Information Security Program Policy

Approved by: President
Approval Date: June 26, 2023

POLICY STATEMENT

This document establishes the policy for the Information Security Program at Western Illinois University (WIU). The policy is driven by many factors, including the need to protect the confidentiality, integrity and availability of WIU data and systems. It sets the ground rules under which WIU shall operate and safeguard its information and information systems in order to reduce risk and minimize the effect of security incidents and threats, in accordance with WIU's risk appetite.

SCOPE (WHO SHOULD READ THIS POLICY)

This policy applies to all WIU information, information systems, information technology activities, and information technology assets owned, leased, controlled, or used by WIU, WIU agents, contractors, or other business partners on behalf of WIU.

This policy applies to all WIU employees, contractors, sub-contractors, and their respective facilities supporting WIU business missions, wherever WIU data is stored or processed.

POLICY

Background

In order to provide an effective framework for implementing and enforcing the Information Security Program, WIU maintains numerous policies and procedures that ensure the confidentiality, integrity and availability of University information and systems and that implement the security controls referenced herein.

Information Technology Controls

WIU collects, generates, and stores student, financial, employee, alumni, donor and other sensitive information. WIU is responsible and accountable for protecting and ensuring the confidentiality, integrity and availability of all of its data, regardless of how it is created, distributed, or stored. As part of the information security program, WIU implements IT security controls designed to protect its assets in accordance with the organization's risk appetite and in compliance with all federal and state regulations and requirements. The IT security controls implemented by WIU follow the framework of National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, as recommended by the Federal Trade Commission (FTC) and the Department of Education. NIST 800-171 (Revision 2) consists of 110 security requirements broken into fourteen (14) control families.

NIST 800-171 Security Control Families
  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Security Categorization

Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, provides a framework for determining a system's security category by rating the potential impact (low, moderate, high) of a loss for each of the three security objectives (confidentiality, integrity, and availability). Utilizing NIST 800-171, WIU has determined a moderate security control baseline for its assets, as recommended by the FTC and the Department of Education. NIST 800-171 describes the basis for that baseline as follows:

The requirements recommended for use in this publication are derived from FIPS 200 and the moderate security control baseline in SP 800-53 and are based on the CUI regulation [32 CFR 2002]. The requirements and controls have been determined over time to provide the necessary protection for federal information and systems that are covered under the Federal Information Security Management Act (FISMA).

WIU may elect to tailor the security control baseline applied to an asset to be greater than the moderate baseline, based on the assessed level of risk, but may not apply a baseline of less than moderate unless the asset is determined to contain only data classified as public, as defined in the Sensitive Data Handling Procedures in the Administrative Procedures Handbook.

Methodology

Review

Annually, WIU will perform a risk assessment of the current IT security controls established in the WIU System Security Plans, in accordance with the NIST 800-171 control framework. Per the GEN-16-12 guidance issued by the Department of Education, the annual risk assessment will, at a minimum, evaluate whether WIU performs the following:

  • Limit information system access to authorized users;
  • Ensure that system users are properly trained;
  • Create information system audit records;
  • Establish baseline configurations and inventories of systems;
  • Identify and authenticate users appropriately;
  • Establish incident-handling capabilities;
  • Perform appropriate maintenance on information systems;
  • Protect media, both paper and digital, containing sensitive information;
  • Screen individuals prior to authorizing access;
  • Limit physical access to systems;
  • Conduct risk assessments;
  • Assess security controls periodically and implement action plans;
  • Monitor, control, and protect organizational communications; and
  • Identify, report, and correct information flaws in a timely manner.

Implement

The implementation of security controls to protect WIU's mission and business processes requires proper application of the System Development Life Cycle (SDLC). University Technology staff shall determine how the SDLC applies to each asset within the defined information system boundary, to ensure that the proper security functionality is implemented on the appropriate systems and supporting infrastructure. Where more than one regulatory requirement applies to an asset, security controls must be implemented to the most stringent of those requirements.

Assess

The security controls must be tested and evaluated prior to implementation to ensure that the controls work as designed. University Technology maintains a change management process to ensure that changes to information assets are adequately tested and controlled prior to deployment to production. The results of security control testing provide the Change Advisory Board (CAB) with feedback on the effectiveness of the implemented controls and must be treated as a critical factor in the decision whether to deploy a change. Approval from the University Technology CAB is an essential milestone in the security authorization of system implementations and of changes to systems, and assures compliance with the information security program policy.

Authorize

All new implementations and changes to existing information systems must be authorized by University Technology. The authority to operate is granted through the Change Advisory Board (CAB) change management approval process. Approval to implement an information system change is based on the verified effectiveness of the security controls against WIU policies and standards, together with the identified risk to the organization's operations or assets.

Monitor

Security controls in an information system must be tested and evaluated on an ongoing basis, either periodically or continuously, to ensure that the controls continue to work as designed and remain effective in their implementation.

Third-Party Service Providers

The university will routinely monitor and assess the information security controls implemented by its third-party service providers. The university will not enter into a contract with a third-party service provider without first performing an assessment of its information security controls. This assessment must find that the third-party service provider's information security controls are equivalent to, or more stringent than, those employed by the university.

Technical Risk Assessments

The university must conduct penetration testing on an annual basis and vulnerability scanning on a monthly basis. University Technology must address the findings of the penetration tests and vulnerability scans in a timely manner, commensurate with the risks and threats posed by the vulnerabilities identified.

Incident Response Plan

University Technology must maintain a written incident response plan that contains processes for responding to an information security event; a clear definition of roles, responsibilities and decision-making authority; a communication plan; a remediation process; documentation and reporting expectations; and requirements for testing, updating and revising the plan, as needed.

Change Management Plan

The University Technology Change Management Plan establishes, maintains, and enforces security controls throughout an information system's life cycle. The process outlined in the plan is applied as a whole and encompasses the security authorization of information system changes and implementations. University Technology must maintain the plan, including updating and revising it, as needed.

Exceptions

If the university is unable to address an identified gap in control implementation, or a failure to meet university policies or processes, within one year of identification, it must document and formally accept the associated risk. If the university is able to address the gap within a year, the control failure or gap must be tracked in a corrective action plan.

RESPONSIBILITIES (Implementation and Enforcement)

The university shall appoint a designated qualified individual responsible for overseeing, implementing and enforcing the information security program. The qualified individual is responsible for reporting regularly to the CIO and the Director of Internal Audit on the effectiveness of the information security program. Additionally, the qualified individual is responsible for providing an annual written report to the Board of Trustees on the effectiveness of the information security program.

RESOURCES