8.2.1.2 Cybersecurity Policy - Pending President Approval

Policy Statement

It is the policy of OU that faculty and staff who manage or operate any OU or third-party systems, information technology resources, or assets must implement the minimum safeguards and controls defined in this policy.

Web Address For This Policy

To Be Determined

Network Management

The Office of Information Technology (OU IT) is responsible for planning, implementing, and managing the University of Oklahoma network, including wireless connections. 

  1. Asset Administrators managing the following types of devices must register them and request approval to use them by submitting an OU IT Network Device Registration form: 
    1. Routers
    2. Wireless Network Devices
    3. Switches
    4. Firewalls
    5. Hubs
    6. Virtual Private Networks
    7. Intrusion Detection/Prevention (IDS/IPS) Devices
    8. Voice over IP Devices
    9. Consumer-grade Network Devices
  2. The National Defense Authorization Act Section 889 (NDAA 889) prohibits executive agencies from entering, extending, or renewing a contract with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, on or after August 13, 2020, unless an exception applies, or a waiver is granted.  All telecommunications equipment used by OU IT, Department IT, Staff or Faculty must comply with NDAA Section 889.  See the NDAA Section 889 Guideline for additional information.
  3. Firewalls, when used to conduct OU Business, must be configured and maintained in accordance with the OU IT Firewall Management Standard.
  4. OU IT must maintain a university network diagram that depicts all network devices.
  5. OU IT reserves the right to disconnect devices that are not properly registered, that are suspected of violating University Policy or compromising University data, or that are exhibiting known high-risk behavior.

Asset Management

Asset management is critical to the University's cybersecurity strategy in understanding the assets in use at the University and their purpose. 

  1. Asset Administrators must maintain an inventory of physical and virtual assets supporting the University missions in accordance with the IT Asset Management Policy.  

Risk Assessment

Risk assessments help identify cybersecurity risks from the use of technology that could potentially cause loss or harm to the University.  Risk assessments also help determine if information technology will comply with federal and state laws or regulations and University policy for protecting data. 

  1. Risk assessments must be completed by Information Technology Governance, Risk, and Compliance in accordance with the Risk Assessment Standard.
  2. A risk assessment shall not constitute approval or authorization to purchase a reviewed product.  State of Oklahoma and OU purchasing rules still apply.

Identity and Access Management

Identification, authentication, and authorization are controls to facilitate access and to protect university information resources and data.

  1. Authentication of users must be conducted in accordance with the Identity and Access Management Policy.

Awareness and Training

Everyone is responsible for cybersecurity, making formal training and awareness programs a foundational component of any Cybersecurity Program.

  1. All OU Staff, Faculty, and Students must complete annual Phishing Awareness training.
  2. All OU Staff, Faculty, and Students that fail a scheduled OU IT phishing simulation must complete additional required Social Engineering Awareness training.
  3. OU Staff, Faculty, or Students found to violate University Information Security Policy must complete required Information Security training to be named at the time of Incident and commensurate with the Incident type.

Data Security

University data that is transmitted over a public network (e.g., the Internet) must be protected.

  1. Asset Administrators must configure assets to encrypt data in accordance with the Encryption Standard.
  2. All users transmitting data that is subject to confidentiality obligations or expectations via email must use OU Secure Email services.
    • OKC/Tulsa Campus:  Simply type [SECURE] in the subject line of any email message to encrypt its contents.
    • Norman/Tulsa Campus: Simply type [OUENCRYPT] in the subject line of any email message to encrypt its contents.

Device Management

University-owned devices must be managed in order to ensure compliance with federal and/or state laws and regulations, and to align with University objectives.

  1. All University-owned end user devices (e.g., laptops, desktops) must, where supported, have the OU endpoint management software installed and configured to report regularly to the centralized management server.
  2. University-owned end user devices not capable of running the OU endpoint management software must be reported as an IT Exception and must either have sufficient mitigating controls implemented or be operated as standalone devices with no connectivity to OU Business or Campus Networks.

Encryption

OU's Endpoint Encryption service leverages native encryption, such as FileVault and BitLocker, and adds a regular device check-in that reports the encryption status of each device, in order to protect the University against the cost of a data breach due to an unencrypted lost or stolen device.  While native encryption on its own provides data security, it does not give regulatory bodies such as the Department of Education, the Office for Civil Rights, and our external funding agencies verifiable evidence that the data was encrypted at the time of loss or theft; the check-in record does.

  1. Data must be encrypted in accordance with the Encryption Standard.

Vulnerability and Patch Management

It is important to identify and install relevant patches and system updates to ensure the ongoing functionality and security of Information Systems.

  1. All assets connecting to the OU Business or Campus Networks will be subject to recurring vulnerability scans.
  2. Asset Administrators must remediate vulnerabilities in accordance with the Prioritization Matrix listed below or notify grc@ou.edu via e-mail if unable to remediate a vulnerability.
Vulnerability Remediation Priority

  Severity   Server     End User Device   Network Device   Other
  Critical   15 Days    15 Days           48 Hours         15 Days
  High       30 Days    30 Days           48 Hours         30 Days
  Medium     90 Days    90 Days           90 Days          90 Days
  Low        As Needed  As Needed         As Needed        As Needed
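The matrix above fixes a remediation window per severity and asset class, so an Asset Administrator can compute a due date for every finding in a scan export and see which ones are overdue, which are covered by a notification to grc@ou.edu, and which (Low) have no fixed deadline. The script below is an added example written for this page, not OU IT tooling; the scan-export field names (asset, asset_class, severity, first_seen, exception_filed) and the sample findings are constructed, and the evaluation date AS_OF is an assumption. Asset classes that are not Server, End User Device or Network Device fall into the matrix's Other column.

```python
"""Remediation-SLA tracker for the Vulnerability Remediation Priority matrix.

Added example, not OU IT tooling.  The export format, its field names and the
findings in SAMPLE_EXPORT are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Deadlines copied from the policy matrix. None encodes "As Needed": no fixed deadline.
SLA: dict[str, dict[str, Optional[timedelta]]] = {
    "critical": {"server": timedelta(days=15), "end user device": timedelta(days=15),
                 "network device": timedelta(hours=48), "other": timedelta(days=15)},
    "high":     {"server": timedelta(days=30), "end user device": timedelta(days=30),
                 "network device": timedelta(hours=48), "other": timedelta(days=30)},
    "medium":   {"server": timedelta(days=90), "end user device": timedelta(days=90),
                 "network device": timedelta(days=90), "other": timedelta(days=90)},
    "low":      {"server": None, "end user device": None,
                 "network device": None, "other": None},
}

# Assumed evaluation date for the sample run (constructed).
AS_OF = datetime(2024, 3, 1)


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_class: str       # Server, End User Device, Network Device, or anything else
    severity: str          # Critical, High, Medium, Low (case-insensitive)
    first_seen: datetime   # first scan that reported the vulnerability
    exception_filed: bool = False  # grc@ou.edu notified that remediation is not possible


def asset_column(asset_class: str) -> str:
    """Map a scanner's asset class onto a matrix column; unknown classes are Other."""
    key = asset_class.strip().lower()
    return key if key in ("server", "end user device", "network device") else "other"


def deadline(f: Finding) -> Optional[datetime]:
    """Due date per the matrix, or None when the cell is As Needed."""
    sev = f.severity.strip().lower()
    if sev not in SLA:
        raise ValueError(f"unknown severity {f.severity!r} on {f.asset}")
    window = SLA[sev][asset_column(f.asset_class)]
    return None if window is None else f.first_seen + window


def status(f: Finding, now: datetime) -> str:
    """'as needed', 'on track', 'exception' (past due but GRC notified) or 'OVERDUE'."""
    due = deadline(f)
    if due is None:
        return "as needed"
    if now <= due:
        return "on track"
    return "exception" if f.exception_filed else "OVERDUE"


def parse_export(rows: list[dict]) -> list[Finding]:
    """Convert scan-export rows (hypothetical field names) into Finding objects."""
    return [Finding(asset=r["asset"], asset_class=r["asset_class"], severity=r["severity"],
                    first_seen=datetime.fromisoformat(r["first_seen"]),
                    exception_filed=r.get("exception_filed", False)) for r in rows]


def sla_report(findings: list[Finding], now: datetime) -> list[tuple]:
    """(status, asset, severity, due) per finding; overdue first, then by due date."""
    rows = [(status(f, now), f.asset, f.severity, deadline(f)) for f in findings]
    order = {"OVERDUE": 0, "on track": 1, "exception": 2, "as needed": 3}
    rows.sort(key=lambda r: (order[r[0]], r[3] or datetime.max))
    return rows


# Constructed sample export: one finding per asset, in a hypothetical field layout.
SAMPLE_EXPORT = [
    {"asset": "core-sw-01", "asset_class": "Network Device", "severity": "Critical",
     "first_seen": "2024-02-27T00:00:00"},                     # 48 h window, missed
    {"asset": "web-01", "asset_class": "Server", "severity": "High",
     "first_seen": "2024-02-15T00:00:00"},                     # 30 days, still open
    {"asset": "lab-pc-07", "asset_class": "End User Device", "severity": "Medium",
     "first_seen": "2023-11-01T00:00:00"},                     # 90 days, missed
    {"asset": "printer-3", "asset_class": "Printer", "severity": "Low",
     "first_seen": "2024-01-01T00:00:00"},                     # Other / As Needed
    {"asset": "db-02", "asset_class": "Server", "severity": "Critical",
     "first_seen": "2024-02-01T00:00:00", "exception_filed": True},  # GRC notified
]

if __name__ == "__main__":
    for st, asset, sev, due in sla_report(parse_export(SAMPLE_EXPORT), AS_OF):
        due_s = due.strftime("%Y-%m-%d %H:%M") if due else "no fixed deadline"
        print(f"{st:9} {asset:12} {sev:8} {due_s}")
```

Network-device windows are measured in hours, so deadlines are computed from the full timestamp of the first scan rather than its calendar date; a finding first seen late on Tuesday is due late on Thursday, not at the start of it.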

Malicious Software Protection

Endpoint security controls are deployed to protect end-user devices and/or secure the data sent to and from end-user devices.  The OU End Point Protection software provides active protection from network threats.

  1. All university-owned assets must have the OU End Point Protection software installed and configured to report to the centralized management server provided by OU IT.

References

  1. General Data Protection Regulation (GDPR)
  2. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  3. Payment Card Industry (PCI) Data Security Standards
  4. Gramm-Leach-Bliley Act (GLBA)
  5. Family Educational Rights and Privacy Act (FERPA)
  6. National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information
  7. National Institute of Standards and Technology Special Publication 800-37, Risk Management Framework
  8. National Institute of Standards and Technology Cybersecurity Framework (CSF)
Details

Article ID: 3022
Created: Wed 8/16/23 2:05 PM
Modified: Tue 2/6/24 9:40 AM