Policy: Information Security

Statement of Policy

  • Miami University is a leader in scholarship, research, public service, athletic excellence, and the development of knowledge through inquiry, investigation and collaboration. Information security will continue to play a more and more critical role in the process of education, innovation, and information sharing. This policy allows the University to remain a world leader by ensuring a successful approach to cyber risk management and incident response

Contact

  • Vice President for Information Technology & Chief Information Officer

Reason for Policy

  • Information security is of the utmost importance to Miami University. In an increasingly collaborative world that depends upon shared electronic information, it is essential that the University implement a policy to guide protection and availability. This policy aims: to protect user confidentiality; to maintain the integrity of all data created, received or collected by the University; to meet legal and regulatory requirements; and to ensure timely, efficient and secure access to information technology resources. This policy simplifies the process of cyber risk management and prepares the University for a world in which information security is increasingly critical

Entities Affected by Policy

  • Employees (faculty and staff), employed students, students, contractors, suppliers, affiliates, and other authorized users
  • This policy applies to all University campuses and all other locations

Responsibilities

  • Chief Information Officer (CIO): Provides financial and operational oversight for the delivery of information technology services that meet the requirements of this policy. Provides management oversight for information security planning, implementation, budgeting, staffing, program development and reporting. Sets operational priorities and obtains alignment with executive leadership
  • Chief Information Security Officer (CISO): Assists with the interpretation and application of this policy. Provides management and execution oversight of the information security program through collaborative relationships with the CIO, academic, and administrative officials, using local governance structures and compliance strategies. Reports information security incidents to leadership. Manages the exception process for this policy
  • Unit Head: A generic term for dean, vice president or person in a similarly senior role who has the authority to allocate budget and is responsible for unit performance. In some specific situations, the following senior roles may also be unit heads: department chairs, assistant/associate vice presidents (AVP), principal investigators, directors or senior managers. Unit heads have important responsibilities to ensure effective management of cyber risk of data and IT resources under their purview. Additional responsibilities include: partnering with the Information Security Office; delegating tactical responsibility within their unit; making cybersecurity a priority; allocating time and resources appropriately; and reporting cyber events
  • Unit IT Leaders: Oversees the execution of this policy within the college or division specifically for applications, systems, and data that is outside of IT Services enterprise controls. Identifies and inventories institutional data and IT resources managed by the college or division. Reports information security incidents to the Information Security Office. Reports to the CISO any information security policy or standard that is not fully met by the college or division, or by a service provider managing institutional data or IT resources on behalf of the college or division. Ensures the above responsibilities are included in the overall college or division planning and budgeting process
  • Employees (faculty and staff), employed students, students, affiliates, vendors, and other authorized users: Complies with this policy. All authorized users accessing institutional data are responsible for maintaining security according to our guidelines on any personal devices they use for University business
  • Information Owner and Data Stewards: Assumes overall responsibility for establishing the protection level classification, access to and release of a defined set of institutional data. Establishes and documents rules for use of, access to, approval for use of and removal of access to the institutional data related to their area of responsibility. Approves institutional data transfers and access related to their areas of responsibility
  • Researcher: Identifies and meets confidentiality and data security obligations based on laws, regulations, policies, grants, contracts and binding commitments (such as data use agreements and participant consent agreements) relating to research data. Creates and maintains evidence that demonstrates how security controls were implemented and kept current throughout the project. Develops and follows an information security plan that manages security risk over the course of their project. Ensures that suppliers who store or process institutional data during the project follow Miami University policy for written contracts. Ensures that Supplier agreements include approved terms supporting the information security controls specified in this policy and applicable purchasing requirements
  • Service Provider: An internal organization that offers IT services to the University, a college or a division. Service providers typically assume most of the security responsibility and help users understand their responsibilities with respect to cyber security
  • Supplier: An external, third-party vendor or entity that provides goods or services to the University. The University has specific contract terms that clarify the responsibilities of Suppliers and protect the University

Definitions

  • Institutional data: This consists of University information and data, independent of the location (physical or cloud)
  • IT Resources: A term that broadly describes IT infrastructure, software, or hardware with computing and networking capability. These include, but are not limited to: portable computing devices and systems, mobile phones, printers, network devices, industrial control systems (SCADA, etc.), access control systems, digital video monitoring systems, data storage systems, data processing systems, backup systems, electronic media, logical media, biometric and access tokens and other devices that connect to any University network. This includes both University-owned and personally owned devices while they store institutional information, are connected to University systems, are connected to University networks or used for University business
  • Service Provider: Internal University groups or organizations providing specific IT services to the University, a college or a division
  • Supplier: An external, third-party entity that provides goods or services to the University
  • Unit: A point of accountability and responsibility that results from creating, collecting, managing, or possessing institutional data, or installing and managing IT resources. A unit is typically a defined organization, such as the College of Engineering and Computing, or a division, such as Student Life, or the collection of Regional campuses. A unit can also be defined as an organizational research unit. Because Miami University is decentralized for non-enterprise systems and maintains a shared governance model, this policy provides units with the flexibility and responsibility to manage cyber risk
  • Unit Head: A generic term for dean, vice president or person in a similarly senior role who has the authority to allocate budget and is responsible for unit performance. In some specific situations, the following senior roles may also be unit heads: department chairs, assistant/associate vice presidents (AVP), principal investigators, directors or senior managers

Management Goals and Principles

  • Miami University management is dedicated to the following goals and principles

 

Goals

  • Preserve academic freedom and research collaboration
  • Protect privacy
  • Follow a risk-based approach
  • Maintain confidentiality, protect integrity, and ensure availability

 

Information Security Management Principles

  • Policy goals guide decisions
    • To ensure sound financial and operational decisions, the goals listed above must be used to scope protections and to make risk-based decisions about commensurate protection of institutional information and IT resources
  • IT Services is accountable for implementing information security at the enterprise level
    • The Chief Information Officer is accountable for appropriately protecting enterprise-level institutional data and IT resources, and for managing information security risk under their purview in a manner consistent with this policy
  • Units are accountable for implementing information security at the non-enterprise level
    • College and division heads, also termed Unit heads, are accountable for appropriately protecting institutional data and IT resources, and for managing information security risk under their purview in a manner consistent with this policy
  • Risk level determines decision-making rights
    • To protect the University, information security and cyber risk management decisions must be made at the level of financial, privacy, legal, reputation, brand or other organizational authority that matches the level of risk identified
  • Security is a shared responsibility
    • All employees are responsible for ensuring the protection of institutional information and IT resources. Understanding the risks, threats, costs and incidents associated with securing Institutional information is a shared responsibility
  • Security is embedded in the lifecycle of systems, services and software
    • Information security must be incorporated into the entire lifecycle for any system, service or software. This includes identifying, budgeting for, planning, developing, implementing and maintaining security processes and controls

Policy

Data Classification and Retention

  • The University follows a Confidential Information Policy delineating institutional data or information protected by federal, state, or other regulatory statutes. Each faculty and staff member must assume responsibility for protecting confidential information from unauthorized exposure
  • All access to and use of University confidential information must be for authorized purposes only
  • The Information Security Office further delineates data classification levels which aid in the cyber risk assessment and application of administrative, technical and physical controls to protect the confidentiality, integrity and availability of Institutional data. These levels include restricted (FERPA, HIPAA, PCI-DSS, ITAR, etc.), confidential (intellectual property, personal records, financial, etc.), internal-only (exams, internal memoranda, business plans, etc.), and public (directory, public website, etc.) information. When the classification is higher, more effort goes into protecting the associated assets. These classifications also inform this policy’s risk-based approach to security
  • All electronic and physical records must be retained for the designated retention period and disposed of properly as delineated in the MUPIM Records Retention, Electronic Records, and Signatures policy
  • All University-owned assets must be discarded or disposed of using approved methods included in the Miami University Transfer and Disposal directives

 

A Standards-Based and Risk-Based Approach

  • This policy follows both a standards-based and risk-based approach to information security to ensure the University meets industry, government and regulatory requirements while also properly scoping controls and making appropriate investment decisions. The policy incorporates a subset of controls based on NIST SP 800-171, NIST SP 800-53, ISO 27001 and ISO 27002 that align with and support the University mission of teaching, research and public service. Policy also addresses legal requirements associated with HIPAA, the Payment Card Industry (PCI) and other state and federal regulations and includes requirements needed to qualify for certain grants that are essential to University research funding (NIST 800-171). Additionally, the policy’s risk-based approach guides the allocation of resources by evaluating risk and assessing the cost and benefit of risk management

 

Risk Management and Security Plans

  • The MUPIM Confidential Information Policy, OAC Rule 3339-3-22 Confidential Information Policy, and ORC Chapter 1347 Personal Information Systems require the protection of Miami University confidential information. Each employee, employed student, student, affiliate, vendor, and other authorized user must assume responsibility for protecting confidential information from unauthorized exposure. The Information Security Office (ISO) is charged with delivering an appropriate security plan and written consent before any University office is permitted to collect or maintain social security numbers and other confidential information
  • The ISO follows a risk-based approach and supports University units (colleges, divisions, departments, research projects, etc.) in conducting risk assessments and implementing a security plan for the protection of confidential information. Implementation includes resource allocation to put in place administrative, technical and physical information security control mechanisms. Units are accountable for the implementation of unit-specific (non-enterprise) information security requirements
  • Security plans provide unit findings and recommended security controls following a MU NIST 171 Plus compliance control gap analysis and risk assessment
  • Security plans provide recommended mitigations based on risk assessment findings to reduce risk and improve a Unit’s cybersecurity posture. The IT Services ISO fully recognizes implementation of suggested controls may require substantial resources including personnel (FTE), material costs, and time. Additionally, the Unit assessments may require periodic review and assessment of controls
  • Upon receipt of the security plan, the unit head or officer acknowledges the following responsibilities:
    • The unit is responsible for the risks annotated in the assessment and understands the mitigations documented in the plan
    • Compliance with the MUPIM Confidential Information Policy and with IT Services' policies is expected for all Units, university-owned information, and resources
    • The unit shall implement mitigations as resources and time allow. Until such mitigations are implemented, the Unit acknowledges the risks associated with this exception to information security policies. This exception may be subject to follow-up by the Internal Audit and Consulting Services (IACS) office or the ISO.
    • The unit acknowledges that incidents related to the identified risks may influence University eligibility for cyber insurance coverage if the required information security controls and compensating mitigations are not implemented and maintained

 

Information Security Controls

  • When securing institutional data and IT resources, the ISO will use an information security control framework called ‘NIST 171 Plus’, which is a consolidation of NIST SP 800-171, ISO 27001 and 27002, and the Center for Internet Security CIS Controls. This framework provides administrative, physical and technical controls scoped according to data classification level
  • The ISO employs the NIST 171 Plus framework when conducting an information security review, assessment, or consultation on enterprise and unit-specific infrastructures or implementations. This framework assesses administrative, technical, and physical controls focused on the confidentiality, integrity, and availability of institutional data. Responsibility for control implementation may be shared between IT Services and the unit depending on scope of infrastructure

 

Minimum Security Requirements

 

Vulnerability Management Program

  • Information security vulnerabilities on any University-owned computing resource must be remediated in accordance with the Vulnerability Management standard

 

Privileged Level Access To Major Systems

  • Controlled access to IT resources is essential for Miami University to continue its mission of learning, discovery and engagement while ensuring the security and functionality of IT systems, applications, hardware, and services, and the data stored or transmitted by those resources. Because of their greater access to IT resources relative to general user accounts, privileged accounts and service accounts pose a higher risk to the University
  • Creation of privileged accounts requires authorization of an IT resource owner, who must maintain an inventory of all privileged accounts, including the account name, purpose and responsible party for the account. The IT resource owner must review each privileged account at least annually to confirm the account is still necessary for university business and remove accounts no longer needed. The IT resource owner must immediately disable privileged accounts used by vendors or third parties upon contract end
  • Where implemented, privileged accounts must use multi-factor authentication, such as Duo, or certificate authentication
  • Privileged accounts must be separate and use a different password from general user accounts
  • Privileged account passwords must meet, and where possible, exceed the minimum password requirements outlined in our best practices website for complexity and change requirements
  • Creation of service accounts requires authorization of an IT resource owner, who must maintain an inventory of service accounts, including the account name, purpose and responsible party for the account. All service accounts must be configured following the principle of least privilege to run the service or process
  • Service account passwords must meet, and where possible, exceed the minimum password requirements outlined in our best practices website for complexity and change requirements
  • Service account passwords must not be coded into programs or stored on disk without approved encryption
  • Service account passwords must be changed at least annually or upon a personnel change in the group managing the account or with access to the password
  • Vendor-supplied default passwords must be changed immediately upon initial configuration of the system and follow the password requirements noted above
  • Where the capability exists, limit interactive login capabilities (e.g., prohibit console/terminal access, configure restricted shell, enforce network access restrictions, etc.)
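The inventory and review duties listed above, as an added example that is not part of the policy or of any University tool: a Python script that checks a constructed privileged/service account inventory (the record format, field names and dates are assumptions) against the stated requirements and reports the findings per account.

```python
# Added example: review a privileged/service account inventory against the
# requirements in the Privileged Level Access section. The inventory schema,
# field names and sample records below are constructed for this example.
from datetime import date

REVIEW_DAYS = 365     # privileged accounts are reviewed at least annually
ROTATION_DAYS = 365   # service account passwords are changed at least annually
REQUIRED = ("name", "purpose", "responsible_party", "kind")


def check_account(acct, today):
    """Return the list of policy findings for one record (empty = compliant)."""
    findings = [f"missing inventory field: {f}" for f in REQUIRED if not acct.get(f)]
    if findings:
        return findings  # an incomplete record cannot be assessed further
    end = acct.get("vendor_contract_end")
    if end and end < today and not acct.get("disabled"):
        findings.append("vendor/third-party account still enabled after contract end")
    if acct["kind"] == "privileged":
        last = acct.get("last_reviewed")
        if last is None or (today - last).days > REVIEW_DAYS:
            findings.append("annual review overdue or never performed")
        if not acct.get("mfa"):
            findings.append("no multi-factor or certificate authentication")
        if acct.get("password_shared_with_user_account"):
            findings.append("password shared with a general user account")
    elif acct["kind"] == "service":
        rotated = acct.get("password_rotated")
        if rotated is None or (today - rotated).days > ROTATION_DAYS:
            findings.append("service account password not rotated within a year")
        if acct.get("password_in_code_or_plaintext"):
            findings.append("password stored in code or unencrypted on disk")
        if acct.get("interactive_login"):
            findings.append("interactive login not restricted")
    if acct.get("default_password"):
        findings.append("vendor default password still in use")
    return findings


def review_inventory(inventory, today):
    """Map each account name to its findings so owners can act per account."""
    return {a.get("name", "<unnamed>"): check_account(a, today) for a in inventory}


# Constructed sample inventory and review date (not real accounts).
TODAY = date(2023, 10, 10)
SAMPLE_INVENTORY = [
    {"name": "admin-erp", "purpose": "ERP administration", "responsible_party": "J. Doe",
     "kind": "privileged", "last_reviewed": date(2023, 9, 1), "mfa": True},
    {"name": "vendor-backup", "purpose": "backup vendor support",
     "responsible_party": "Vendor X", "kind": "privileged", "mfa": False,
     "last_reviewed": date(2022, 1, 10), "vendor_contract_end": date(2023, 6, 30),
     "disabled": False},
    {"name": "svc-sync", "purpose": "directory sync job", "responsible_party": "IT Ops",
     "kind": "service", "password_rotated": date(2023, 2, 1),
     "password_in_code_or_plaintext": True, "interactive_login": True},
    {"name": "svc-unknown", "kind": "service"},
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name, "->", findings or "compliant")
```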

 

Change Control Management of Applications and Systems

  • Applications and systems are increasingly complex in their function, interaction, and form. There is an increasing dependency between resources and applications that can negatively impact operations if not managed and orchestrated in an organized fashion. Effective management and communication of updates, maintenance, and regular releases help to minimize customer impacts. From time to time systems require outages for planned upgrades, maintenance, or fine-tuning. Managing these changes is a critical part of providing a stable infrastructure
  • Changes must be executed in a well-communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues. Effective change management requires planning, communication, monitoring, rollback, and follow-up procedures to reduce negative impact to the user community
  • The Change Advisory Board (CAB) supports the assessment, prioritization, authorization, and scheduling of technology changes at Miami University. Meeting once a week, the committee analyzes the risk of proposed changes to Miami’s production environment and seeks to minimize outages or other impacts on active systems to the extent feasible

 

Segregation of duties for system changes

  • To meet best practices for system and environment changes, the following principles must be followed:
  • Separation of Duties. Ensure that a person who creates or develops code (application or infrastructure) is not the person that deploys that code to our production environment
  • Least Privilege. Actors should only have the privileges necessary to complete the work they are tasked with doing
  • Auditability. The ability to report and demonstrate the adherence to policies or standards and our guiding principles is imperative to information security and compliance
  • Technical controls are preferred over procedural controls to apply the principle of separation of duties. Technical controls are simpler to audit and report on, and their evidence gives more confidence than that of procedural controls
  • To control the life cycle of all changes and to enable beneficial changes to be made with minimum disruption to IT Services, all changes are required to follow Change Enablement best practices

 

Password Requirements

  • Miami University passwords are used with services such as myMiami, Canvas, BannerWeb, Miami Directory, and Miami email. Due to the sensitive nature of the information that underlies these services, IT Services has implemented two rules for the mandatory change of MUnet passwords: every 180 days or every five years, depending on the complexity of the password provided. Please visit our best practices website for complexity and change requirements
  • Do not share your password with anyone for any reason
  • Change your password upon indication of compromise
  • Do not write your password down or store it in an insecure manner
  • Avoid reusing a password
  • Avoid using the same password for multiple accounts
  • Change default account passwords
  • Do not use the same password for multiple administrator accounts

 

Backup Requirements

  • All institutional data must be copied onto a secure storage media on a regular basis (i.e., backed up), for disaster recovery and business continuity purposes
  • Data backup solutions provided by IT Services are designed to meet or exceed minimum backup requirements for typical applications; however, data stewards and data custodians must verify that backups meet the requirements of the data collections for which they are responsible
  • Services contracted from an outside vendor should be assessed to determine responsibility for backups, and ability to meet backup requirements
  • Federal and state regulations pertaining to the long-term retention of information (e.g., financial records, research data) must be met using retention policies as described in the Miami University Records Retention Manual

 

Exceptions

  • Exceptions to any provision of this policy or its supplemental standards, requirements, guidelines and practices must be approved by the Chief Information Security Officer

 

Additional Resources and Procedures

 

Policy Administration

Other Miami University Computing Policies

 

Responsible Officers

  • Vice President for Information Technology & Chief Information Officer

 

Legal Reference

  • Electronic Communications Privacy Act
  • Computer Fraud and Abuse Act

 

Compliance Policy

  • Yes

 

Reference ID(s)

  • MUPIM 19.2
  • OAC 3339-19-02

 

Reviewers

  • Vice President for Information Technology & Chief Information Officer

 

Revision History

  • 2023-04-05: Update
  • 2022-06-06: Policy published

 

Details

Article ID: 143871
Created
Mon 6/6/22 11:59 AM
Modified
Tue 10/10/23 1:46 PM
Supported Office or Community
University Community of Students, Staff, and Faculty