Policy: Information Security
Statement of Policy
Miami University is a leader in scholarship, research, public service, athletic excellence, and the development of knowledge through inquiry, investigation and collaboration. Information security will continue to play an increasingly critical role in the process of education, innovation, and information sharing. This policy allows the University to remain a world leader by ensuring a successful approach to cyber risk management and incident response.
Contact
Vice President for Information Technology & Chief Information Officer
Reason for Policy
Information security is of the utmost importance to Miami University. In an increasingly collaborative world that depends upon shared electronic information, it is essential that the University implement a policy to guide protection and availability. This policy aims: to protect user confidentiality; to maintain the integrity of all data created, received or collected by the University; to meet legal and regulatory requirements; and to ensure timely, efficient and secure access to information technology resources. This policy simplifies the process of cyber risk management and prepares the University for a world in which information security is increasingly critical.
Entities Affected by Policy
Employees (faculty and staff), employed students, students, contractors, suppliers, affiliates, and other authorized users.
This policy applies to all University campuses and all other locations.
Responsibilities
Chief Information Officer (CIO):
Provides financial and operational oversight for the delivery of information technology services that meet the requirements of this policy. Provides management oversight for information security planning, implementation, budgeting, staffing, program development and reporting. Sets operational priorities and obtains alignment with executive leadership.
Chief Information Security Officer (CISO):
Assists with the interpretation and application of this policy. Provides management and execution oversight of the information security program through collaborative relationships with the CIO, academic, and administrative officials, using local governance structures and compliance strategies. Reports information security incidents to leadership. Manages the exception process for this policy.
Unit Head:
A generic term for dean, vice president or person in a similarly senior role who has the authority to allocate budget and is responsible for unit performance. In some specific situations, the following senior roles may also be unit heads: department chairs, assistant/associate vice presidents (AVP), principal investigators, directors or senior managers. Unit heads have important responsibilities to ensure effective management of cyber risk of data and IT resources under their purview. Additional responsibilities include: partnering with the Information Security Office; delegating tactical responsibility within their unit; making cybersecurity a priority; allocating time and resources appropriately; and reporting cyber events.
Unit IT Leaders:
Oversees the execution of this policy within the college or division, specifically for applications, systems, and data that are outside of IT Services enterprise controls. Identifies and inventories institutional data and IT resources managed by the college or division. Reports information security incidents to the Information Security Office. Reports to the CISO any information security policy or standard that is not fully met by the college or division, or by a service provider managing institutional data or IT resources on behalf of the college or division. Ensures the above responsibilities are included in the overall college or division planning and budgeting process.
Employees (faculty and staff), employed students, students, affiliates, vendors, and other authorized users:
Complies with this policy. All authorized users accessing institutional data are responsible for maintaining security according to our guidelines on any personal devices they use for University business.
Information Owner and Data Stewards:
Assumes overall responsibility for establishing the protection level classification, access to and release of a defined set of institutional data. Establishes and documents rules for use of, access to, approval for use of and removal of access to the institutional data related to their area of responsibility. Approves institutional data transfers and access related to their areas of responsibility.
Researcher:
Identifies and meets confidentiality and data security obligations based on laws, regulations, policies, grants, contracts and binding commitments (such as data use agreements and participant consent agreements) relating to research data. Creates and maintains evidence that demonstrates how security controls were implemented and kept current throughout the project. Develops and follows an information security plan that manages security risk over the course of their project. Ensures that suppliers who store or process institutional data during the project follow Miami University policy for written contracts. Ensures that Supplier agreements include approved terms supporting the information security controls specified in this policy and applicable purchasing requirements.
Service Provider:
An internal organization that offers IT services to the University, a college or a division. Service providers typically assume most of the security responsibility and help users understand their responsibilities with respect to cyber security.
Supplier:
An external, third-party vendor or entity that provides goods or services to the University. The University has specific contract terms that clarify the responsibilities of Suppliers and protect the University.
Definitions
Institutional data:
This consists of University information and data, independent of the location (physical or cloud).
IT Resources:
A term that broadly describes IT infrastructure, software, or hardware with computing and networking capability. These include, but are not limited to: portable computing devices and systems, mobile phones, printers, network devices, industrial control systems (SCADA, etc.), access control systems, digital video monitoring systems, data storage systems, data processing systems, backup systems, electronic media, logical media, biometric and access tokens and other devices that connect to any University network. This includes both University-owned and personally owned devices while they store institutional information, are connected to University systems, are connected to University networks, or are used for University business.
Service Provider:
Internal University groups or organizations providing specific IT services to the University, a college or a division.
Supplier:
An external, third-party entity that provides goods or services to the University.
Unit:
A point of accountability and responsibility that results from creating, collecting, managing, or possessing institutional data, or installing and managing IT resources. A unit is typically a defined organization, such as the College of Engineering and Computing, or a division, such as Student Life, or the collection of Regional campuses. A unit can also be defined as an organizational research unit. Because Miami University is decentralized for non-enterprise systems and maintains a shared governance model, this policy provides units with the flexibility and responsibility to manage cyber risk.
Unit Head:
A generic term for dean, vice president or person in a similarly senior role who has the authority to allocate budget and is responsible for unit performance. In some specific situations, the following senior roles may also be unit heads: department chairs, assistant/associate vice presidents (AVP), principal investigators, directors or senior managers.
Management Goals and Principles
Miami University management is dedicated to the following goals and principles:
Goals
Preserve academic freedom and research collaboration
Protect privacy
Follow a risk-based approach
Maintain confidentiality, protect integrity, and ensure availability
Information Security Management Principles
Policy goals guide decisions
To ensure sound financial and operational decisions, the goals listed above must be used to scope, protect and make risk-based decisions about commensurate protection of institutional information and IT resources.
IT Services is accountable for implementing information security at the enterprise level
The Chief Information Officer is accountable for appropriately protecting enterprise-level institutional data and IT resources, and for managing information security risk under their purview in a manner consistent with this policy.
Units are accountable for implementing information security at the non-enterprise level
College and division heads, also termed Unit heads, are accountable for appropriately protecting institutional data and IT resources, and for managing information security risk under their purview in a manner consistent with this policy.
Risk level determines decision-making rights
To protect the University, information security and cyber risk management decisions must be made at the level of financial, privacy, legal, reputation, brand or other organizational authority that matches the level of risk identified.
Security is a shared responsibility
All employees are responsible for ensuring the protection of institutional information and IT resources. Understanding the risks, threats, costs and incidents associated with securing institutional information is a shared responsibility.
Security is embedded in the lifecycle of systems, services and software
Information security must be incorporated into the entire lifecycle for any system, service or software. This includes identifying, budgeting for, planning, developing, implementing and maintaining security processes and controls.
Policy
Data Classification and Retention
The University follows a Confidential Information Policy delineating institutional data or information protected by federal, state, or other regulatory statutes. Each faculty and staff member must assume responsibility for protecting confidential information from unauthorized exposure.
All access to and use of University confidential information must be for authorized purposes only.
The Information Security Office further delineates data classification levels which aid in the cyber risk assessment and application of administrative, technical and physical controls to protect the confidentiality, integrity and availability of institutional data. These levels include restricted (FERPA, HIPAA, PCI-DSS, ITAR, etc.), confidential (intellectual property, personal records, financial, etc.), internal-only (exams, internal memoranda, business plans, etc.), and public (directory, public website, etc.) information. When the classification is higher, more effort goes into protecting the associated assets. These classifications also inform this policy's risk-based approach to security.
All electronic and physical records must be retained for the designated retention period and disposed of properly as delineated in the MUPIM Records Retention, Electronic Records, and Signatures policy.
All University-owned assets must be discarded or disposed of using approved methods included in the Miami University Transfer and Disposal directives.
A Standards-Based and Risk-Based Approach
This policy follows both a standards-based and a risk-based approach to information security to ensure the University meets industry, government and regulatory requirements while also properly scoping controls and making appropriate investment decisions. The policy incorporates a subset of controls based on NIST SP 800-171, NIST SP 800-53, ISO 27001 and ISO 27002 that align with and support the University mission of teaching, research and public service. The policy also addresses legal requirements associated with HIPAA, the Payment Card Industry (PCI) and other state and federal regulations, and includes requirements needed to qualify for certain grants that are essential to University research funding (NIST 800-171). Additionally, the policy's risk-based approach guides the allocation of resources by evaluating risk and assessing the cost and benefit of risk management.
Risk Management and Security Plans
The MUPIM Confidential Information Policy, OAC Rule 3339-3-22 Confidential Information Policy, and ORC Chapter 1347 Personal Information Systems require the protection of Miami University confidential information. Each employee, employed student, student, affiliate, vendor, and other authorized user must assume responsibility for protecting confidential information from unauthorized exposure. The Information Security Office (ISO) is charged with delivering an appropriate security plan and written consent before any University office is permitted to collect or maintain social security numbers and other confidential information.
The ISO follows a risk-based approach and supports University units (colleges, divisions, departments, research projects, etc.) in conducting risk assessments and implementing a security plan for the protection of confidential information. Implementation includes resource allocation to put in place administrative, technical and physical information security control mechanisms. Units are accountable for the implementation of unit-specific (non-enterprise) information security requirements.
Security plans provide unit findings and recommended security controls following a MU NIST 171 Plus compliance control gap analysis and risk assessment.
Security plans provide recommended mitigations based on risk assessment findings to reduce risk and improve a Unit's cybersecurity posture. The IT Services ISO fully recognizes that implementation of suggested controls may require substantial resources including personnel (FTE), material costs, and time. Additionally, the Unit assessments may require periodic review and assessment of controls.
Upon receipt of the security plan, the unit head or officer acknowledges the following responsibilities:
The unit is responsible for the risks annotated in the assessment and understands the mitigations documented in the plan.
Compliance with the MUPIM Confidential Information Policy and with IT Services' policies is expected for all Units, university-owned information, and resources.
The unit shall implement mitigations as resources and time allow. Until such mitigations are implemented, the Unit acknowledges the risks associated with this exception to information security policies. This exception may be subject to follow-up by the Internal Audit and Consulting Services (IACS) office or the ISO.
The unit acknowledges that incidents related to the identified risks may influence University eligibility for cyber insurance coverage if the required information security controls and compensating mitigations are not implemented and maintained.
Information Security Controls
When securing institutional data and IT resources, the ISO will use an information security control framework called 'NIST 171 Plus', which is a consolidation of NIST SP 800-171, ISO 27001 and 27002, and the Center for Internet Security CIS Controls. This framework provides administrative, physical and technical controls scoped according to data classification level.
The ISO employs the NIST 171 Plus framework when conducting an information security review, assessment, or consultation on enterprise and unit-specific infrastructures or implementations. This framework assesses administrative, technical, and physical controls focused on the confidentiality, integrity, and availability of institutional data. Responsibility for control implementation may be shared between IT Services and the unit depending on the scope of the infrastructure.
Minimum Security Requirements
Miami University's Information Security Office requires that the practices listed in the Minimum Security Requirements for Working with Sensitive Data document be followed by anyone accessing or storing sensitive information from managed, non-managed, or personal computers and devices.
All individuals must abide by MUPIM 19.2 Responsible Use of University Computing Resources.
Any actual or suspected loss, theft, or improper use of or access to Miami University institutional data and computing resources must be promptly reported to infosec@miamioh.edu.
Vulnerability Management Program
Information security vulnerabilities on any University-owned computing resource must be remediated in accordance with the Vulnerability Management standard.
Privileged Level Access To Major Systems
Controlled access to IT resources is essential for Miami University to continue its mission of learning, discovery and engagement while ensuring the security and functionality of IT systems, applications, hardware, and services, and the data stored or transmitted by those resources. Because of their greater access to IT resources relative to general user accounts, privileged accounts and service accounts pose a higher risk to the University.
Creation of privileged accounts requires authorization of an IT resource owner, who must maintain an inventory of all privileged accounts, including the account name, purpose and responsible party for the account. The IT resource owner must review each privileged account at least annually to confirm the account is still necessary for university business and remove accounts no longer needed. The IT resource owner must immediately disable privileged accounts used by vendors or third parties upon contract end.
Where implemented, privileged accounts must use multi-factor authentication, such as Duo, or certificate authentication.
Privileged accounts must be separate from, and use a different password than, general user accounts.
Privileged account passwords must meet, and where possible exceed, the minimum password requirements outlined in our best practices website for complexity and change requirements.
Creation of service accounts requires authorization of an IT resource owner, who must maintain an inventory of service accounts, including the account name, purpose and responsible party for the account. All service accounts must be configured following the principle of least privilege to run the service or process.
Service account passwords must meet, and where possible exceed, the minimum password requirements outlined in our best practices website for complexity and change requirements.
Service account passwords must not be coded into programs or stored on disk without approved encryption.
Service account passwords must be changed at least annually, or upon a personnel change in the group managing the account or with access to the password.
Vendor-supplied default passwords must be changed immediately upon initial configuration of the system and must follow the password requirements noted above.
Where the capability exists, limit interactive login capabilities (e.g., prohibit console/terminal access, configure a restricted shell, enforce network access restrictions, etc.).
Change Control Management of Applications and Systems
Applications and systems are increasingly complex in their function, interaction, and form. There is an increasing dependency between resources and applications that can negatively impact operations if not managed and orchestrated in an organized fashion. Effective management and communication of updates, maintenance, and regular releases help to minimize customer impacts. From time to time systems require outages for planned upgrades, maintenance, or fine-tuning. Managing these changes is a critical part of providing a stable infrastructure.
Changes must be executed in a well-communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues. Effective change management requires planning, communication, monitoring, rollback, and follow-up procedures to reduce negative impact to the user community.
The Change Advisory Board (CAB) supports the assessment, prioritization, authorization, and scheduling of technology changes at Miami University. Meeting once a week, the committee analyzes the risk of proposed changes to Miami's production environment and seeks to minimize outages or other impacts on active systems to the extent feasible.
Segregation of duties for system changes
To meet best practices for system and environment change practices, the following principles must be followed:
Separation of Duties. Ensure that a person who creates or develops code (application or infrastructure) is not the person that deploys that code to our production environment.
Least Privilege. Actors should only have the privileges necessary to complete the work they are tasked with doing.
Auditability. The ability to report and demonstrate adherence to policies or standards and our guiding principles is imperative to information security and compliance.
Technical controls are preferred over procedural controls for applying the principle of separation of duties: technical controls are simpler to audit and report on, and give more confidence in the result, than procedural ones.
To control the life cycle of all changes and to enable beneficial changes to be made with minimum disruption to IT Services, all changes are required to follow Change Enablement best practices.
Password Requirements
Miami University passwords are used with services such as myMiami, Canvas, BannerWeb, Miami Directory, and Miami email. Due to the sensitive nature of the information that underlies these services, IT Services has implemented two rules for the mandatory change of MUnet passwords: every 180 days or every five years, depending on the complexity of the password provided. Please visit our best practices website for complexity and change requirements.
Do not share your password with anyone for any reason
Change your password upon indication of compromise
Do not write your password down or store it in an insecure manner
Avoid reusing a password
Avoid using the same password for multiple accounts
Change default account passwords
Do not use the same password for multiple administrator accounts
Backup Requirements
All institutional data must be copied onto secure storage media on a regular basis (i.e., backed up) for disaster recovery and business continuity purposes.
Data backup solutions by IT Services are provided in order to meet or exceed minimum backup requirements for typical applications. However, data stewards and data custodians must verify that backups meet the requirements of the data collections for which they are responsible.
Services contracted from an outside vendor should be assessed to determine responsibility for backups and the ability to meet backup requirements.
Federal and state regulations pertaining to the long-term retention of information (e.g., financial records, research data) must be met using retention policies as described in the Miami University Records Retention Manual.
Exceptions
Exceptions to any provision of this policy or its supplemental standards, requirements, guidelines and practices must be approved by the Chief Information Security Officer.
Additional Resources and Procedures
Additional specific policies and standards may be found in the Best Practices Library.
Transfer and Disposal
Records Retention Manual
Policy Administration
Other Miami University Computing Policies
Confidential Information Policy
Records Retention, Electronic Records, and Signatures
Responsible Use of University Computing Resources
Responsible Officers
Vice President for Information Technology & Chief Information Officer
Legal Reference
Electronic Communications Privacy Act
Computer Fraud and Abuse Act
Compliance Policy: Yes
Reference ID(s)
MUPIM 19.2
OAC 3339-19-02
Reviewers
Vice President for Information Technology & Chief Information Officer
Revision History
2023-04-05: Update
2022-06-06: Policy published
Details
Article ID: 143871
Created: Mon 6/6/22 11:59 AM
Modified: Tue 7/2/24 10:29 AM
Supported Office or Community: University Community of Students, Staff, and Faculty