Georgetown University Information Security Policy for Technology Service Provider Organizations, Systems and Network Admins (Legacy)

Approved by David Smith, University Information Security Officer, April 9, 2013

Statement

This policy defines and describes the information security responsibilities for Technology Service Provider Organizations (TSPs), Systems and Network Administrators (SNAs), Departmental Information Security Officers (DISOs), and their managers. All members of Technology Service Provider Organizations, all Systems and Network Administrators, and all Departmental Information Security Officers must comply with secure and responsible administrative, technical, and physical information security practices.

Applicability

This Policy applies to Georgetown University staff in departments designated as Technology Service Provider Organizations, to Systems and Network Administrators, to Departmental Information Security Officers, and to the Managers and Executives responsible for Technology Service Provider Organizations.

Guiding Principles and Purpose

Due to the nature of their jobs, Technology Service Providers, Systems and Network Administrators, Departmental Information Security Officers, and their managers, routinely handle, process, store, and use many types of University information. University employees in these positions are accountable for their management and use of University information. This Policy applies to all information that supports the operation or administration of the University and its research and educational missions.

This policy complements and supports other University policies that protect the University’s information assets and resources including, but not limited to, the Information Security Policy, Information Classification Policy, the Record Retention Policy, and the Policy on the Use, Collection, and Retention of Social Security Numbers. These, and other related policies, can be found at the Policies and Procedure tab at the University Information Security Office web site (http://security.georgetown.edu/).

Administration and Implementation

Technology Service Provider Organization staff and mangers, Systems and Network Administrators, and Departmental Information Security Officers are responsible for supporting the administration and implementation of the Georgetown University Information Security Policy. They are also bound by the responsibilities of Data Users, as defined in the Information Security Policy, the Procedures for the Protection of University Information, and other University policies.

Information security practices and procedures relevant to this Policy are detailed in the Procedures for the Protection of University Information.

Responsibilities

Members of the Georgetown University community with specific responsibilities governed by this policy are listed below. For clarification on the terms used in this document, please refer to the “Office of Information Services Policy Definitions, Roles, and Responsibilities.” The Procedures for the Protection of University Information defines the procedures required to fulfill these responsibilities.

The University Information Security Office is responsible for:

  • Appointing and overseeing Departmental Information Security Officers .
  • Managing an information security training and awareness program specific to the work of Technology Service Provider Organization staff, Systems and Network Administrators, and Departmental Information Security Officers .
  • Reviewing and approving, as appropriate, design and architecture plans developed by TSP personnel.
  • Auditing systems and services related to University information resources throughout the lifecycle.
  • Periodically reassessing this Policy to determine if revisions are needed to accommodate the fast-changing nature of information technology, or to address weaknesses in the Policy.
  • Handling and reporting incidents, and developing and disseminating procedures for handling such incidents.

Technology Service Provider Organization executives, managers, and staff; and Systems and Network Administrators are responsible for:

  • Understanding information security risks, and providing reasonable protections to the University systems and information under their management.
  • Undertaking responsibility for systems they design that others will maintain in the future.
  • Undertaking responsibility for systems they maintain, regardless of the original designer(s) or builder(s) of those systems.
  • Implementing designs, policies, and procedures that protect the integrity of those services for which they support authorized access.
  • Implementing authorizations by the Data Stewards to grant individuals access privileges to information resources.
  • Installing password mechanisms that meet or exceed the University standard and assisting users with the selection and management of strong passwords.
  • Ensuring the continued availability of University information resources under their management, and planning for the resumption of mission-critical business information services following the loss of equipment, data, and/or technology rooms due to flood, fire, equipment failure, natural disasters, etc.
  • Reporting suspected or known compromises of information resources, including contamination of resources by computer viruses, immediately upon discovering the known or suspected compromise, as described in the Procedures for Reporting a Security Incident.

Executives in charge of Technology Service Provider Organizations are responsible for:

  • Nominating qualified Departmental Information Security Officers.
    • Technology Service Provider Organizations required to nominate qualified Departmental Information Security Officers (Mandated Technology Service Provider Organizations) are listed in the Procedures for the Protection of University Information.
    • Other Technology Service Provider Organizations may opt to nominate Departmental Information Security Officers .
    • Should no qualified Departmental Information Security Officer be appointed, the functions of that role revert to the University Information Security Office.
  • Establishing supplemental security policies and procedures governing the information resources managed by the Technology Service Provider Organization, as approved by the University Information Security Office.

Departmental Information Security Officers are responsible for:

  • Complying with the nomination process.
  • Extending information security within their organization to systems and networks that they manage, including the verification of information security safeguards.
  • Maintaining their certification as Departmental Information Security Officers
  • Coordinating efforts with the University Information Security Office.
  • Reporting suspected or known compromises of information resources, including contamination of resources by computer viruses, immediately upon discovering the known or suspected compromise, as described in the Procedures for Reporting a Security Incident.

Enforcement

Pursuant to the Georgetown University Human Resources Confidential Information Policy, employees who violate the University’s Information Security Procedures may be subject to disciplinary action, up to and including dismissal. Unauthorized access or disclosure of legally protected information may result in civil liability or criminal prosecution.

Consistent with the Computer Systems Acceptable Use Policy, the University may temporarily suspend, block or restrict a user’s access to information and systems when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of University resources or to protect the University from liability.

The University may routinely monitor network traffic to assure the continued integrity and security of University resources in accordance with applicable University policies and laws. The University may also refer suspected violations of applicable law to appropriate law enforcement agencies.

Definitions

For clarification on the terms used in this document, please refer to the Office of Information Services Policy Definitions, Roles, and Responsibilities. Terms used in this policy include:

  • Departmental Information Security Officers
  • System and Network Administrators
  • Technology Service Provider Organizations

Resources

UIS Security Responsibility Policy
Policy on the Use, Collection, and Retention of Social Security Numbers by Georgetown University
Georgetown University Record Retention Policy
Georgetown University Information Classification Policy
Georgetown University Human Resources Confidential Information Policy
Georgetown University Acceptable Use Policy
Office of Information Services Policy Definitions, Roles, & Responsibilities
Office of Information Services Procedures for Reporting a Security Incident
Office of Information Services Procedures for the Protection of University Information

Approval

Recommended for University Approval by UIS Advisory Committee on January 25, 2011.
Approved by David C. Smith, University Information Security Officer, on April 9, 2013.

Review Cycle

This policy will be reviewed and updated as needed, but at least annually, unless changes in institutional policy or relevant law or regulation dictate otherwise.

Revisions

Submitted for approval to UIS Advisory Committee on January 25, 2011, by Judith House and Heidi Wachs.
Submitted for approval to David C. Smith, University Information Security Officer, on April 9, 2013 by Judith House.