Information is an asset that is essential to fulfilling the mission of Lehigh University (the “University”) and needs to be suitably protected. This policy establishes the framework for the University’s Information Security Program. The Information Security Program is designed to protect institutional data from a wide range of threats, ensure operational continuity, minimize risk, and allow the University to focus on its mission. The program is intended to: This policy applies to everyone who accesses University data or information resources (including, but not limited to, all University staff, faculty, researchers, students, visitors, vendors, contractors, volunteers, and business partners) and all University information systems and resources. A number of standard information frameworks are available for the University to implement and each has its advantages. The University elects to deploy a hybrid framework for information security. This hybrid approach is designed to meet our University’s unique mission, business objectives, and compliance requirements. The framework draws upon the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and NIST 800-171 to ensure thoroughness and to comply with applicable current and future federal mandates, including around research and Title IV funding, while allowing for flexibility where less security is required. In addition to guidance from NIST, Lehigh University recognizes areas where more specific security and privacy controls are required. These include:
1.0 Purpose
2.0 Scope
3.0 Introduction
Certain capitalized terms used in this policy are defined in Section 9.
4.0 Policy
All University data must be protected according to the provisions below:
- Risk Management: Data protections should be appropriate to the calculated impact to confidentiality, integrity, and availability of data or data systems.
- Risk Acceptance: Senior Management has the authority to accept information security, privacy, and compliance risks for the University.
- Data Classification: All university data is classified into levels based on its sensitivity and risk of harm if the data were to be lost, changed, or disclosed.
- Data Security: The university maintains minimum security controls appropriate to data classification levels.
- Privacy Review: Access to sensitive data required to operate information security program is provided only as required and is monitored and periodically reviewed.
- Compliance: University data must be protected in accordance with laws and regulations applicable to the University’s operations and other requirements imposed by contract.
5.0 Information Security Policy Framework:
The objective of information security policies, procedures, and guidelines is to provide senior management with direction and support for decisions related to information security in accordance with Lehigh’s mission, business requirements, and governing laws and regulations. Information security policies will be approved by senior management or reviewed by appropriate policy committees (i.e. CGRC, ACIS), and published and communicated to all affected members of the University community and relevant external parties. These policies will establish the University’s approach to managing information security and will align with relevant federal, state, and regulatory information protection policies. Procedures (Processes), standards, and guidelines will be more specific. They will be created by departments or individuals and provide operational guidance for specific actions to be taken and minimum baseline security requirements to be met or other activities.
The Information security program will be reviewed at planned intervals (i.e. annually) or if significant changes occur to ensure its continuing efficacy. Each policy/standard/procedure will have an owner who has the responsibility to ensure it functions appropriately within our security framework in response to changes to the environment, new threats and risks, business circumstances, legal and policy implications, and technical environment.
Information security policies have the broadest scope because they form the foundation of the information security program. Therefore, policies will be approved through our ACIS Governance group. Policies that may have broader organizational impact may be referred to General Counsel or the University Trustees.
Standards, procedures, and guidelines will be developed and maintained by individuals who are responsible for specific operational procedures.
I. Policy
Established by Senior Management to reflect the University's values, principles, and strategies. The provide broad guidance to more specific standards and procedures.
II. Standards
Specify measurable requirements for compliance with university policies and applicable regulations and laws.
III. Procedures
Detailed plans to accomplish specific tasks or deliver services to meet the needs of the community while satisfying the requirements of applicable standards and policies. Developed and maintained by expert practitioners.
IV. Guidelines/Best Practices
Provides best practices relative to a particular topic or audience. For example, a summary of security tips for research faculty or for undergraduate students.
The information security program needs to be continuously monitored, reviewed, and improved to ensure that it reflects the dynamic security requirements of the University and maintains the University’s exposure to risk at a level acceptable to senior management in relation to the University’s operational and business needs. The Chief Information Security Officer (CISO) is responsible for ensuring this policy is annually reviewed. Violations of this policy and/or any standard or procedure published under this policy may result in suspension or loss of user privileges, for the purpose of protecting the University’s information and/or information systems. Additional administrative sanctions may apply up to and including termination of employment or contractor status with the University. Civil, criminal, and equitable remedies may also apply. Policies, standards, procedures, and guidelines will be developed in the context of the following control families for the purpose of providing appropriate security controls and to allow the University to validate compliance with legal and regulatory requirements. Access Control [800-171] Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise. Assessment, Authorization, and Monitoring [800-53 Rev 5] The Chief Information Security Officer is responsible to ensure development, documentation, and dissemination of policies, procedures, standards, and guidelines designed to protect the privacy and security of information and information systems, assess the effectiveness of the controls, monitor for deviations, and ensure senior management authorizes systems and accepts inherent risk. Audit and Accountability [800-171] Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions, all in accordance with the University’s applicable policies, rules, and regulations existing from time to time, including the University’s Acceptable Use of Computer Systems and Facilities Policy, as amended. Awareness and Training [800-171] Ensure that managers and users of information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, or procedures related to the security of information systems; and ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. Configuration Management [800-171] Establish and maintain baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and establish and enforce security configuration settings for information technology products employed in information systems. Contingency Planning [800-53] Create an acceptable plan for recovering information systems and data following an emergency or system disruption. Ensure the plan is tested periodically and deviations are reported to authorized officials. Identification and Authentication [800-171] Identify information system users, processes acting on behalf of users, or devices and authenticate (verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to information systems. Incident Response [800-171] Establish and maintain an operational incident-handling capability for information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and track, document, and report incidents to appropriate officials and/or authorities. Individual Participation [800-53 Rev 5] Establish policies, standards, and procedures to ensure individuals are aware of Lehigh’s privacy policies, provide consent to use their data, and are aware of their rights for redress in accordance with our policies and applicable laws and regulations. Maintenance [800-171] Perform periodic and timely maintenance on information systems; and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. Media Protection [800-171] Protect information system media containing sensitive information, both paper and digital; limit access to sensitive information on information system media to authorized users; and sanitize or destroy information system media containing sensitive information before disposal or release for reuse. Personnel Security [800-171] Screen individuals prior to authorizing access to information systems containing sensitive information and ensure that sensitive information and information systems containing sensitive information are protected during and after personnel actions such as terminations and transfers. Physical and Environmental Protection [800-171] Limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; and protect the physical plant and support infrastructure for those information systems. Privacy Authorization [800-53 Rev 5] Establish policies and procedures to ensure that Lehigh has the authority and a specific purpose to collect personally identifiable information and that such information is shared with external parties only as needed and with the appropriate security controls in place. Program Management [800-53] The Chief Information Security Officer (CISO), under the direction of the Vice Provost for Library and Technology Services, is required to develop and maintain an institution-wide information security program. The CISO must periodically report on the status of the program to senior management and/or Board of Trustees on the goals of the program, status relative to goals, prevalent risks, and resources required to support the program. Risk Assessment [800-171] Periodically assess the risk to operations (including mission, functions, image, or reputation), assets, and individuals, resulting from the operation of information systems and the associated processing, storage, or transmission of sensitive information. Security Assessment [800-171] Periodically assess the security controls in information systems to determine if the controls are effective in their application; develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in information systems; and monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. System and Communication Protection [800-171] Monitor, control, and protect communications (i.e., information transmitted or received by information systems) at the external boundaries and key internal boundaries of the information systems; and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within information systems. System and Information Integrity [800-171] Identify, report, and correct information and information system flaws in a timely manner; provide protection from malicious code at appropriate locations within information systems; and monitor information system security alerts and advisories and take appropriate actions in response. System and Services Acquisition [800-53] Security and privacy functional requirements must be included when systems and services are acquired or developed which may involve sensitive data. Complementary controls might be needed and funding should be bound to the purchase and ongoing maintenance of the system and service. Responsible University Official: Eric Zematis, CISO6. Review
7. Compliance and Enforcement
8. Security & Privacy Control Families
9. Definitions
10.0 Reference Documents:
11.0 Additional Contacts:
Subject
Contact
Phone
Email
Information Security
security@lehigh.edu
Responsible University Office: Lehigh Library and Technology Services (LTS), 610-758-3994
Effective Date: 02/23/2020
Reviewed Date: 08/25/2021
Revision Number: 1
For additional help, please contact the LTS Help Desk at 610-758-4357 or helpdesk@lehigh.edu