Information Security Policy

Executive Summary

The mission of Hobart and William Smith Colleges, to prepare students to lead lives of consequence, is innately dependent upon the institution’s ability to shield its community of students, educators, and staff from threats that could undermine collaboration and education.

To fulfill this mission, Hobart and William Smith Colleges must achieve institutional prestige and distinction in the pursuit of information security, developing an approach that is community-minded, flexible and inclusive, and imbued with rigor appropriate for the institution’s obligations. A successful information security program will protect institutional reputation and safeguard its academic environment. Achieving success is a shared responsibility, with obligations expressed at both the institutional and individual level.

This Information Security Policy defines objectives and lays the foundation for a mature information security program at Hobart and William Smith Colleges. Structurally, this document is guided by obligations defined by nationally recognized standards, federal and state regulations, and other requirements imposed upon institutes of higher education. For example, the US Department of Education requires Hobart and William Smith to meet several standards defined by the National Institute of Standards and Technology (NIST) to safeguard financial aid data and protect the privacy of student data. To that end, this policy is composed of eighteen (18) separate policy statements, with supporting Standard documents based on the National Institute of Standards and Technology Special Publication 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171 rev 2).

While no set of security controls can address every possible scenario, this framework provides a comprehensive governance structure that addresses key controls needed to protect confidentiality, integrity, and availability of the institution’s information assets.

1.0 Purpose

The purpose of this policy is to clearly establish the role of Hobart and William Smith Colleges in protecting institutional reputation, systems, and data, including the data of its faculty, staff, and students. This document communicates minimum expectations for meeting these requirements. Fulfilling these objectives will enable Hobart and William Smith Colleges to implement a comprehensive system-wide Information Security Program.

2.0 Scope

The scope of this policy includes all information assets governed by the institution. All personnel and service providers who have access to or utilize assets of the institution, including data at rest, in transit, or in process, shall be subject to these requirements. This policy applies to:

  • All information assets and IT resources operated by the institution;
  • All information assets and IT resources provided by the institution through contracts, subject to the provisions and restrictions of the contracts;
  • All users of Hobart and William Smith Colleges information assets and IT resources;
  • All departments and business units that comprise the institution;
  • Individuals who provide information systems not centrally supported; and
  • Vendors embedded within the institution that provide key services.

3.0 Implementation

Hobart and William Smith Colleges needs to protect the availability, integrity, and confidentiality of data while providing information resources to fulfill the institution’s mission. A risk-based Information Security Program will be developed and maintained, and implementation decisions should prioritize the resolution of risks in accordance with severity whenever feasible.

Hobart and William Smith Colleges’ administration recognizes that fully implementing all controls within the NIST Standards is not possible due to institutional limitations and resource constraints. Appropriate security controls mandated by various standards (e.g., NIST 800-171 and NIST 800-53) will be implemented whenever possible, and exceptions will be documented in situations where doing so is not practical.

4.0 Privacy

Consistent with an educational mission fostering collaboration and free expression, Hobart and William Smith Colleges will make every reasonable effort to respect and preserve the privacy of community members. As required by New York State civil rights law, employees are notified upon hiring and annually thereafter if they are subject to electronic monitoring.

As outlined in the Responsible and Acceptable Use of Electronic Resources policy and others, personnel do not acquire a right of privacy for communications transmitted via or stored using institutional resources.

In response to a judicial order or any other action required by law or permitted by official institutional policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the institution, the Chief Information Officer, or an authorized agent, may access, review, monitor, and/or disclose data or activity associated with an individual’s account and/or device.

5.0 Roles & Responsibilities

Hobart and William Smith Colleges have assigned the following roles and responsibilities:

  1. Chief Information Officer: The Chief Information Officer is accountable for the implementation of the Information Security Program, including:
    • Security policies, standards, and procedures
    • Security compliance, including managerial, administrative, and technical controls
  2. Executive Security Committee: This group of senior leaders oversees and approves security and regulatory compliance initiatives. The committee is comprised of the President, Provost, Legal Counsel, VP for Administration / Chief Financial Officer, and Chief Information Officer.
  3. Information Security Committee: The group is responsible for the design, implementation, operations, and compliance functions of the Information Security Program for all Hobart and William Smith Colleges constituent units.
  4. Information Security Officer: Responsible for the development, implementation, and maintenance of a comprehensive Information Security Program for Hobart and William Smith Colleges. This function includes security policies, standards, and procedures which reflect best practices in information security. Informs the Chief Information Office about information security implementations and ongoing development of the Information Security Program design.
  5. Data Protection Officer: Responsible for fulfilling Hobart and William Smith Colleges obligations to protect individuals’ personal data by acting as the primary contact for data privacy matters, assessing and correcting data protection deficiencies, and promoting a culture of sound data handling practices by educating employees about data and privacy compliance requirements. This role must interpret and implement applicable organizational statutory requirements (e.g., FERPA, GLBA, and others).

6.0 Information and System Classification

Hobart and William Smith Colleges will establish and maintain policies for data governance and classification for both information and information systems. A corresponding data inventory will be developed and maintained to document systems of record, indicating the classification of data types processed, housed, or transported through each information system.

7.0 Provisions for Information Security Standards

Hobart and William Smith Colleges will develop appropriate control standards and procedures required to support the institution’s Information Security Policy. This policy is further defined into 18 objectives, requiring the creation of supporting Information Security Standards (with applicable requirements defined by NIST 800-171), procedures, control metrics, and control tests to assure functional verification. These Standards will also address all statutory and contractual security/privacy requirements.

7.1 Access Control (AC)

Hobart and William Smith Colleges will limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems), and the types of transactions and functions that authorized users are permitted to exercise.

7.2 Audit and Accountability (AU)

Hobart and William Smith Colleges will: (i) create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity relating to restricted or sensitive data; and (ii) ensure that the actions of individual system users can be uniquely traced within such systems. Hobart and William Smith Colleges should retain audit records for administratively useful purposes and duration, emphasizing events related to system security. Records targeted for collection and retention periods should be documented within a supporting audit and accountability standard.

7.3 Awareness and Training (AT)

Hobart and William Smith Colleges will ensure that: (i) managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of institutional information systems; and (ii) users are adequately trained to carry out their assigned information security-related duties and responsibilities.

7.4 Configuration Management (CM)

Hobart and William Smith Colleges will: (i) establish and maintain baseline configurations and inventories of institutional information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in institutional information systems.

7.5 Contingency Planning (CP)

Hobart and William Smith Colleges will establish, maintain, and validate plans for emergency response, backup operations, and post-disaster recovery for the institutional information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

7.6 Identification and Authentication (IA)

As a prerequisite to allowing access to information systems, Hobart and William Smith Colleges will identify information system users and devices, as well as processes acting on behalf of users or devices, by authenticating (or verifying) the identities of those entities. Information systems for which anonymized access is permitted will be documented.

7.7 Incident Response (IR)

Hobart and William Smith Colleges will: (i) establish an operational incident handling capability for institutional information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate institutional officials and/or authorities as obligated by law (e.g., NY SHIELD Act).

7.8 Maintenance (MA)

Hobart and William Smith Colleges will: (i) perform periodic and timely maintenance on institutional information systems in accordance with information security best practices and organizational standards for configuration management and maintenance; and (ii) limit access to the tools, techniques, and mechanisms used to conduct information system maintenance to designated, authorized personnel.

7.9 Media Protection (MP)

For information systems related to data classified as non-public, Hobart and William Smith Colleges will: (i) protect information system media, both paper and digital; (ii) limit access to data on information system media to authorized users; (iii) employ encryption to protect data, where applicable; and (iv) sanitize or destroy information system media before disposal or release for reuse.

7.10 Personnel Security (PS)

Hobart and William Smith Colleges will: (i) ensure that individuals occupying positions of responsibility are trustworthy and meet established security criteria for those positions; (ii) ensure that institutional information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with Hobart and William Smith Colleges security policies and procedures.

7.11 Physical and Environmental Protection (PE)

Hobart and William Smith Colleges will: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

7.12 Planning (PL)

Hobart and William Smith Colleges will develop, document, periodically update, and implement security plans for institutional information systems that describe the security controls in place or planned for the information systems as well as rules of behavior for individuals accessing the information systems.

7.13 Program Management (PM)

Hobart and William Smith Colleges will establish security program management controls to facilitate the implementation of the institutional Information Security Program.

7.14 Risk Assessment (RA)

Hobart and William Smith Colleges will periodically assess the risk to institutional operations (including mission, functions, image, or reputation), institutional assets, and individuals resulting from the operation of institutional information systems and the associated processing, storage, or transmission of institutional information.

7.15 Security Assessment and Authorization (SAA)

Hobart and William Smith Colleges will: (i) periodically assess the security controls in institutional information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in institutional information systems; (iii) establish processes to authorize the operation of the institutional information systems and any associated information system connections; and (iv) monitor and test information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

7.16 System and Communications Protection (SC)

Hobart and William Smith Colleges will: (i) monitor, control, and protect institutional communications (i.e., information transmitted or received by institutional information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and (ii) employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within institutional information systems.

7.17 System and Information Integrity (SI)

Hobart and William Smith Colleges will: (i) identify, report, and correct information and information system flaws in a timely manner, in accordance with a vulnerability management standard; (ii) provide protection from malicious activity at appropriate locations within institutional information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.

7.18 System and Services Acquisition (SA)

Hobart and William Smith Colleges will: (i) allocate sufficient resources to adequately protect institutional information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers are required to comply with federal and state laws, and are contractually obligated to employ adequate security measures to protect information, applications, and/or services outsourced by the institution.

8.0 Enforcement

Hobart and William Smith Colleges may temporarily suspend, block, or modify access to information systems and/or data for any individual or device when deemed necessary to protect the integrity, security, or functionality of institutional and computer resources.

Any person found to have violated this policy may be subject to disciplinary action.

9.0 Exceptions

Exceptions to the policy may be granted by the Chief Information Officer or their designee. To request an exception, submit an Information Security Exception request to the Chief Information Officer.

10.0 Disclaimer

Hobart and William Smith Colleges disclaims any responsibility for and does not warrant information and materials residing on non-Hobart and William Smith Colleges systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions, or values of Hobart and William Smith Colleges.

11.0 References

  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm - Leach Bliley Act (GLBA)
  • New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act and Information Security Breach and Notification Act
  • NIST SP 800-171 – Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-53 Rev. 5 – Security and Privacy Controls for Information Systems and Organizations
  • § 52-C, Article 5 New York State civil rights law

12.0 Related Polices

Responsible & Acceptable Use Policy

13.0 Responsible Department

Information Technology Services

14.0 Policy Authority

This policy is issued by the Chief Information Officer for Hobart and William Smith Colleges