Purpose
The purpose of the Information Protection Policy is to provide direction and oversight over people, process, and technology employed to protect the confidentiality, integrity, and availability of University information and Information Systems (IS), while supporting the open, information-sharing needs of OU’s community members. Consequently, the security of Information Systems must include controls and safeguards to offset possible risks, as well as measures to ensure confidentiality, integrity and availability of University information and Information Systems.
The University of Oklahoma supports the Information Protection Policy where security measures must be taken to protect information and IS from unauthorized access, use, disclosure, disruption, modification, or destruction. The Information Protection Policy contains administrative, technical, and physical safeguards designed to protect University information and IS.
The intent of the Information Protection Policy is to:
- Define the Information Security Organization and overall roles and responsibilities related to information security.
- Define the OU IT Risk Management strategy to identify, manage and treat IT Risks.
- Comply with applicable laws, regulations, contractual obligations and OU policies.
- Identify Minimum Security Controls based on University business mission.
This Information Protection Policy is not intended to prevent, prohibit, or inhibit the proper use of information assets as required to meet OU’s core mission and University’s academic, research and administrative goals.
Scope
The Information Protection Policy applies to:
- All information and Information Systems owned, leased, operated, or under the custodial care of the University;
- All information and Information Systems owned, leased, operated, or under the custodial care of third-parties operated on behalf of the University; and
- All individuals accessing, using, holding, or managing University information or Information Systems on behalf of the University.
Policy
In order to protect the confidentiality, integrity and availability of information and Information Systems, University of Oklahoma users must ensure their actions with respect to information and Information Systems that store, process, or transmit University information meet:
- OU IT Information Security policy, and
- All applicable laws, University policies, and University contractual obligations
Individuals must report known non-compliance with this policy and associated Information Security Standards to the University IT Security GRC Office, GRC@OU.EDU, 405-271-2644.
Failure to comply with this policy and associated Information Security Standards may result in denied access to information and Information Systems, and disciplinary action, up to and including termination and dismissal.
USERS
- Information Owners must classify, label, handle and secure University information in accordance with the Information Classification Standard.
- Information Owners must authorize access to possess, use and modify University Information, in accordance with the Data Governance Policy.
IT SECURITY PROGRAM MANAGEMENT
Asset Management
- OU IT must establish baseline configuration requirements for Information Systems (including hardware and software) throughout the Information System development life cycle.
- Information System Owners must identify and report the use of Information Systems to OU IT GRC as part of the OU IT Procurement Process and OU IT Risk Assessment Process. See Risk Assessment Standard.
- Information System Owners or Administrators must implement and maintain baseline configuration requirements for Information Systems in accordance with OU IT Security Policies and Standards.
- OU IT must control the flow of University information, with approved authorizations from the IS Owner.
- OU IT must verify and control or limit connections to and use of external Information Systems.
Business Environment
- OU IT must identify laws and regulations applicable to information and Information Systems as they become known to foster compliance.
Governance
- OU IT must develop, implement and monitor compliance with an organizational Information Protection Policy.
- The University must implement processes to ensure that employees, contractors, and third-party users are suitable for the roles for which they are being considered, to reduce the risk of fraud, theft, or misuse of facilities.
Risk Management
- OU IT must develop and maintain a program management strategy focusing on information risk management, information security, security assessment, and business continuity. See Risk Assessment Standard.
- OU IT must include contractual obligations on vendors of third party software products and services to satisfy the University’s information security requirements.
Access Control
- Information Resources must authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access to University information.
- OU IT must define, implement and monitor compliance with a defined password complexity strategy. See OU Password Policy.
- OU IT and Information Owners must ensure that access rights are properly removed, and assets recovered for terminated employees and contractors, and for employees who have changed employment.
- Facilities storing, processing, or transmitting University information must employ physical access controls to prevent the theft of, tampering with, or destruction of information and Information Systems.
- OU IT must provide secure remote access mechanisms to permit authorized users to access University information or Information Systems from outside the University of Oklahoma wired or wireless network. See Remote Access Policy.
- Information Owners must use a centrally-managed University of Oklahoma IT authentication system where feasible, or an authentication system approved by the CIO. See Identity and Access Management Policy.
- OU IT must monitor, control, and protect the flow of University information (i.e., information transmitted or received by Information Systems).
Awareness and Training
- The University of Oklahoma must ensure that managers, Information System Administrators, and users of Information Systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those Information Systems.
- University information and Information System users must complete required information security training.
- OU IT must implement agreements to be signed by employees, contractors and third-party users of Information Systems, stating their security roles and responsibilities at the time of their employment or engagement, prior to access being granted.
- University information and Information System users must be made aware of their obligation to know and follow the OU IT Acceptable Use Policy.
Data Security
- OU IT must encrypt University information on mobile devices and mobile computing platforms when the risk of unauthorized access to or unauthorized disclosure of that information could result in a financial penalty assessed by a regulatory agency (e.g., Office of Civil Rights, Department of Education, or European Union). See Cybersecurity Policy.
- Information System Owners or Information System Administrators must use University-owned workstations located in off-campus clinic facilities and University-owned workstations located in public clinical areas (i.e., reception, waiting, or check-in areas).
- OU IT must employ cryptographic mechanisms to protect the confidentiality of University information when it is transmitted across a public network. See Encryption Standard.
- Information System Owners or Administrators must protect University information against malicious software, which includes, but is not limited to, malware, viruses, and spyware. See Cybersecurity Policy.
Information Protection Process and Procedures
- OU IT must establish and maintain baseline configuration requirements of Information Systems based on University mission and Information classification:
  - OU IT Category A – Healthcare Information Security Standard
  - OU IT Category B – Payment Card Data Security Standard
  - OU IT Category C – Education Information Security Standard
  - OU IT Category D – Research Information Security Standard
  - OU IT Category E – Admin and Finance Information Security Standard
- Network devices used to transmit University information must be operated securely and provide timely access to.
- Servers used to store, transmit or process University information must be operated securely and provide timely access to.
- User devices and applications used to store, transmit or process University information must be operated securely. See Cybersecurity Policy.
- Mobile devices and applications used to store, transmit or process University information must be operated securely. See Cybersecurity Policy.
- OU IT must develop, implement, and manage a Change Management Process to track, review, approve or disapprove, and audit changes to Information Systems.
- Information Owners must ensure backups of University information are conducted, maintained, and tested periodically. See IT Data Backup Policy.
- Information and Information System Owners must ensure that storage media, which includes but is not limited to optical media (CDs or DVDs), magnetic media (tapes or diskettes), disk drives (external, portable, or removed from Information Systems), flash memory storage devices (SSDs or USB flash drives) and documents (paper documents, paper output, or photographic media), are used and disposed of securely.
- OU IT must establish an Incident Response Plan that includes preparation, detection, analysis, containment, recovery, and user response activities to track, document, and report on incidents. See Security Incident Reporting Policy.
- OU IT must establish a Vulnerability Management Plan to identify, report, and correct Information System flaws in a timely manner. See Cybersecurity Policy.
Maintenance
- OU IT must provide controls on the tools, techniques, mechanisms, and personnel used to conduct Information System maintenance.
- Information System Owners or Administrators must require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Protective Technology
- OU IT must create and retain audit records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized, or inappropriate Information System activity. See System Logging Policy.
- OU IT must monitor, control, and protect communications (i.e., information transmitted or received by Information Systems) at the external boundaries and key internal boundaries of Information Systems.
References
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Payment Card Industry (PCI) Data Security Standards
- National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Enforcement and Compliance
Failure to comply with this policy or other applicable laws, policies, and regulations may result in the limitation, suspension, or revocation of user privileges and may further subject the user to disciplinary action including, but not limited to, those outlined in the Student Code, Staff Handbook, Faculty Handbook, and applicable laws. This policy is enforced by the OU Chief Information Officer. Internal Audit, or other departments, may periodically assess compliance with this policy and may report violations to the Board of Regents.
IT Exceptions
The CIO acknowledges that under rare circumstances certain cases will need to employ systems that are not compliant with this standard. Such instances must follow the Information Protection Policy exception process. Each exception request is carefully considered by the Information Owner, Information System Owner, OU IT Security Advisory Council and the CIO. See OU IT Information Protection Policy Exception Standard.
Revision, Review and Approval History
- March 2019: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments.
- November 2019: OU IT Governance, Risk, and Compliance: Comment period closed.
- December 2019: Campus IT Governance Review and Approval