Information Security

Authority

This IT policy will be approved by the President, Chief Financial Officer and Chief Information Officer.

Summary

The purpose of this policy is to ensure the protection of Bowdoin’s information resources from accidental or intentional access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture.

Applicability

This policy is applicable to all College students, faculty and staff and to all others granted use of Bowdoin College information resources. Every user of Bowdoin’s information resources has responsibility toward the protection of those assets; some offices and individuals have very specific responsibilities.

This policy refers to all College information resources whether individually controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted by the College. This includes networking devices, personal digital assistants, telephones, wireless devices, personal computers, workstations, minicomputers and any associated peripherals and software, regardless of whether used for administration, research, teaching or other purposes.

Introduction

Today, information & technology (IT) permeates all aspects of teaching, learning, research, outreach and the business and facilities functions of the college. Safeguarding information and information systems is essential to preserving the ability of the college to perform its missions and meet its responsibilities to students, faculty, staff, and the citizens whom it serves. State and federal statutes, rules, and regulations, College policies and other explicit agreements also mandate the security of information and information systems. Failure to protect the college’s information & technology assets could have financial, legal and ethical ramifications.

Bowdoin College acknowledges its obligation to ensure appropriate security for information and IT systems in its domain of ownership and control. Furthermore, the college recognizes its responsibility to promote security awareness among the members of the Bowdoin College community. This policy establishes the general principles of IT security that will be applied throughout the college. Specifically, it will:

  • Explain the need for IT security
  • Define and enumerate the objectives of IT security and specify the domain of IT security
  • Discuss risk and risk assessment, and provide guidance regarding levels of impact for the college
  • Indicate the IT security responsibilities of each member of the college
  • Establish specific security responsibilities of individuals and units with particular roles in maintaining IT security and reporting responsibilities and procedures in the case of security breaches
  • Explain the importance and responsibility for educating Bowdoin College students, faculty, and staff about the college’s security policy and security practices

1. Information & Technology Security

Need

Information & Technology security is critical to the interests of the college and the many constituencies it serves. The following list provides insight into some of the reasons for IT security and shows the depth and breadth of information resources that need protection. This list is representative and is not meant to suggest the full range of information and resources that must be protected.

  • Support and maintain the ongoing functions of the college. As an increasing percentage of the college’s functions are handled electronically, it is critical that information and information systems be protected so the college can operate without interruption.
  • Protect college assets. The college is in possession of many assets including intellectual property, research and instructional data systems, and physical assets. Loss of these assets could have significant financial impact as well as major negative impact on critical research and instructional programs.
  • Safeguard the privacy of individuals and information. With the increasing risk of identity fraud and other potential misuses of personal information, it is paramount that the college safeguard personal information entrusted to its stewardship.
  • Safeguard financial transactions and electronic communications. The college is the custodian of financial records and transactions; safeguarding these records is critical to maintaining trust relationships essential to our business functions.
  • Protect the integrity and reputation of the institution. Security breaches reflect negatively on the capability of the college to manage the entrusted resources. In addition, security breaches could result in the potential for criminal or civil action.
  • Prevent the use of college systems for malicious acts. The open nature of the college and the desire to provide ease of access to a large and diverse group of constituents makes us a target for unauthorized users to utilize college resources inappropriately. The college must prevent the use of Bowdoin College systems and infrastructure for malicious acts against its own systems as well as attacks against other individuals and organizations.
  • Comply with state and federal laws. State and federal laws and regulations require the college to take reasonable steps to ensure the security of the data (e.g. FERPA, HIPAA, GLBA). Failure to safeguard this information could result in legal action or cause the college to lose its ability to offer services.

Definition

Security can be defined as the state of being free from unacceptable risk. Thus, IT security focuses on reducing the risk of computing systems, communications systems, and information being misused, destroyed, modified or disclosed inappropriately either by intent or accident.

Objectives

The four primary objectives of IT security are to protect:

  • Confidentiality of information. Preserving the privacy of personal or college information for authorized uses only and preserving the rights of ownership associated with intellectual property (e.g. copyright, trademark, license).
  • Integrity of data. Assuring the reliability of data by preventing unauthorized or inadvertent modification or deletion of data.
  • Availability of resources. Ensuring timely and reliable access to and use of data and information technology resources.
  • Authorized use of resources. Preserving the use of information resources for authorized use and preventing the malicious use of information resources.

Domain

Information security necessarily encompasses a broad range of college activities and assets. Within the domain of security this policy incorporates:

  • Computer systems. The hardware, software, and IT infrastructure assets of the college represent significant monetary investments. The value of these assets is not only in their purchase costs, but also in the personnel time spent to develop them into functioning systems.
  • Data storage, transmittal, and use. Information can include personal records about students, employees, alumni, or others; financial and business information; archives of historic significance; critical, classified, and irreproducible research data; and other information of critical significance to the operation and prestige of the college. Legal and policy guidelines impact the security practices that must be exercised for various types of data.
  • Procedures. Guidelines for interactions of faculty, staff, and students as well as IT support staff and management personnel with systems, data, physical assets, and communication information.
  • Physical assets. The premises occupied by IT personnel and equipment.
  • Environment. Environmental control, power, physical security devices, etc.
  • Communications systems. Communications equipment, personnel, transmission paths, and adjacent areas.

2. Risk and Impact

Risk Assessment

Risk assessment in information technology security is a systematic process used to determine the potential for any given information system to be subject to loss and to assess the impact of that loss. In general, risk is a composite of three factors:

  • Threats. Actions or events that potentially compromise the confidentiality, integrity, availability, or authorized use. These threats may be human or non-human, natural, accidental, or deliberate. Examples:
    • Acts of malice by individuals or groups. Purposeful or malicious use of information or information systems.
    • Natural or physical disasters. Fire, flood, hardware failures.
    • Unintentional oversight, action, or inaction. Data left open to unauthorized access, accidental deletion of data files, inadequate data backup procedures.
  • Vulnerabilities. Security exposures that increase the potential for a failure of security. Examples:
    • Software or hardware that allows unauthorized access to information or information systems.
    • Business practices. Collecting and storing required personal information that could be damaging to the individual if revealed.
    • Personal practices or procedures. Improperly protecting one’s password; providing inadequate physical environments for IT systems.
  • Impact. The degree to which a security failure has the potential to result in harm or loss. Determining impact requires careful evaluation of the nature of the information and information systems. Factors:
    • What are the ramifications of the loss of confidentiality, integrity, availability, or authorized use of systems?
    • Will physical harm to any individual result?
    • Will the strategic mission of the college be affected?
    • Will personal information be compromised?
    • Will large segments of the community be inconvenienced?
    • Will the reputation of the college suffer?
    • Who will need to resolve the security incident?

College Impact

Three levels of risk have been defined for the college:

  • Low. Incidents that cause limited damage to operations or assets and that do not involve risk for individuals. These incidents require minor corrective actions or repairs within the designated custodial structure and communication is frequently required only within the affected area.
  • Moderate. Incidents that cause short-term degradation or partial loss of the college’s mission capability; that affect or disadvantage only subsets of the college community; or result in limited loss or damage to significant assets. These incidents require corrective actions or repairs that can normally be handled within the designated custodial structure, usually involve only internal communications, and normally will not require the involvement of high-level administration.
  • High. Incidents that cause an extensive loss of the college’s mission capability; result in a loss of major assets; pose a significant threat to the well-being of large numbers of individuals or to human life; or damage the reputation of the college. These incidents require substantial allocation of human resources to correct; may require communication to external agencies or law enforcement and the public; and often require the involvement of high-level administration within the college.

Factors used to determine the level of risk include the effect of the loss on the college’s strategic missions; the extent of loss to major information systems; the potential for injury or damage to individual(s); the inconvenience or loss of productivity for subsets of the college community; the potential for damage to the college’s reputation; the level of administrative involvement required; and the level at which the security problem can be resolved.

Risk Examples:

By risk level (Low, Moderate, High):

  • Confidentiality
    • Low. Disclosure of course offerings before the Registrar publishes the information on the web.
    • Moderate. Disclosure of emails detailing a negotiation strategy during a land purchase.
    • High. Disclosure of student medical records or payroll.
  • Data Integrity
    • Low. Malicious modification of a student’s personal webpage.
    • Moderate. Malicious modification of classroom schedules, leading to overbooking or confusion for a period of time.
    • High. Malicious modification of an administrative report, leading to embarrassment for the college.
  • Availability
    • Low. Attack on servers holding personal web pages or attack on networked environmental controllers.
    • Moderate. Attack on the course registration servers during the student registration weeks.
    • High. Attack on network routers, rendering many systems inoperable.
  • Authorized Use
    • Low. A Bowdoin student shares their password with a high-school friend, thereby granting unauthorized access to computing services for their friend.
    • Moderate. Gaining access to a computer with publicly available hacking tools, and then using the computer to capture passwords on the network.
    • High. Gaining access to a computer with publicly available hacking tools, and then using the computer as a platform to launch a debilitating attack on the campus network.

Risk Mitigation

Risk mitigation is the action taken to reduce risk to an acceptable level. An analysis of cost versus benefit, along with the impact to the college, will be a factor in deciding whether any action should be taken and, if so, what. Some options to reduce risk include risk avoidance, limitation, transfer, and assumption.

3. Roles and Responsibilities

Policy Development and Approval

Approval of the IT Security Policy is vested with the President. Development and implementation of the policy is the responsibility of the Office of the Chief Information Officer.

Chief Information Officer

The Office of the Chief Information Officer (CIO) has overall responsibility for the security of the college’s information technologies. Implementation of security policies is delegated throughout the college to various college services, departments and other units; and to individual users of campus IT resources.

Chief Information Security Officer

The Chief Information Security Officer is responsible for providing interpretation of this and other related policies and disseminating related information.

College Services

Various offices within the college have the primary responsibility and authority to ensure that Bowdoin College meets external and internal requirements for privacy and security of specific types of confidential and business information. Other departments are responsible for general security issues (e.g. legal issues, security compliance, physical security, communications, and IT infrastructure security). These college services are responsible for assisting in the development of college IT security policies, standards and best practices in their areas of responsibility. They are also responsible for advising departments and individuals in security practices relating to these areas:

  • Personnel information and confidentiality: Human Resources
  • Student information and confidentiality: Registrar’s Office
  • Financial information and transactions: Treasurer’s Office
  • Student loan information: Student Aid
  • Physical building security: Facilities Management
  • Infrastructure, communications, and systems security and audit: Information Technology
  • Legal issues: College Counsel
  • Health Information: Health Information Privacy Officer

Departments and other units

Departments and other units are responsible for the security of any information they create, manage, or store, and for any information they acquire or access from other college systems (e.g. student records, personnel records, business information).

Individuals as Users of College Information Systems

Protecting the security of college information and information systems is the responsibility of every member of the college community. Each student, faculty member and staff member is responsible for knowing and complying with published IT policies and practices including the IT Security Policy. Failure to comply with these policies may result in loss of computing privileges and/or disciplinary action.

Individuals as Owners of Computers and Other Network Devices

Students, faculty and staff who use personally-owned systems to access college resources are responsible for the security of their personally-owned computers or other network devices and are subject to the following:

  • The provisions of the university security policies, standards and guidelines for best practices for users of college computing and network facilities.
  • All other laws, regulations, or policies directed at the individual users.

Reporting Security Incidents

Reporting incidents is an ethical responsibility of all members of the Bowdoin College community. A critical component of security is to address security breaches promptly and with the appropriate level of action. The IT Security Incident Reporting Policy outlines the responsibilities of departments and individuals in reporting as well as defining procedures for handling security incidents.

Education

Creating a heightened awareness of the importance of information technology security is an important component in establishing an environment in which each individual feels both responsible and empowered to act in their own and the community’s best interests. All departments will provide opportunities for individuals to learn about their roles in creating a secure IT environment.