Information Security Plan

February 2017

Introduction

Washington and Lee University's commitment to information technology (IT) security can be seen through its Information Security Program (ISP), Confidentiality Policy, eCommerce Policy and Practices, and the Computing Resources, Network and E-mail Use Policy.

Mission and Objective

The mission of the Office of Information Technology Services (ITS) Information Security Plan is to support the academic mission and culture of Washington and Lee University by striving to ensure the availability, confidentiality, and integrity of the university's information technology assets in accordance with the University's Information Security Program and Confidentiality Policy and other applicable standards and procedures. ITS has defined the role of Chief Information Security Officer (CISO) to help coordinate IT security efforts. This plan has the following main components: risk management; incident response; awareness; policy; and compliance/tools.

Scope

This plan applies to any use of the University's computing or network resources as defined in the Computing Resources, Network and E-mail Use Policy, and the University's Confidentiality Policy. Additional standards and procedures may govern specific data or computer systems or networks provided or operated by third-party service providers.

Definitions, Roles and Responsibilities

Confidential Information is defined by the University's Confidentiality Policy as "...any personally-identifiable student and parent records, financial records (including social security and credit card numbers), and health records; contracts; research data; alumni and donor records; personnel records other than an individual's own personnel records; University financial data; computer passwords, University proprietary information/data; and any other information for which access, use, or disclosure is not authorized by: 1) federal, state, or local law; or 2) University policy or operations."

The Financial Information Security policy similarly defines "non-public personal information" and "covered data", stating that "...W&L chooses as a matter of policy to also define covered data and information to include any bank and credit card account numbers, income and credit information, tax returns, asset statements, and social security numbers received in the course of business by the University..."

Data Trustee: Data trustees are the senior university officials (or their designees) who have planning and policy-level responsibility for data within their functional areas and management responsibilities for defined segments of institutional data. Responsibilities include assigning data stewards, participating in establishing policies, and promoting data-resource management for the good of the entire university. These are the Provost/VP-level officials.

Data Steward: Data stewards are university officials having direct operational-level responsibility for information management - usually department heads or directors. Data stewards are responsible for data access and policy implementation issues. Examples of these are the University Registrar, Executive Director of Human Resources, Controller, etc. Please note: these are listed as data "custodians" in the University's Student Education Records Policy as it refers to the Family Educational Rights and Privacy Act of 1974 (commonly referred to as the "Buckley Amendment" or "FERPA"), but insofar as many electronic records are concerned, they are stewards and the IT/ITS personnel are custodians (see below) by this plan.

Data Custodian: The custodian is responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes; granting access privileges to system users as authorized by data trustees or their designees (usually the data stewards); and implementing and administering controls over the information. In many cases, ITS is the data custodian but not always. If the data custodian is a third-party service provider, extra steps are required to ensure the secure transmission, storage, and handling of the university's confidential information or covered data.

Data User: Data users are individuals who need and use university data as part of their assigned duties or in fulfillment of assigned roles or functions within the university community. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of those data.

Chief Information Security Officer (CISO): The CISO helps coordinate security efforts and assists with the dissemination of policies, procedures and guidelines to the university community; helps raise information security awareness through education and training; helps develop risk management plans and incident response procedures; analyzes security incidents; and develops a set of tools to assist investigation and compliance.

Information Security Program (ISP) and ISP Committee: The ISP and the ISP Committee were organized at the direction of the Provost in 2003 to comply with the Gramm-Leach-Bliley Act (GLBA) and to implement the "Safeguards Rule" issued by the Federal Trade Commission. The ISP Committee is chaired by the ISP Coordinator and the Committee has responsibility, in advising the Provost, for the ISP. The original program scope was intentionally broader than necessary for simple legal compliance, and requires all departments to have written procedures documenting the safeguards used to protect the University's information assets.

Risk Management

Risk management is an ongoing process of mitigating risks to the University based on risk assessments. The ISP Financial Information Security (Elements 2 and 3) specifies the identification and assessment of risks and the design, implementation and monitoring of safeguards against those risks. Risk assessment is the continuous evaluation of threats, vulnerabilities, and impacts to information assets; risk management is the design, implementation, and monitoring of the safeguards necessary to protect University IT assets.

Risk Assessment Procedures

Data Custodians are responsible for performing the following steps to assess the risks to university data under their operations. Please review the Risk Assessment Guidelines before proceeding.

Step 1: Identify servers/systems, applications, databases, computer shares, or other locations with university data.

The identification of university data may involve, but is not limited to, formal surveys, new application/server requests, word of mouth, and software-based scans for certain confidential information or covered data (e.g., SSNs, credit card numbers).

Additionally, the ISP Committee has developed a web-based survey that the Office of General Counsel (OGC) circulates on a schedule to all data stewards/trustees to help identify where and how data is used and stored. Information from that survey can also be used to help identify network locations with university data that need to be protected.

Third-party service providers: If confidential information or covered data are being handled or processed by a third-party service provider as data custodian, the contract(s) must be reviewed by the OGC. The contracts must carry provisions that ensure the proper handling of the confidential information or covered data. Additionally, the vendor must provide a written statement of the risks and safeguards in place to the CISO.

Step 2: Classify the data identified during Step 1.

Consult the definitions of confidential information and covered data above, as well as the Risk Assessment Guidelines, to determine the data classification.

Step 3: Identify safeguards or planned safeguards (see ITS Security Safeguards for IT Resources).

Data custodians in conjunction with data stewards/trustees need to document all existing safeguards or planned safeguards to help protect the University's assets from identified threats and vulnerabilities. The Office of ITS has compiled a non-exclusive list of possible safeguards (see ITS Security Safeguards for IT Resources) to assist with determining the proper data handling guidelines for compliance.

If confidential information is not necessary or essential to the system's function, eliminate it to reduce the risk.

Step 4: Develop a Risk Management Plan for how identified risks will be managed.

Since not all risk can be eliminated, a Risk Management Plan can now be developed, and the process of mitigating the threats that could exploit the identified vulnerabilities can begin.

A Risk Management Plan must be a written plan (see Element 3 Financial Information Security) that includes at least the administrative, technical, and physical safeguards being used or needed to adequately protect the confidential information of the university. The Risk Management Plan will be provided to the CISO, Chief Technology Officer (CTO), the Coordinator of the ISP Committee and other departmental administrators, to allow the prioritization of resources (e.g., staffing, funding). If the data custodian is not ITS, the data custodian (i.e., the third-party service provider) will be responsible for providing the CISO with a written Risk Assessment and Risk Management Plan, which must include at least the minimum information above.

Review the plan and return to Step 1 annually or semi-annually, or whenever there is a system or procedural change.

Incident Response Procedures

An IT security incident, for the purposes of this ITS Security Plan, is defined as any event that impacts or has the potential to impact the confidentiality, availability or integrity of W&L IT resources (Computing Resources, Network and E-mail Use Policy). This document includes the procedures and guidelines regarding IT security incident response. Specific procedures may vary depending on the type of incident, but all procedures include the following steps:

  1. Discovery
  2. Documentation
  3. Notification
  4. Acknowledgement
  5. Containment
  6. Investigation
  7. Resolution
  8. Closure

In order to coordinate response to and resolution of IT security incidents, the Office of ITS has established an Incident Response Team (IRT). The ITS IRT is led by the CISO and includes the following (or their designee):

  • Chief Information Security Officer
  • Director of Enterprise Systems and Integration Services
  • Director Client Services
  • Director Network Infrastructure Services
  • Director Core Services
  • Data Custodian (as needed if not ITS)

Summary of Incident Response and Legal Issues

Examples: defamation, civil fraud, harassment, theft

Secure any evidence as is necessary, and contact the CISO, Campus Security, or the OGC.

Summary of Incident Response Communications Outside ITS - All communications will need to be authorized through the CTO in conjunction with the W&L Communications and Public Affairs Office as necessary.

Incident Response Procedures for Vulnerabilities

Examples: patch or upgrade needed, weak password, unrestricted access

  1. Discovery. The CISO uses various tools to scan the University's address space for vulnerabilities. Other sources include monitoring notifications from vendors and security groups.
  2. Documentation. The CISO documents and tracks all discovered vulnerabilities.
  3. Notification. When a vulnerability is discovered, the CISO or IRT will notify the appropriate contacts. The notification may be augmented as needed to include other necessary staff.
  4. Acknowledgement. Not all vulnerability notifications require an acknowledgement; the email notification will include the applicable instructions.
  5. Containment. IT resources with vulnerabilities should be contained until the vulnerability is resolved.
  6. Investigation. The responsible contact must investigate the vulnerabilities identified and research applicable security resources to determine the appropriate remediation.
  7. Resolution. The responsible contact must resolve the vulnerabilities identified in the notifications. They should follow established change management procedures to make applicable software updates. Common resolutions to correct a vulnerability include upgrading and patching. Alternatives include physical, network, host, user and/or other access restrictions. Please contact the CISO if other resolutions may also apply.
  8. Closure. The CISO will review the various steps above, and close the ticket when appropriate.

Incident Response Procedures for Compromised IT Resources

Examples: attack/exploit, backdoor or trojan, denial of service, malware, unauthorized access or disclosure, loss or theft of IT resource

  1. Discovery. The CISO receives and processes discovery notifications of compromised IT resources from various sources including the anti-virus products, the Fortinet firewall, and reports from employees.
  2. Documentation. ITS documents and tracks all discovered compromised IT resources. The anti-virus reporting servers are configured to generate an email alert that is directed into the WebHelpDesk tracking system. The CISO may also track compromised resources in a separate tracking system.
  3. Notification. When a compromised resource is discovered, the CISO or IRT will notify the appropriate contacts. The anti-virus reporting servers are configured to generate an email alert directly into the WebHelpDesk tracking system, which will then assign the ticket to the appropriate contact and generate an email notification to the contact.
  4. Acknowledgement. These notifications should be acknowledged as soon as possible.
  5. Containment. If the IT resource is actively engaged in attacking other resources, it must be contained immediately. Containment can be achieved by immediately disconnecting the resource from the network, revoking user access, or other means as appropriate. If the compromised resource is a critical system, the CISO must be contacted before any action is taken.
  6. Investigation. The responsible contact must investigate the compromised resource and research applicable security resources to determine the appropriate remediation. ITS has developed the Malicious Code Incident Response Procedures and Guidelines to assist with investigating virus, trojan, spyware, and other malicious software.
    Evidence Collection and Retention: a) All compromised hosts must be scanned for confidential information or covered data. b) If confidential information or covered data are discovered on a compromised system, contact the CISO immediately. The first step for the CISO or CTO will be to contact the Office of General Counsel seeking legal advice to establish attorney-client privilege. The CISO will direct and coordinate the rest of the incident response.
  7. Resolution. Compromised resources should be resolved as soon as possible. If a compromise includes certain malware (rootkit, backdoor, keystroke loggers, etc.), the host must be rebuilt from scratch or re-imaged. Incidents must be resolved and the host re-evaluated for vulnerabilities before compromised hosts are reconnected to the network or filters/blocks are lifted. In some cases, the CISO or IRT may request real-time proof to ensure the host is safe to resume network connectivity.

    Using the information from the investigation, the CISO or IRT will determine incident severity and, if confidential information or covered data are discovered on a compromised system, will use the following reasonable belief scale to help Data Trustees/Stewards make a notification determination:

    Reasonable Belief Scale:
    • Level 1: Confirmed that confidential or covered data were not compromised
    • Level 2: Reasonable belief that confidential or covered data were not compromised
    • Level 3: No data available to determine if confidential or covered data were compromised
    • Level 4: Reasonable belief that confidential or covered data were compromised
    • Level 5: Confirmed that confidential or covered data were compromised.
  8. Closure. The CISO will review the various steps above, and close the ticket when appropriate.
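The software-based scan for covered data mentioned in Step 1 of the risk assessment, and required for every compromised host under Evidence Collection step 6(a) above, can be as simple as the following pattern-and-checksum scan. This is an added example written for this page, not the university's own tooling: the SSN issuance rules and the Luhn check are public standards, and the sample export text is constructed.

```python
"""Covered-data discovery scan: an added example, not Washington and Lee's own tooling.

Finds candidate Social Security numbers and Luhn-valid payment card numbers in
text so a data custodian can locate covered data during Risk Assessment Step 1
or check a compromised host under Evidence Collection step 6(a). Only the last
four digits of each hit are reported, so the scan output does not itself become
a new copy of covered data.
"""
import re
from typing import List, Tuple

# Candidate SSN: 3-2-4 digits with identical separators (dash, space, or none).
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")
# Candidate card number: 13 to 19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn check-digit test used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject candidates the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) pairs for every covered-data hit in text."""
    hits: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        if plausible_ssn(area, group, serial):
            hits.append(("ssn", "***-**-" + serial))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


# Constructed sample export; the numbers are public test/placeholder values, not real data.
SAMPLE = (
    "Spreadsheet export 2017-02-01\n"
    "Jane Sample, 078-05-1120, card 4111 1111 1111 1111\n"        # plausible SSN, Luhn-valid test card
    "John Placeholder, 000-12-3456, card 4111-1111-1111-1112\n"   # unissued area 000, Luhn failure
    "Ticket 2017020112345, phone 540-458-8400\n"                  # 13 digits but fails Luhn; phone is 3-3-4
)

if __name__ == "__main__":
    for kind, masked in scan_text(SAMPLE):
        print(f"{kind}: {masked}")
```

A production scan would walk files and database exports and record only the masked hits and their locations in the risk assessment; the false-positive filters here (issuance rules, Luhn) are what keep such a scan from drowning in ticket and phone numbers.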

Incident Response Procedures for Copyright Infringement (Copyright Policy)

Examples: unlicensed movies, music, or software

The University's Copyright Policy (Section "X. Policy Violations and Compliance With the Digital Millennium Copyright Act" [DMCA]) defines the necessary Incident Response Procedures to be followed, which are excerpted and abbreviated below to fit the format of this document. Please refer to the University's Copyright Policy for complete, official details.

  1. Discovery. If the University's Designated Agent receives a Notice of Infringement, s/he will review the Notice to ensure that it meets all the elements of notification under 17 U.S.C. § 512(c)(3), and will notify: 1) the Office of General Counsel (OGC); and 2) the University's Chief Technology Officer (CTO), or the CISO.
  2. Documentation. The CISO documents and tracks all notices of infringement.
  3. Notification. After consultation with the OGC and the CTO/CISO, the Designated Agent will notify the alleged infringer by written letter.
  4. Acknowledgement. All ITS Notices of Infringement should be acknowledged.
  5. Containment. The CTO/CISO will act as quickly as is feasible to remove or disable public access to the targeted materials and suspend network access of the alleged infringer.
  6. Investigation. The letter to the alleged infringer will inform him/her that his/her network account has been suspended (until he/she signs a Cease-and-Desist Statement), advise him/her of the right to file a counter-notification, indicate that he/she may still be subject to criminal/civil liability for infringement, and state that the matter may be referred to the appropriate University disciplinary body, supervisor, or administrator as a violation of University Policy.
  7. Resolution. If the alleged infringer files a counter-notification, the Designated Agent will forward it to the complainant, along with a notification that the removed material may be restored in ten to fourteen business days unless legal action is commenced against the alleged infringer. If the complainant fails to notify the Designated Agent that it has initiated legal proceedings within ten to fourteen business days after receiving a counter-notification, the Designated Agent will notify the CISO that the material may be restored.
  8. Closure. The CISO will review the various steps above, and close the ticket when appropriate.

Incident Response Procedures for Violations of University IT-related Policies

(e.g., Confidentiality Policy, Computing Resources, Network and E-mail Use Policy, Peer-to-peer File Sharing Prohibition)

Examples: excessive or disruptive use, complaint, spam, inappropriate content, suspicious activity

  1. Discovery. All W&L faculty, staff, and students who identify violations of an IT-related policy should notify the CISO or IRT promptly.
  2. Documentation. The CISO documents and tracks all notifications of IT-related policy violations.
  3. Notification. The CISO or IRT will notify the appropriate contacts. If the violation includes unauthorized disclosure or acquisition of confidential information or covered data, the CISO or IRT will direct notifications to the appropriate University administration or other parties as appropriate according to established University policies, procedures, or guidelines.
  4. Acknowledgement. All ITS notices of IT-related policy violations should be acknowledged immediately.
  5. Containment. The CISO or IRT will immediately notify the CTO and work as quickly as possible to contain the violator(s). Containment can be achieved by immediately disabling network access, disconnecting violators from the network, or other means as appropriate, unless the action would interfere with an investigation.
  6. Investigation. The CISO or IRT will coordinate the investigation in consultation with the OGC as necessary.
  7. Resolution. The CISO or IRT will work with the appropriate administrative office, and update the tracking system with the necessary information.
  8. Closure. The CISO will review the various steps above, and close the ticket when appropriate.

Incident Response Procedures for Suspicious Activities

Examples: sweeps, scans, unusual connections, excessive bandwidth consumption

  1. Discovery. ITS receives and processes discovery notifications of suspicious activity on the W&L network from various sources and reports from employees.
  2. Documentation. ITS documents and tracks all discovered suspicious activity in the WebHelpDesk tracking system. The CISO may also track suspicious activity in a separate tracking system.
  3. Notification. The CISO or IRT will notify the appropriate contacts and, as necessary, the appropriate University administration or other parties according to established University policies, procedures, or guidelines.
  4. Acknowledgement. Notifications of suspicious activity should be acknowledged immediately.
  5. Containment. Suspicious activity should be contained as appropriate until the investigation is complete or the incident is resolved. Containment can be achieved by immediately disconnecting the resource from the network, revoking user access, blocking network access, or other means as appropriate, especially if there is a definitive danger to the rest of the network.
  6. Investigation. The investigation should include an analysis and identification similar to the "Detection and Identification" section of the Malicious Code Incident Response Procedures and Guidelines.
  7. Resolution. Suspicious activity should be resolved as soon as possible. The responsible contact can update the WebHelpDesk tracking system with information concerning the suspicious activity.
  8. Closure. The CISO will review the various steps above, and close the ticket when appropriate.

Review - After an incident the CISO and IRT will review the response. The review may include the following:

  • Could additional/modified policy have prevented the incident?
  • Was a procedure or policy not followed, allowing the incident? If so, what could be changed to ensure the procedure or policy is followed in the future?
  • Have changes been made to prevent a new and similar situation?
  • Was the incident response appropriate? How could it be improved?
  • Was every appropriate party informed in a timely manner?
  • Were the incident response procedures detailed enough to cover the entire situation? How can they be improved?
  • Have changes been made to prevent a recurrence? Are all systems patched, systems locked down, passwords changed, anti-virus updated, etc.?
  • Should any security policies be updated?
  • What lessons have been learned from this experience?

Awareness

Increasing information security awareness at W&L can be accomplished through a security awareness training program that encompasses communication, policies and procedures, risk avoidance, best practices and incident response procedures.

This will include a combination of several tools ITS already has, supplemented by tools that need to be developed or expanded, including but not limited to:

  • Signing or other attestation of the Confidentiality Policy
  • Best-Practices web pages
  • Annual or semi-annual assessment and refresher training

Confidentiality Policy - All new employees are required to sign or attest that they have read and understand the Confidentiality Policy. This will be renewed/reviewed at least annually.

Training - The CISO will use a variety of methods to develop, publish, and track information security awareness courses and policies for all employees, as well as specific courses for those employees handling confidential data. These assessments will be conducted at least annually.

Web pages - The CISO, with the help of the ISP Committee, will develop and publish web pages with best practices, as well as guidance on information security requirements. As new threats and vulnerabilities evolve, the web pages will be updated.

Incident Response - During and after incident response the CISO will discuss information security in person with the affected offices and report in summary to the ISP Committee.

Policy

The ISP mission has its foundation in the policies of the university that drive the security standards and requirements. An initial list of existing policies includes:

  • Computing Resources, Network and E-mail Use Policy
  • Confidentiality Policy
  • Copyright Policy
  • DMCA Policy
  • Privacy Policy
  • eCommerce Policy
  • Financial Information Security

The review conducted of each incident response will involve the assessment of current policies or the need for additional policies.

Compliance/Tools

A successful information security program will have a variety of tools to protect assets, enforce policy compliance, and proactively identify weaknesses. At W&L this includes, but is not limited to, the following:

Antivirus - W&L ITS licenses antivirus clients for Windows and Mac computers for all faculty, staff and students.

Local Firewalls - Most operating systems now include a local firewall - e.g., the Windows 7, 8, and 10 Firewall and the Mac OS X Firewall.

Spam Filter/Email Virus Scanning - W&L currently outsources spam filtering and email antivirus filtering to Microsoft Office 365 Exchange Online Protection.

Network Scanning - The CISO and affiliates will, at least semi-annually, conduct proactive network scanning, system probing, or penetration testing of systems on the W&L network to identify vulnerabilities. The results of scans will be communicated to the Data Custodian(s) for remediation under the Incident Response portion of this plan.

Currently, ITS is using QualysGuard Enterprise Suite for vulnerability assessments, which includes a network scanner appliance on the W&L network in addition to off-premise scanners. This scanner will be used to proactively identify risks and vulnerabilities in servers, applications, and hardware on the W&L network.

Virtual Private Network (VPN) - Using W&L's SSL VPN client, faculty, staff, and students can securely access on-campus resources from off campus.

Incident Response/Forensics - During an incident there will be a need for tools that ITS does not currently have including a "WriteBlocker" tool. This tool will be used to prohibit writing to media which could contaminate any forensic evidence.

Key to Abbreviations

CISO - Chief Information Security Officer
CTO - Chief Technology Officer
FERPA - Family Educational Rights and Privacy Act of 1974 (also known as the "Buckley Amendment")
GLBA - Gramm-Leach-Bliley Act
IRT - Incident Response Team
ISP - Information Security Program
IT - information technology
ITS - Information Technology Services
NAC - Network Access Controls
OGC - Office of General Counsel
SSN - social security number
SAV - Symantec Antivirus
VPN - Virtual Private Network
