West Coast University
West Coast University (hereinafter the Institution or the University) is an institution of higher learning offering undergraduate and graduate degree programmes in “nursing and other in-demand healthcare” disciplines. The Institution uses a collection of technologically advanced tools to help students gain the “knowledge, experience, and confidence” they need to execute critical responsibilities in today’s healthcare environment (West Coast University, 2016). The Institution has decided to bolster the security of its information assets in order to prevent and mitigate security risks in an era of steadily growing security threats. It therefore needs to implement an information security policy. According to Whitman and Mattord (2011), such a policy forms the foundation of a concrete information security programme: it reflects an organisation’s security goals and objectives together with an agreed management strategy for securing information assets. An information security policy is a collection of management directives and requirements regarding information security that provides guidelines for security personnel (National Institute of Standards and Technology, 2009; Wood & Lineman, 2009).
2 Information security policy
Fundamentally, information systems are critical to effective and efficient administrative, teaching, and research functions (Wood & Lineman, 2009). The purpose of this information security policy is to provide a framework and associated guidelines for information security management in the Institution, in order to protect the three core properties of information together with the University’s reputation and its external compliance position:
- Confidentiality: information is accessed by authorized persons only.
- Integrity: information is accurate, up-to-date, and reliable.
- Availability: information is available to authorized users whenever it is needed.
- University reputation.
- External compliance, including the Western Australian State legislation, Federal legislation, and telecommunications legislation, so as to avoid financial loss and unwanted legal liabilities.
2.2 Scope and applicability
This information security policy addresses all technological facilities, systems, programs, networks, information and data processed by the Institution, internal and external communications, and all technology users in the Institution, without exception. The policy applies to all IT users (employees, students, contractors and visitors) with access to the Institution’s IT systems.
2.3 Roles and responsibilities
2.3.1 University Council
- Oversee information security management to ensure that the Institution complies with all internal and external requirements.
- Provide required resources.
2.3.2 ICT sub-committee on information security policy
- Promote awareness regarding this policy.
- Seek sufficient implementation and maintenance resources (personnel, technologies and processes).
- Monitor continuous compliance.
- Schedule reviews to incorporate relevant legislative, contractual and organizational changes.
- Solicit continuous top management support and commitment.
2.3.3 Departmental heads
- Oversee information security in their functional units in line with this overall information security policy.
- Validate relevance of different elements of this policy in relation to specific departmental needs.
2.3.4 Other IT Users
- Responsibly use information assets while complying with this policy.
- Observe contractual agreements in the course of handling the Institution’s information assets.
2.4.1 Risk assessment
- Identify information assets, define their ownership, and quantify their criticality and/or sensitivity.
- Security controls should be applied based on the criticality and/or sensitivity of information.
- Information security assessments should be performed periodically.
2.4.2 Confidential and personal data
- Should be handled according to existing legal provisions (e.g. the Western Australian State legislation, Federal legislation, and telecommunications legislation) and the Institution’s personal data policy.
- Relevant organizational, procedural and technical measures should be taken to prevent unauthorized and/or illegal access to or processing of, or destruction or loss of personal data.
- Sensitive personal data (e.g. religion, health and ethnic origin) should be properly encrypted.
- Confidential data, whose disclosure may lead to financial loss, damage to reputation, or adverse impact on public safety, should be:
- Accessed, used and modified by adequately authenticated and authorized persons only.
- Stored in dedicated and secure storage locations such as file servers as opposed to local or external hard drives.
- Kept for about 6 months to support investigations.
- Stored with proper file and disk encryption to implement an additional “layer of defence”.
- Copied to portable media and hard copies only where necessary, and in limited numbers.
- Locked in safe cabinets and locked rooms.
- Always kept within the University.
- Disposed of in a manner that protects confidentiality.
2.4.3 Remote access
- Remote access should be conducted within proper levels of authentication and encryption.
- Remote access should be restricted to the minimum access required.
2.4.4 Strong password policy
Criminals who obtain passwords can get into personal accounts, leading to identity theft and data breaches, and may go on to blackmail the compromised account holders (Wood & Lineman, 2009). This policy seeks to help IT users uphold strong password practices. Applicable policies include:
- Create strong passwords (at least 8 characters; a mixture of letters, digits and symbols, including both upper-case and lower-case letters; and no dictionary words) for online, PC, and software system accounts, so that they are impractical to guess or crack.
- Never share your account passwords with anyone.
- Use different passwords for each account, and regularly change them.
- Passwords suspected of having been compromised (accessed or stolen) should be changed and the incident reported immediately.
- Use memorable, but adequately strong passwords to ensure that you do not have to write them down to remember them.
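The strength rules in the list above can be enforced automatically at account creation or password change. The following is an added example in Python, not part of the original policy document: it checks the stated minimum length of 8 characters, the four character classes and the dictionary-word rule, and reverses common letter-for-symbol substitutions before the dictionary check so that a trivially disguised word is still rejected. The word list and the sample passwords are constructed for illustration; a deployment would load a full dictionary instead.

```python
import string

# Requirements taken from the policy text.
MIN_LENGTH = 8
MIN_DICTIONARY_WORD_LEN = 4

# Constructed stand-in for a real word list; a deployment would load a full
# dictionary or cracking word list here instead of this handful of words.
DICTIONARY_WORDS = {"password", "welcome", "university", "nursing", "summer", "admin"}

# Common letter-for-symbol substitutions ("P@ssw0rd") are reversed before the
# dictionary check, so a disguised dictionary word is still caught.
_LEET_TABLE = str.maketrans("0134$@!", "oleasai")


def check_password(password, dictionary=DICTIONARY_WORDS):
    """Return a list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    # Dictionary rule: lower-case, undo substitutions, then look for whole words.
    normalised = password.lower().translate(_LEET_TABLE)
    for word in sorted(dictionary):
        if len(word) >= MIN_DICTIONARY_WORD_LEN and word in normalised:
            violations.append("contains dictionary word '%s'" % word)
    return violations


def is_compliant(password, dictionary=DICTIONARY_WORDS):
    """Convenience wrapper: True when the password meets every rule."""
    return not check_password(password, dictionary)


if __name__ == "__main__":
    # Constructed sample passwords: the first two violate the policy, the third passes.
    for candidate in ("P@ssw0rd!", "Nursing2024", "tq7#Vk9$mZ"):
        print(repr(candidate), "->", check_password(candidate) or "compliant")
```

Note that `P@ssw0rd!` satisfies every character-class rule and is still rejected, which is the reason the dictionary check normalises substitutions rather than matching the raw string.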
2.4.5 Acceptable internet use policy
Today, criminals increasingly use email scams (spear phishing) to compromise millions of users’ critical information, such as passwords and credit/debit card details. These emails are usually crafted to be difficult to distinguish from legitimate ones, which makes them an easy vehicle for fraud (Whitman & Mattord, 2011). Applicable policies include:
- Emails asking for confidential or sensitive information such as passwords and PINs are suspicious and should be reported to the IT department immediately. Other warning signs are urgent statements such as “Your account will be de-activated after 48 hours”, technical jargon, unknown senders, news about well-known upcoming events, grammatical errors, and generic greetings.
- Never click on links embedded in suspicious emails.
- Never open or download attachments that come with suspicious emails.
- Never use emails bearing the Institution’s domain for personal communications.
- Verify that the URLs of embedded links and website addresses have the right domain name and top-level domain before trusting them.
- Contact the service provider (e.g. your bank) directly to verify any request for personal information received via email or phone.
- Keep internet usage at minimum.
- Uphold the legal rights to licensed, patented and copyrighted works such as software and computer games.
- Never access or download pornographic, ethnically offensive, sexist, extremist political or similar material, which may lead to unwanted legal liability.
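The domain-name check in the list above can be applied by the IT department to the links in a reported email. The following is an added example in Python, not part of the original policy: it resolves each link to the host a browser would actually connect to (so a trusted name placed in the user-info part of the URL, or used as a subdomain of some other domain, does not count), and accepts only the Institution’s own domain or its subdomains. The trusted domain `westcoastuniversity.edu` is taken from the Institution’s web address in the reference list; the sample email is constructed.

```python
import re
from urllib.parse import urlsplit

# The Institution's own domain, taken from its web address in the references;
# a deployment would list every domain the Institution legitimately uses.
TRUSTED_DOMAINS = {"westcoastuniversity.edu"}

# Matches http(s) URLs in plain text; trailing sentence punctuation is stripped later.
_URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_host(url):
    """Return the lower-cased host a browser would actually connect to, or None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname discards any user@ prefix and :port and lower-cases the result,
    # so "https://trusted.example@203.0.113.5/" yields "203.0.113.5".
    host = parts.hostname
    return host.rstrip(".") if host else None


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one."""
    if not host:
        return False
    # Non-ASCII or punycode (xn--) labels can imitate a trusted name with
    # look-alike characters, so they are never accepted automatically.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_untrusted_links(text, trusted=TRUSTED_DOMAINS):
    """Return every URL in text whose real host is not a trusted domain."""
    urls = [u.rstrip(".,;:)") for u in _URL_RE.findall(text)]
    return [u for u in urls if not is_trusted_host(extract_host(u), trusted)]


# Constructed sample email showing two of the warning signs the policy lists.
SAMPLE_EMAIL = """\
Dear user,
Your account will be de-activated after 48 hours unless you verify it at
http://westcoastuniversity.edu.account-verify.example/login
or via our secure portal https://westcoastuniversity.edu@203.0.113.5/verify.
Student services remain available at https://portal.westcoastuniversity.edu/help
"""

if __name__ == "__main__":
    for url in find_untrusted_links(SAMPLE_EMAIL):
        print("untrusted link:", url, "(real host:", extract_host(url) + ")")
```

Only the third link in the sample is accepted; the first two carry the Institution’s name but connect to other hosts, which is exactly the domain-name mismatch the policy asks users to look for.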
2.4.6 PCs and personal devices policy
The Web poses real threats to information held in desktop PCs, laptops, tablets and smart phones (National Institute of Standards and Technology, 2009). The threats range from malware propagation to data theft. Applicable policies include:
- Use legitimate operating systems and application software such as web browsers to ensure you benefit from regularly released security updates and patches.
- Install and regularly patch or update anti-virus software, and perform regular malware whole-device scanning.
- Never install software systems from unknown or untrustworthy sources.
- Schedule periodic file backups to avoid complete data loss.
- Scan removable devices (e.g. USB sticks and hard drives) to detect and remove malware.
- Use secure and legitimate online cloud storage, for example, Google Drive and Dropbox.
- Encrypt backups and PC storage, and test the backups regularly.
- Disconnect malware-infected devices from the enterprise network.
- Use strong passwords for PCs and other personal devices.
- Only registered mobile devices should be used to connect to the Institution’s network and the internet.
2.4.7 Physical and network security policy
- Protect IT infrastructure against physical (vandalism and theft) and environmental damage or interference.
- Protect and manage network equipment, software and information.
- All information assets should be properly managed.
- Have SLAs in place to guarantee third-party support in case of a security disaster.
2.4.8 Incident-response policy
- There should be a multi-disciplinary incident-response team comprising senior IT management, legal, PR, business management, and vendor representatives.
- Prevent potential unauthorized access and/or loss of confidential information.
- Prevent potential propagation of an information security breach.
- Restore, and then test, the functionality of affected network elements.
- Perform business continuity planning.
2.5 Enforcement and compliance
- All IT users should be aware of their roles and responsibilities regarding information security.
- Any unauthorized disclosure or loss of confidential and personal information should be reported to the IT department and owners of information.
- Major relevant legislation includes the Western Australian State legislation, Federal legislation, and telecommunications legislation.
- Any information security breach is treated with the seriousness it deserves, including disciplinary action.
- Failure to comply with this policy will result in disciplinary action.
National Institute of Standards and Technology. (2009). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Whitman, M., & Mattord, H. (2011). Principles of information security. Cengage Learning.
West Coast University. (2016). A Simple Philosophy of Staying Ahead of the Curve. Retrieved from http://westcoastuniversity.edu
Wood, C. C., & Lineman, D. (2009). Information Security Policies Made Easy Version 11. Information Shield, Inc.