November 20, 2014


Policy Owner: IT Solutions and IT Operations  

Approval Date: November 20, 2014 

Approved By: President’s Executive Group (PEG)  

Last Revision: November 13, 2017


Policy

The Data and Technology Security Risk Management Policy to protect confidential information and related technologies includes the following:

  1. All information is classified according to the policy established in this document and other related documents. 
  2. BYU-Idaho is designated as the owner for all confidential information. 
  3. Data Stewards are designated for all confidential information. 
  4. Data Stewards maintain a record of all confidential information for which they are responsible. 
  5. Data Stewards manage confidential information according to this policy and all other applicable policies, standards, and plans. 
  6. Information security controls must comply with this policy and supporting standards, plans, and procedures, unless specifically exempted. 
  7. Only authorized employees and University agents are allowed access to confidential information and related systems. 
  8. All persons authorized to access confidential information are accountable for following this policy and any related documents. 
  9. Networks, systems, software, and all other IT services that store, transmit, or process BYU-Idaho confidential information are managed according to this policy and all related documents. 


Standards and Plans

The following is an alphabetical list of the standards, policies, and plans that support the Data and Technology Security Risk Management Policy, together with an explanation of how the BYU-Idaho IT Department incorporates the statements of this policy into the actual work performed:


Account and Password Management Standard – Approved by ITEC on March 17, 2015 

Appropriate management of computer system accounts and passwords protects against unauthorized access to these systems and the data accessible from them. This standard defines how accounts are requested, granted, administered, and terminated, as well as how passwords are managed for university IT systems and services. These documents were combined per request of the IT Solutions Director on November 1, 2017.


Asset Management Standard – Approved by ITEC on April 6, 2015 

Desktop computers, mobile computing devices, server computers, storage devices, network equipment, and other electronic equipment must be purchased, tracked, and dispositioned appropriately to ensure that the most value is realized from this significant University expense. This standard describes how physical assets are managed throughout their lifecycle.


Confidential Information Management Standard – Approved by ITEC on March 17, 2015 

Managing confidential information in a secure and consistent manner is critical to ensuring that it is protected from unauthorized or otherwise inappropriate access or use. This standard provides a basic understanding of employee responsibilities for protecting and safeguarding University confidential information. 


Configuration Management Standard – Approved by ITEC on December 15, 2014 

Ensuring secure and efficient IT system configurations enables all systems to protect data from corruption or inappropriate access and improves the reliability and performance of these systems. This standard defines how configuration management is implemented. 


Data Center Management Standard – Approved by ITEC on February 1, 2016 

The BYU-Idaho Data Centers house critical technology infrastructure, including network devices, servers, storage, and many other devices that store and process confidential and other types of data. Managing these rooms in a secure way is critical to ensuring the security of University data. This standard describes how these rooms are managed. 


Data Classification Standard – Approved by Information Governance Council (IGC) on March 20, 2015 

Knowing the data that is included in various classification levels enables systems and employees to protect data as needed. This standard describes the three levels of data classification the University has adopted and how data is classified. 


Data Stewardship Policy (1-38) and Procedures – Removed November 11, 2017 

The Data Stewardship Policy and Data Stewardship Procedures were removed from this policy per request of the IT Solutions Director. Copies of the documents can be found in the archived section of the IT SharePoint Site.  


Disaster Recovery/Business Continuity Plan – Approved by ITEC on June 30, 2016 

All reasonable attempts are made to prevent disasters, but there are some that are inevitable or unpreventable. This Disaster Recovery/Business Continuity Plan describes the process of mitigating the impacts of a disaster and making the best recovery possible. 


Information Security Education, Training and Awareness Standard – Removed December 5, 2017 

This standard was removed from this policy per request of the IT Process Improvement Director.  


Risk Assessment Standard – Approved by ITEC on December 15, 2014 

There are many risks involved in managing confidential data, providing data for use, and providing IT services to the University. This standard explains the approach for people across the University to take in assessing known risks to IT systems and data. 


Vulnerability and Patch Management Standard – Approved by ITEC on December 15, 2014 

IT systems will have vulnerabilities throughout their lifecycle from a variety of sources. It is important that systems are assessed on a regular basis to determine if they have vulnerabilities. It is also important that systems are patched or updated regularly to remove these vulnerabilities. This standard describes the approach and measures taken by the University to assess systems and patch them appropriately. 


Logging and Monitoring Standard – Approved by ITEC on December 15, 2014 

Inappropriate events on IT systems cannot be acted upon unless they are known. To know when these events occur, system activity must be logged and the logs produced must be monitored. This standard describes the approach taken by the University to log and monitor IT system events. 


Network Management Standard – This standard is currently being written. 

Wired and wireless networks provide the communication medium for systems, data, and people who interact with IT systems. It is critical that these networks are managed in a manner that ensures protection of transmitted data. This standard defines how these systems are managed. 


Payment Card Industry Data Security (PCI DSS) Standard – Approved by PCI Compliance Committee on April 9, 2015 

This standard describes how the university will protect cardholder information of students, parents, donors, alumni, customers, and any individual or entity that utilizes a credit card to transact business with the University. This standard is intended to be used in conjunction with the PCI-DSS requirements as established and revised by the PCI Security Standards Council. 


Phishing and Social Engineering Standard – Approved by ITEC on December 15, 2014 

Phishing and social engineering are threats to the security of university confidential information. This standard describes processes and strategies used to educate employees and students regarding tactics used and preventive measures available to avoid becoming a victim.  


Physical Security Standard – Approved by ITEC on February 1, 2016 

All physical IT devices must be managed in a way that prevents them from being used in an insecure manner that would allow unauthorized access to confidential information. This standard defines the way that equipment will be managed.  


Security Incident Management Standard – This standard is currently being written and may be combined with a more general “Incident Management Standard.” 

Incidents of one type or another are part of providing IT services. Some of these incidents are security related and must be dealt with in a deliberate and secure manner to prevent, mitigate, and/or recover from data theft, loss, or corruption. This standard defines how security incidents are managed. 


Software Acquisition Policy (8-6) – Approved by PEG on April 16, 2012 

New software purchased or received through donation becomes an integral part of the university IT systems. It is critical that this software is acquired in a manner that allows it to be evaluated for security risks and vulnerabilities. This university policy defines how software is acquired to ensure security. 


Software Development Standard – Approved by ITEC on September 4, 2015 

Software developed by university IT employees must protect data at the level required by its classification. This standard defines the guidelines for how software is developed to ensure data and system security. 


Virus and Malware Standard – Approved by ITEC on December 15, 2014 

Malware, or malicious software, is a pervasive and persistent threat to the security of university information and systems. This standard defines the measures used to protect and mitigate against these threats.