Policy Title

Information Security - Master Policy

Statement

This Master Policy governs the planning, organization, management, and security controls deployment for Winthrop University Information Security.

Scope

This policy applies to all Winthrop University faculty, staff, students, and users of information assets or systems.

Policy Number: 7.1.01
Effective Date: 12/16/2020
Date Reviewed: 04/29/2020
Last Review Date:
Responsible Official: Craig Sauvigne, Caroline Overcash, Esq.
Responsible Office: Risk Management
Contact Information: infosec@winthrop.edu

Definitions

Agency, State Government: refers to any South Carolina state agency, institution, institution of higher learning, department, division, board, commission, or authority.

Business Unit: a logical element or segment of a company (such as accounting, production, marketing) representing a specific business function, and a definite place on the organizational chart, under the domain of a manager. Also called department, division, or a functional area.

Guidance: refers to best practices and industry standards that have been used as a guide to develop the security policies and the policy supplements.

Information security liaison: the official responsible for carrying out the “Chief Information Officer” responsibilities within the agency under the Federal Information Security Management Act (FISMA) and serving as the primary liaison between the DIS office of the Chief Information Security Officer and the agency’s authorizing officials, information system owners, and information system security officers.

Information Security Plan: the collection of procedures and other guidance developed by state government agencies to implement the SC DIS Information Security Program within the agency.

Risk posture: identifies the specific threats that the agency faces and quantifies the risks associated with each of those threat events materializing.

SC DIS: South Carolina Division of Information Security.

SC DIS Information Security Program: the collection of policies, procedures, and other guidance published on the SC DIS website (dis.sc.gov).

1.0 Definitions

1.1 Control, Information Security: refers to any process or technology intended to reduce a security risk.

1.2 Policy exemptions: scenarios which require exemption from the existing provisions of the Security policy are called policy exemptions.

1.3 Specific meanings of bolded terms seen throughout this policy can be found within the University’s Policy Definitions Glossary by following the link below.

1.4 http://www.winthrop.edu/policy-definitions-glossary/


2.0 Information Security Program Planning

2.1 Information Security Plan

2.1.1 Winthrop University shall develop and communicate an information security plan that outlines security requirements, the security management controls, and common controls in place for meeting those requirements.

2.1.2 Winthrop University’s information security plan shall identify and assign security program roles, responsibilities and management commitment, and ensure coordination among the University’s business units, as well as compliance with the information security plan.

2.1.3 Winthrop University shall ensure coordination among the University’s business units responsible for the different aspects of information security (i.e., technical, physical, personnel, etc.).

2.1.4 The Winthrop University Board of Trustees shall authorize the development of an information security plan.

2.1.5 The information security plan shall be approved by executive leadership.

2.1.6 Winthrop University shall review the information security plan on at least an annual basis.

2.1.7 Winthrop University shall update the information security plan to address changes and problems identified during plan implementation or security control assessments.

2.1.8 Winthrop University shall protect the information security plan from unauthorized disclosure and modification.

2.2 Information Security Resources

2.2.1 Winthrop University shall consider resources needed to implement and maintain the information security plan in capital planning and investment requests.

2.3 Plan of Action and Milestones (POAM) Process

2.3.1 Winthrop University shall implement a process for ensuring that plans of action and milestones for the information security program and associated information systems are developed and maintained.

2.3.2 Winthrop University shall review plans of action and milestones for consistency with the University’s risk management strategy and priorities for risk response actions.

2.4 Information Security Measures of Performance

2.4.1 Winthrop University shall develop, monitor, and report on the results of information security measures of performance, as directed or guided by the SC Division of Information Security and SC Enterprise Privacy Office.


3.0 Information Security Organization (Roles and Responsibilities)

3.1 Information Security Authority

3.1.1 Winthrop University’s executive leadership shall ensure that the University’s senior leadership group is given the necessary authority to secure the operations and assets under its control.

3.2 Information Security Liaison

3.2.1 Winthrop University shall appoint an information security liaison with the mission and resources to coordinate, develop, implement, and maintain an information security plan.

3.3 Information Security Workforce

3.3.1 Winthrop University shall establish an information security workforce and professional development program appropriately sized to the University’s information security needs.

3.4 Role-based Security Training

3.4.1 Winthrop University shall provide role-based information security training to personnel with assigned information security roles and responsibilities.


4.0 Policy Management (Plan of Action)

4.1 Procedure Development

4.1.1 Winthrop University shall adopt a risk-based approach to identify State and Winthrop University-specific information security objectives, and shall develop information security procedures in alignment with the identified security objectives.

4.1.2 Winthrop University shall allocate the appropriate subject matter experts to the development of State and Winthrop University-specific information security procedures.

4.1.3 Winthrop University shall approach independent external (third party) specialists to assist in the development of information security policies in cases where it is established that the required skills do not exist within the University and are not available within any other state government agency.

4.1.4 Winthrop University shall work in collaboration with other states, the Federal government, and external special interest groups in cases where procedures directly or indirectly affect interfacing activities with them.

4.1.5 Information security procedures that are developed at Winthrop University shall contain the following information, as appropriate:

(a) Revision history

(b) Introduction

(c) Preface

(d) Ownership, roles, and responsibilities

(e) Purpose

(f) Policy statements

(g) Policy supplement

(h) Guidance

(i) Definitions

4.1.6 Scenarios which cannot be effectively addressed within the constraints of Winthrop University’s information security procedures shall be identified as exceptions:

(a) Exceptions shall be evaluated in the context of potential risk to Winthrop University as a whole;

(b) Exceptions that create significant risks without adequate compensating controls shall not be approved; and

(c) Exceptions shall be consistently evaluated in accordance with the University’s risk acceptance practice.

4.1.7 The University shall review each draft procedure with the stakeholders who will be impacted by the procedure, to ensure that the procedure is enforceable and effective.

4.1.8 The University shall identify gaps within the procedures that are not enforceable and effective, shall document the gaps, and shall assign the appropriate resources to remediate the gaps.

4.1.9 The University shall develop and implement a communication plan to disseminate new procedures or changes to existing procedures.

4.1.10 The University shall review procedures on an annual basis to ensure that procedures are up-to-date and aligned with the State’s risk posture.

4.2 Procedure Review and Approval

4.2.1 A procedure governance committee shall be established for the purpose of review and approval of procedures.

4.2.2 Procedure exemptions shall be explicitly approved by the procedure governance committee.

4.2.3 Procedure approval history shall be documented in detail.

4.3 Procedure Implementation

4.3.1 The University shall implement mechanisms to help ensure that information security procedures are available to the University’s personnel on a continuous basis and whenever required.

4.3.2 The University shall require employees to review and acknowledge understanding of information security procedures prior to allowing access to sensitive data or information systems.

5.0 Information Security Controls Deployment

5.1 Controls Deployment

5.1.1 The University shall adopt a risk-based approach to prioritize deployment of controls.

5.1.2 The University shall allocate the appropriate subject matter experts to the deployment of State and University-specific information security controls.

5.1.3 The University shall approach independent external (third party) specialists to assist in the deployment of information security controls in cases where it is established that the required skills do not exist within the University and are not available within any other state government agency.

5.1.4 Controls which cannot be deployed due to the University’s resource or other constraints must be reported to the office of the State Chief Information Security Officer.

5.1.5 The University shall review each control with the stakeholders who will be impacted, to ensure that the control is enforceable and effective.

5.1.6 The University shall identify gaps within the controls that are not enforceable and effective, shall document the gaps, and shall assign the appropriate resources to remediate the gaps.

5.1.7 The University shall develop and implement a communication plan to disseminate new controls or changes to existing controls.

5.1.8 The University shall review controls on an annual basis to ensure that they are up-to-date and aligned with the State’s risk posture.


This section was intentionally left blank.

NIST SP 800-53 Revision 4: PM-2 Senior Information Security Officer

NIST SP 800-53 Revision 4: PM-13 Information Security Workforce

NIST SP 800-53 Revision 4: AT-3 Role-based Security Training

NIST SP 800-100: 2.2.3.1 Agency Head

NIST SP 800-53 Revision 4: PM-1 Information Security Program Plan

NIST SP 800-53 Revision 4: PM-3 Information Security Resources

NIST SP 800-53 Revision 4: PM-4 Plan of Action and Milestones Process

NIST SP 800-53 Revision 4: PM-6 Measures of Performance

This section was intentionally left blank.

© Winthrop University · 701 Oakland Avenue · Rock Hill, SC 29733, USA · 803/323-2211