or data shall notify University Legal Services immediately and prior to the release of any requested information. University Legal Services will review the legal document to determine the validity and enforceability of the document, and to provide guidance and assistance in properly responding.
Legal documents that are addressed to a particular person should be accepted only by that person. If an unintended recipient is served with the legal document, it should not be accepted. The process server or deliverer should be referred to the person identified in the document, by name, title or job description, or should be directed to University Legal Services.
All requests for access to or release of records or data under the Illinois Freedom of Information Act (FOIA) should be referred to the Freedom of Information Officer within University Legal Services for appropriate review of the request. FOIA requests must be in writing. University Legal Services will coordinate the collection of information that is properly responsive to the request, especially when information from multiple university offices is requested.
Requests from External Entities and Persons, including Law Enforcement and Attorneys
The University receives numerous requests for information and records maintained by the University from persons and entities that are external to the University. The release of information about a particular person may require authorization by that person. Publicly available information about individuals and other types of information that can be released are available at the University’s web pages: www.niu.edu. University Legal Services and Media and Public Relations are available to assist with evaluating the validity and scope of any authorization provided for the release of information, as well as providing guidance for appropriately responding to information requests pursuant to an authorization.
External law enforcement agencies sometimes request information. Before responding to these requests, University Legal Services and the Department of Public Safety should be contacted to determine the authenticity of the request and the requestor. In addition, any request for information from an attorney, whether by legal process or not, should be immediately referred to University Legal Services.
All other requests for information from outside entities or persons should be evaluated on a case-by-case basis. University Legal Services and Media and Public Relations are available for assistance in this area. For identifying information or data stored in an electronic format at NIU, the Division of Information Technology is available for assistance.