Information Security Program

PURPOSE

Shepherd University’s Information Security program is comprised of policies, network and security architecture, and current IT procedures and practices. It is an iterative process that, holistically, reflects an Information Security Program that is designed to provide technical and operational safeguards and mitigate risks regarding the storage and processing of sensitive and protected data, as described in the DATA CLASSIFICATION POLICY. Furthermore, it is designed to ensure the confidentiality, integrity, and availability of student and employee systems and data.

Shepherd University adheres to the philosophy of “Defense in Depth,” a practice which implements several layers of protection to contribute to an overall security posture. These include

1. Physical access controls.
2. Logical access controls.
3. Perimeter, network, and server security.
4. Penetration testing and tabletops in cooperation with external partners.
5. Third party data security agreements for external vendors.
6. Employee training and awareness.

By implementing an effective Information Security Program, the University demonstrates its commitment to safeguarding sensitive and protected data and mitigating the risk of security incidents.

PROGRAM DESCRIPTION

A yearly CIS CSTAT risk assessment forms the basis for the development, evaluation, and modification of the Information Security Program. The results of these risk assessments are reviewed with Executive Leadership.

The Information Security Program informs and influences the following:

• Design and implementation of safeguards to mitigate and address identified risks to sensitive and protected data. See Data Classification Policy.
• Policies and procedures, such as Access Control Procedures.
• Oversight of information system service providers.
• Consultation on projects that relate to data security.

In addition to the yearly CIS CSTAT risk assessment, risks may also be identified through the use of external audits, penetration testing, review of logs and similar activities. Shepherd University works with external cybersecurity providers to conduct two tabletop information security reviews per year, and a penetration test every other year. The outputs of these activities inform the creation and modification of the Information Security Program. The University reviews its Information Security Program yearly in order to ensure that changes and newly identified risks are accounted for.

The Office of the CIO/CISO also acts as a resource for campus project management to ensure that security is accounted for throughout the project lifecycle. The Office of the CIO/CISO also conducts a review of vendor contracts and new installations to ensure that they meet security requirements.

BANNER SYSTEM CHANGE MANAGEMENT

Updates to the Banner system are coordinated with internal IT Teams and Data Custodians. When a need for an update is identified, the following steps are taken and documented.

1. The update is announced to the Data Custodians and an installation to one of the test databases is scheduled.
2. Internal IT teams are notified, if necessary.
3. The installation takes place, and the Data Custodians begin testing the upgrade/release.
4. When Data Custodians and IT Services agree that testing is complete and successful, a date is scheduled for the production upgrade.
5. Internal IT teams are notified. Estimated production downtimes are announced to internal IT and Data Custodians.
6. The upgrade takes place as scheduled.

SCOPE of AFFECTED PARTIES

This policy applies to all users, such as students, faculty, and staff of Shepherd University and to other persons accessing Shepherd University information assets and/or IT resources including but not limited to authorized agents or community members, regardless of whether such information asset or IT resource is accessed from on-campus or off-campus.

ROLES & RESPONSIBILITIES

All Shepherd University students, faculty, staff, and other parties with access to Shepherd University information assets and IT resources shall be responsible for:

USERS

• Understand and comply with the guidance provided by this policy, as well as applicable compliance programs and affiliated awareness training with all applicable laws, standards, procedures, and university protocols.
• Physically secure and safeguard information assets and IT resources, within the user’s possession and control, including abiding with the safe handling of data.
• Promptly report any suspected violation of this policy, any security events, and/or incidents involving a suspected compromise of a user’s account or IT resource to itworkorder@shepherd.edu.

CIO/CISO – INFORMATION PRIVACY OFFICER

• Oversee and administer this policy.
• Provide authorization and direction to IT Services staff in accordance with this policy.
• Develop awareness and necessary training materials as it pertains to this policy.

IT SERVICES STAFF

• With appropriate authorization, take directed action in accordance with this policy to preserve, secure, and protect the interests of Shepherd University.
• Ensure all associated procedures are followed and documented accordingly when taking any actions outlined in this policy.

RELATED TOOLS

TRAINING
• Family Educational Rights & Privacy Act (FERPA) Training
• Gramm-Leach-Bliley Act (GLBA) Training

RELATED POLICIES & GUIDELINES
BOG#35: Information Technology Security
Acceptable Use Policy
IT Information Security & Privacy Policy
Social Security Number Guidelines
Work from Home / Remote Access Guidelines

POLICY: Information Security Program
IMPACT: Data, Technology, and IT Resources
RESPONSIBLE OFFICE: IT Services
CREATED: February 7, 2024
REVIEWED: February 16, 2024
APPROVED BY: CIO/CISO – Information Privacy Officer
VERSION: 24.1