Written Information Security Plan (Program)

The overarching objective of information security is to develop, implement and manage a security program that achieves the six basic outcomes of effective security governance: 1) strategic alignment with business strategy to support organizational objectives; 2) appropriate risk management measures to protect the confidentiality, integrity, and availability of critical information and systems; 3) optimized security investment for value delivery; 4) security architecture(s) that manage critical infrastructure resources effectively and efficiently; 5) monitoring and reporting on information security processes to ensure objectives are achieved; 6) integration of all relevant assurance factors to ensure that processes operate as intended end-to-end.

BACKGROUND AND INTRODUCTION
This document details the Bryant University Information Security Program. The document sets forth a university-wide program for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting and protecting university information assets and technology resources. The goal is consistent delivery across all divisions of the university. This same risk-based Program applies to any extension of the campus beyond its Smithfield borders. Adoption of the Program ensures that the university implements and maintains effective information security controls that safeguard valuable university assets (information, people and identities, applications and infrastructure).

SCOPE
The information security program is designed to protect the university’s information assets and to ensure their confidentiality, integrity, availability, accountability, and auditability. An information security program includes the coordinated set of activities, projects and/or initiatives designed to develop the program, implement the strategy, and manage the outcomes. The objective is to enable the university and its students, employees, faculty, partners and customers to carry out teaching and learning, conduct research or business, and exchange information and ideas in a secure environment where risk is carefully managed and protection of assets is both comprehensive and pervasive. The program covers all university computing resources and information assets, including but not limited to those managed by administrative staff, university departments, and third-party managed services. The program applies to everyone who uses, maintains or manages university business processes, applications and infrastructure.

1.0 SENSITIVE DATA
The University manages sensitive data from many sources, including: Personally Identifiable Information (PII); accounting, banking and sensitive financial information subject to GLBA; credit card data subject to PCI DSS; student education records subject to FERPA; protected health information subject to HIPAA; and similar regulated data. All of this information requires protection from unauthorized access and disclosure, which in turn requires a thorough understanding of the nature of the information and of where it is located and how it is created, transmitted, shared, stored, deleted and ultimately destroyed. University business information belongs to the unit ultimately responsible for the business process that produces it.

2.0 SECURITY PROGRAM GOVERNANCE AND MANAGEMENT
The Bryant University Information Security Plan is approved by the President and the CIO. The Plan sets the direction for information security and for information security program strategy, development, and management at the university.

Governance and Management Structure

  • President’s Cabinet – establishes the program to protect the assets and interests of the university;
  • The Chief Information Officer (CIO) – ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on university objectives to be achieved; sets direction through prioritization and decision making;
  • Information Security Program Committee (ISPC) – leads in the adoption of standards and the development of guidelines and recommendations required to protect the university’s information assets and technology resources;
  • Information Security Officer – chairs the ISPC; responsible for designing, implementing and managing the security program in alignment with the direction set by university governance bodies.

Information Security Program Committee Charter
Bryant University recognizes that protection of information assets and technology resources is critical to the functioning of the university. It is the responsibility of all members of the university community to safeguard these assets. The Information Security Program Committee will foster adoption of a written information security program that includes consistent and complete standards, guidelines and procedures to protect these assets.

Objectives
The Information Security Program Committee serves the following functions:

  • Oversee guidelines and recommendations for implementing the university’s information security policy;
  • Oversee the development of standards, guidelines and procedures required to protect the university’s information assets and technology resources;
  • Serve as a forum for collaboration among the participants to ensure consistent approaches to assessing, mitigating and responding to risks;
  • Ensure security controls are implemented, maintained and reported on;
  • Facilitate requests to provide information security assurance, metrics and reports;
  • Give constituents and other interested parties confidence that their information is being protected in accordance with recognized security standards, while at the same time assuring university management that the university’s own proprietary information is being properly protected.

3.0 PROGRAM COORDINATION
The university employees designated for the coordination and execution of this program are the Information Security Officer (ISO) in the Office of Information Services and the representatives from divisional units who together form the Information Security Program Committee (ISPC). The program will be evaluated periodically and adjusted as necessary in light of relevant circumstances, including changes in the university’s business arrangements or operations, or as a result of testing and monitoring the safeguards.

The ISO and ISPC will work collaboratively in developing and overseeing an effective security program that ensures appropriate information security controls are in place and effective across the university.

4.0 GUIDELINES
The Office of Information Services (OIS) will set guidelines for the safeguarding of university information held in electronic form. The OIS will maintain and provide access to university practices, guidelines and recommendations that are designed to safeguard against anticipated threats to the security or integrity of university information, in electronic or other formats, and to guard against the unauthorized use of university information. Each relevant university business unit is responsible for securing the protected student, financial and educational records located in its unit in accordance with this program, all other university practices and applicable laws. Each relevant university business unit must develop and maintain a plan that details the safeguards and security procedures for information located in its unit, and will make that plan available to the OIS upon request.

5.0 SECURITY GOALS AND OBJECTIVES

The security program has the following goals:
  1. Develop a Program implementation roadmap for the university inclusive of all divisions and all university campus extensions. Review the roadmap with, and obtain approval from, the President’s Cabinet and/or the Information Security Program Committee (ISPC) for implementing the various components of the Program across all divisions and university extensions;
  2. Align with industry best practices [ISO 27002:2013, NIST, Critical Security Controls];
  3. Manage security throughout its lifecycle;
  4. Integrate security and compliance into “normal” operations;
  5. Identify, assign and acquire appropriate resources and investments (tools, technology, training, staffing) to implement and maintain the security program;
  6. Develop and communicate a comprehensive security framework which encompasses the following critical asset groups: Cyber-Security, Endpoint Security, Application Security, Network Security, Systems/Datacenter Security, Database Security, Identity and Access Management (IAM) Governance, Data Governance, Critical Business Unit Assets;
  7. Develop and implement a comprehensive communication plan designed to increase general awareness and to educate and advise key stakeholders on security program deliverables, policies, guidelines and recommendations regarding the protection of university assets.

6.0 PROGRAM FRAMEWORK
The information security program largely adopts the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” for managing the University’s information assets. The framework is a flexible, risk-based approach that can be used with a broad array of information security risk management processes. Adopting the framework allows the university to establish a roadmap for reducing risk that reflects university risk management priorities.

The framework provides a common taxonomy and mechanism to:

  • Describe the university’s current security posture;
  • Describe the university’s target (desired) state for security;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate risk among internal and external stakeholders.

The framework will be implemented over time and scaled in accordance with university priorities within the practical constraints of budget and resources. 

7.0 SECURITY CONTROLS
The security program recognizes the importance of having multiple best-practice “guidance systems” to navigate the University’s information security efforts. Therefore, the program promotes a balanced portfolio of management, operational and technical controls drawn from NIST, ISO 27002:2013, and the Critical Security Controls from the Council on CyberSecurity.

Security controls as defined by NIST: “the management, operational, and technical safeguards or countermeasures prescribed for an information system to adequately protect the confidentiality, integrity, and availability of the system and the information it contains.”

8.0 PERFORMANCE METRICS
The program will assess and, where applicable, measure security program performance and report the results to management for review. Effective security program metrics will be developed based on the following criteria:

  • Meaningful – The metric must be understood by the recipients;
  • Accurate – A reasonable degree of accuracy is essential;
  • Cost effective – The measurements should not be costly to acquire or maintain;
  • Repeatable – The measure must be reliable over time;
  • Predictive – The measurement must be indicative of outcomes;
  • Actionable – It should be clear to the recipient what action should be taken;
  • Genuine – Not random or subject to manipulation.

9.0 PROGRAM IMPROVEMENT
The following steps will be repeated as necessary to continuously improve the program:

  • Assess prioritization and scope of the program;
  • Orient the program to changes in scope, assets and risk approach;
  • Conduct periodic risk assessments guided by the university’s overall risk management process;
  • Continue to update the university’s target profile;
  • Determine, analyze, and prioritize gaps in the program;
  • Implement new action plans.

10.0 ENACTMENT AND REVISIONS
Date Enacted: 5/14/2012
Revision: 2017-001
Last Reviewed: 6/2/2017