Information Security Plan
Washington and Lee University's commitment to information technology (IT) security can be seen through its Information Security Program (ISP), Confidentiality Policy, eCommerce Policy and Practices, and the Computing Resources, Network and E-mail Use Policy.
Mission and Objective
The mission of the Office of Information Technology Services (ITS) Information Security Plan is to support the academic mission and culture of Washington and Lee University by striving to ensure the availability, confidentiality, and integrity of the university's information technology assets in accordance with the University's Information Security Program and Confidentiality Policy and other applicable standards and procedures. ITS has defined the role of Chief Information Security Officer (CISO) to help coordinate IT security efforts. This plan has the following main components: risk management; incident response; awareness; policy; and compliance/tools.
This plan applies to any use of the University's computing or network resources as defined in the Computing Resources, Network and E-mail Use Policy, and the University's Confidentiality Policy. Additional standards and procedures may govern specific data or computer systems or networks provided or operated by Third-party service providers.
Definitions, Roles and Responsibilities
Confidential Information is defined by the University's Confidentiality Policy as "...any personally-identifiable student and parent records, financial records (including social security and credit card numbers), and health records; contracts; research data; alumni and donor records; personnel records other than an individual's own personnel records; University financial data; computer passwords, University proprietary information/data; and any other information for which access, use, or disclosure is not authorized by: 1) federal, state, or local law; or 2) University policy or operations."
Similarly defined as "non-public personal information" and "covered data" by the Financial Information Security, "...W&L chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the University..."
Data Trustee: Data trustees are the senior university officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data-resource management for the good of the entire university. These are the Provost/VP-level officials.
Data Steward: Data stewards are university officials having direct operational-level responsibility for information management - usually department heads or directors. Data stewards are responsible for data access and policy implementation issues. Examples of these are the University Registrar, Executive Director of Human Resources, Controller, etc. Please note: these are listed as data "custodians" in the University's Student Education Records Policy as it refers to the Family Educational Rights and Privacy Act of 1974 (commonly referred to as the "Buckley Amendment" or "FERPA"), but insofar as many electronic records are concerned, they are stewards and the IT/ITS personnel are custodians (see below) by this plan.
Data Custodian: The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes; granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards); and implementing and administering controls over the information. In many cases, ITS is the data custodian but not always. If the data custodian is a third-party service provider, extra steps are required to ensure the secure transmission, storage, and handling of the university's confidential information or covered data.
Data User: Data users are individuals who need and use university data as part of their assigned duties or in fulfillment of assigned roles or functions within the university community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.
Chief Information Security Officer (CISO): The CISO helps coordinate security efforts and assists with the dissemination of policies, procedures and guidelines to the university community; helps raise information security awareness through education and training; helps develop risk management plans and incident response procedures; analyzes security incidents; and develops a set of tools to assist investigation and compliance.
Information Security Program (ISP) and ISP Committee: The ISP and the ISP Committee were organized at the direction of the Provost in 2003 to comply with the Gramm-Leach-Bliley Act (GLBA) and to implement the "Safeguards Rule" issued by the Federal Trade Commission. The ISP Committee is chaired by the ISP Coordinator and the Committee has responsibility, in advising the Provost, for the ISP. The original program scope was intentionally broader than necessary for simple legal compliance, and requires all departments to have written procedures documenting the safeguards used to protect the University's information assets.
Risk management is an ongoing process of mitigating risks to the University based on risk assessments. The ISP Financial Information Security (Elements 2 and 3) specifies the identification and assessment of risks and the design, implementation and monitoring of safeguards to those risks. Risk assessments involve continuously evaluating threats, vulnerabilities, and impacts to information assets, while risk management is designing, implementing, and monitoring safeguards as are necessary to protect University IT assets.
Risk Assessment Procedures
Data Custodians are responsible for performing the following steps to assess the risks to university data under their operations. Please review the Risk Assessment Guidelines before proceeding.
Step 1: Identify servers/systems, applications, databases, computer shares, or other locations with university data.
The identification of university data may involve, but is not limited to, formal surveys, new application/server requests, word of mouth, and software-based scans for certain confidential information or covered data (i.e., SSNs, credit card numbers).
Additionally, the ISP Committee has developed a web-based survey that the Office of General Counsel (OGC) circulates on a schedule to all data stewards/trustees to help identify where and how data is used and stored. Information from that survey can also be used to help identify network locations with university data that need to be protected.
Third-party service providers: If confidential information or covered data are being handled or processed by a third-party service provider as data custodian, the contract(s) must be reviewed by the OGC. The contracts must carry provisions that ensure the proper handling of the confidential information or covered data. Additionally, the vendor must provide a written statement of the risks and safeguards in place to the CISO.
Step 2: Classify the data identified during Step 1.
Consult the definitions of confidential information or covered data, to help determine the data classification, as well as the Risk Assessment Guidelines.
Step 3: Identify safeguards or planned safeguards (see ITS Security Safeguards for IT Resources).
Data custodians in conjunction with data stewards/trustees need to document all existing safeguards or planned safeguards to help protect the University's assets from identified threats and vulnerabilities. The Office of ITS has compiled a non-exclusive list of possible safeguards (see ITS Security Safeguards for IT Resources) to assist with determining the proper data handling guidelines for compliance.
If confidential information is not necessary and or essential for the system function, eliminate it to reduce the risk.
Step 4: Develop a Risk Management Plan for how identified risks will be managed.
Since all risk cannot be eliminated, a Risk Management Plan can now be developed, and the process of mitigating the threats that can exploit vulnerabilities can begin.
A Risk Management Plan must be a written plan (see Element 3 Financial Information Security) that will include at least the administrative, technical, and physical safeguards being used or needed to adequately protect the confidential information of the university. The Risk Management Plan will be provided to the CISO, Chief Technology Officer (CTO), and the Coordinator of the ISP Committee and other departmental administrators, to allow the prioritization of assets (e.g., staffing, funding, etc.). If the data custodian is not ITS, the data custodian (i.e., third-party service provider) will be responsible for providing the CISO a written Risk Assessment and Risk Management plan, which must include at least the minimum information above.
Review and return to Step 1 annually or semi-annually or when there is a system or procedural change.
Incident Response Procedures
An IT security incident, for the purposes of this ITS Security Plan, is defined as any event that impacts or has the potential to impact the confidentiality, integrity or availability of W&L IT resources. There are four phases to the Incident Response Process: Discover, Investigation, Response and Closure.
In order to coordinate response to and resolution of IT security incidents, the Office of ITS has established an Incident Response Team (IRT). The ITS IRT is led by the CISO and includes the following (or their designee):
- Chief Information Security Officer
- Director of Enterprise Systems and Integration Services
- Director Client Services
- Director Network Infrastructure Services
- Director Core Services
- Data Custodian (as needed if not ITS)1. Discovery - occurs when an incident is reported.
1. Discovery - occurs when an incident is reported.
ITS will begin the discovery with in-house personnel, but ITS maintains Rapid7 on an "incident response retainer" for when expertise is needed that exceeds in-house abilities. If the discovery efforts reveal covered data are at risk, using the scale below determines if ITS will invoke Beazley Breach Response Services (BBR) (at additional retainer expenses):
Reasonable Belief Scale:
Level 1 - Confirmed that confidential or covered data were not compromised
Level 2 - Reasonable belief that confidential or covered data were not compromised
Level 3 - No data available to determine if confidential or covered data were compromised
Level 4 - Reasonable belief that confidential or covered data were compromised
Level 5 - Confirmed that confidential or covered data were compromised.
At the first indication that covered data may be at risk, the CISO or CTO will contact the Office of General Counsel seeking legal advice to establish attorney-client privilege. All incident reports and correspondence should be made to counsel's attention and include markings indicating attorney-client privilege.
If no covered data are believed to be at risk, then the next phases may proceed without 3rd party involvement.
2. Investigation - occurs after Discovery to determine extent of a data breach.
If the Discovery phase reasonable belief scale rating is 4 or 5, ITS will engage Beazley Breach Response Services, for additional retainer fees that also include legal advice. The BBR tech team will perform in depth forensics to confirm the breach is contained and determine steps to help prevent similar incidents in the future. The BBR services will provide legal advice to the Office of General Counsel, and help guide reporting obligations and strategies and whether law enforcement should be involved. The investigation should result in a report with findings and recommendations to assist the university in Phase 3 (Response).
Reminder: all incident reports and correspondence should be made to counsel's attention and include markings indicating attorney-client privilege.
If the Discovery phase reveals no covered data are at risk, the Investigation phase may involve Rapid7 Incident Response, but not BBR.
3. Response - occurs when the University takes further action to protect the University IT resource, and or individuals if personally identifiable information (PII) or protected health information (PHI) is at risk or has been compromised.
The Beazley Breach Response Services covers both information technology and legal services, and will help coordinate the University's Response efforts. Based on the Phase 2 recommendations, this will include notifications (i.e., legal, contractual, individual, etc.) and credit monitoring/identity theft protection services.
4. Closure - occurs after Response phase with a review of incident and actions taken.
After an incident, the CISO and IRT will review the response, actions taken, and effectiveness of the overall incident response. The review may include the following:
- Could additional/modified policy have prevented the incident?
- Was a procedure or policy not followed which allowed the incident? Then what could be changed to be sure the procedure or policy is followed in the future?
- Have changes been made to prevent a new and similar situation?
- Was the incident response appropriate? How could it be improved?
- Was every appropriate party informed in a timely manner?
- Were the incident response procedures detailed and cover the entire situation? How can they be improved?
- Have changes been made to prevent a recurrence? Are all systems patched, systems locked down, passwords changed, anti-virus updated, etc.?
- Should any security policies be updated?
- What lessons have been learned from this experience?
Increasing information security awareness at W&L can be accomplished through a security awareness training program that encompasses communication, policies and procedures, risk avoidance, best practices and incident response procedures.
This will include a combination of several existing tools ITS already has, supplemented by tools that need to be developed or expanded, including but not limited to:
- Signing or other attestation of the Confidentiality Policy
- Best-Practices web pages
- Annual or semi-annual assessment and refresher training.
Confidentiality Policy - All new employees are required to sign or attest that they have read and understand the Confidentiality Policy. This will be renewed/reviewed at least annually.
Training - The CISO will be using a variety of methods to develop, publish, and track information security awareness courses and policies for all employees, as well as specific courses for those employees handling confidential data. These assessments will be conducted at least annually.
Web pages - The CISO, with the help of the ISP Committee, will develop and publish web pages with best practices, as well as guidance on information security requirements. As new threats and vulnerabilities evolve, the web pages will be updated.
Incident Response - During and after incident response the CISO will discuss information security in person with the affected offices and report in summary to the ISP Committee.
The ISP mission has its foundation in the policies of the university that drive the security standards and requirements. An initial list of existing policies includes:
- Computing Resources, Network and E-mail Use Policy
- Confidentiality Policy
- Copyright Policy
- DMCA Policy
- eCommerce Policy
- Financial Information Security
The review conducted of each incident response will involve the assessment of current policies or the need for additional policies.
A successful information security program will have a variety of tools to protect assets, enforce policy compliance, and to proactively identify weaknesses. At W&L this includes, but is not limited, to the following:
Antivirus - W&L ITS licenses antivirus clients for Windows and Mac computers for all faculty, staff and students.
Local Firewalls - Most operating systems now include a local firewall - e.g., Windows 7, 8, and 10 Firewall and Mac OS Xx Firewall.
Spam Filter/Email virus Scanning - W&L currently outsources spam filtering and email antivirus filtering to Microsoft Office 365 Exchange Online Protection.
Network Scanning - The CISO and affiliates will, at least semi-annually, conduct proactive network scanning, system probing, or penetration testing of systems on the W&L network to identify vulnerabilities. The results of scans will be communicated to the Data Custodian(s) for remediation under the Incident Response portion of this plan.
Currently, ITS is using QualysGuard Enterprise Suite for vulnerability assessments, which includes a network scanner appliance on the W&L network in addition to off-premise scanners. This scanner will be used to proactively identify risks and vulnerabilities in servers, applications, and hardware on the W&L network.
Virtual Private Network (VPN) - Using W&L's SSL VPN client, faculty, staff, and students can securely access on-campus resources from off campus.
Incident Response/Forensics - During an incident there will be a need for tools that ITS does not currently have including a "WriteBlocker" tool. This tool will be used to prohibit writing to media which could contaminate any forensic evidence.
Key to Abbreviations
CTO - Chief Technology Officer
FERPA - Family Educational Rights and Privacy Act of 1974 (also known as the "Buckley Amendment")
GLBA - Gramm-Leach-Bliley Act
IRT - Incident Response Team
CISO - Chief Information Security Officer
ISP - Information Security Program
IT - information technology
ITS - Information Technology Services
NAC - Network Access Controls
OGC - Office of General Counsel
SSN - social security number
SAV - Symantec Antivirus
VPN - Virtual Private Network
- Confidentiality Policy
- Acceptable Use Policy (Computing Resources, Network and Email Use Policy)
- Copyright Policy
- eCommerce Policy
- Financial Information Security