IT Security

Board of Trustees Policy 17

Date: June 2020

Supersedes: January 2010


Purpose

Security breaches of data and technology pose a very real and very expensive threat to the College. Security safeguards must be in place to protect the College from these threats, based on the risk they present. The purpose of this policy is to enable the College to help protect all College data, ensure the availability and integrity of the technology required to run the College (networks, applications, data warehouses, etc.), and comply with laws and regulations concerning data privacy and protection.

Scope

The scope of this policy includes IT security management for all College facilities, data, technology, and all Users. This policy does not include the management of non-IT-related assets, such as paper records.

Policy

The College will ensure the Confidentiality, Integrity, and Availability of technology and data by developing and implementing Compliance Standards that address the various IT security needs. These standards will follow industry-defined best practices for securing technology and data.

Roles and Responsibilities

The Board of Trustees delegates the responsibility for reviewing and approving the Compliance Standards that are part of the IT Security Program to the College President.

The Vice President of Information Technology will serve as the College's Information Security Officer. In this role, the Vice President of Information Technology is responsible for the development, implementation, and continued administration of the IT Security Program Compliance Standards. Once approved by the President, the Compliance Standards will be enforced by the Vice President of Information Technology.

Any User that accesses any IT Asset plays a crucial role in ensuring the success of the IT Security Program, and that responsibility must be viewed as a top priority by every User. For example, Users must create strong Passwords to protect their login credentials, and utilize the College's resources that are made available to ensure the secure storage and transmission of data.

Overview of Compliance Standards

Compliance Standards will be added, removed, and modified within the IT Security Program as best practices in the industry change. These standards require the Vice President of Information Technology, and those members of the College information technology staff designated by the Vice President of Information Technology, to take measures to protect the College's data and technology, such as:

  • Conduct Risk Assessments of the College's IT Assets;
  • Install, maintain, and review security Safeguards to achieve acceptable levels of Risk;
  • Classify data according to its Sensitivity and Criticality to the College;
  • Educate the College community on the importance of protecting sensitive data and on methods for identifying and reporting suspected security incidents;
  • Respond strategically and efficiently to IT Security Incidents;
  • Maintain Safeguards that protect the College's Network Devices;
  • Define security measures for the electronic transmission of sensitive data;
  • Implement security Safeguards to prevent, detect, and resolve IT Security Incidents arising from Threats targeting networks, systems, and Users;
  • Define the security requirements for Users who Access sensitive IT Assets from remote (i.e., off-campus) locations;
  • Maintain Safeguards that prevent the infection and spread of Malware;
  • Properly manage User Identification, Authentication, and the creation and protection of strong Passwords;
  • Maintain an ongoing vulnerability management program;
  • Address Vulnerabilities in IT Assets through Security Updates in a timely manner;
  • Limit Access to sensitive IT Assets so that Users can Access only those resources required to perform their approved duties;
  • Develop and follow appropriate data Backup and Recovery procedures;
  • Implement security Safeguards restricting physical Access to areas that contain sensitive IT Assets;
  • Define the requirements for maintaining, reviewing, and securing Logs on the College's systems and IT Assets so that potential security incidents are identified and addressed in a timely manner;
  • Establish rules for managing Third Party Access to sensitive IT Assets, as well as for protecting the College's IT Assets after Third Party Access has been granted;
  • Implement appropriate data loss prevention measures to prevent and detect data breaches.

Consequences of Non-Compliance

Whenever a User is found to be negligent in, or to have a disregard for, compliance with an IT security Compliance Standard, the College will determine the appropriate action to take with the User. For example, the College may determine in a case of simple negligence or inadvertent mistake that training the User is appropriate. The College may consider certain single incidents of non-compliance to be so harmful as to rise immediately to a more serious level of disciplinary consequence, including long-term suspension, termination of employment, removal of service, academic suspension, academic expulsion, termination of the Third Party relationship, or termination of contract.

Definitions

Access
The permission to enter, view, instruct, communicate with, store data in, retrieve data from, or otherwise make use of a particular information resource

Authentication
The process of verifying that a User or computer is who it purports to be, via a Password, token, or other credential

Availability
The assurance that information and communications services will be ready for use when expected

Backup
The process of copying data to a secondary medium (e.g., disk, tape) in case the primary medium fails

College
Montgomery County Community College

Compliance Standard
A document in the IT Security Program which addresses a specific area of IT security and defines the appropriate security requirements for that area

Confidentiality
The assurance that information will be kept secret, with Access limited to the appropriate Users

Criticality
The classification given to data which determines the importance of maintaining its Availability

Integrity
The assurance that information is not accidentally or maliciously altered or destroyed, and is timely, accurate, complete, and consistent with its intended purpose

IT Asset
An IT-related hardware, software, or data resource which supports the College's mission

IT Security Incident
An IT-related event which causes a breach of the Confidentiality, Integrity, and/or Availability of an IT Asset

IT Security Program
The collection of policies, Compliance Standards, procedures, and other documentation that support the College's IT security objectives

Log
The chronological record of events which occur against an IT Asset, including connection, User login, Access, and other various events, independent of whether or not any actual or attempted security breach occurred

Malware
Malicious software (e.g., viruses, worms, Trojan horses) developed with the intent of damaging the Confidentiality, Integrity, or Availability of IT Assets

Network Device
An IT Asset which forms part of the underlying connectivity infrastructure for a network (e.g., router, switch, firewall, intrusion prevention system, content filtering system, remote access system)

Password
A secret string of characters which provides Authentication for a User account necessary to gain Access to an IT Asset

Recovery
The process of restoring data from a secondary medium (e.g., disk, tape) in an instance where the primary medium fails

Risk
The combination of the probability of an event and its consequence

Risk Assessment
The process of discovering, analyzing, interpreting, and prioritizing IT security Risks by examining Threats to and Vulnerabilities of IT Assets, determining the magnitude of the Risk, and determining the acceptability of the Risk

Safeguard
An administrative, technical, or physical entity that enforces or promotes the security of IT Assets

Security Update
A software patch which mitigates a security Vulnerability in an IT Asset

Sensitivity
The classification given to data which determines the importance of maintaining its Confidentiality and Integrity

Third Party
A person or organization not internal to the College

Threat
The potential for a threat-source to accidentally trigger or intentionally exploit a specific Vulnerability

User
Any faculty member, staff member, contractor, student, or Third Party having Access to the College's IT Assets or electronic data

User Identification
The process of establishing a User's identity in an IT system (e.g., a username)

Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system's security policy
