Information Security Plan

1. Purpose

This Written Information Security Program describes the safeguards implemented by DePauw University to protect confidential data. The goal of the program is to ensure the security of these assets to support the academic mission and culture of DePauw University. These safeguards are provided to:

2. Scope

This program applies to any use of the University's computing or network resources as defined in the Electronic Communications and Acceptable Policy and the University's Data Classification Policy. Additional standards and procedures may govern specific data or computer systems or networks provided or operated by third-party service providers.

This program applies to individual account holders (@depauw.edu) who use information technology resources at DePauw University, as well as the systems employed and managed by DePauw University administrators to deliver those services. Any use of University data by off-campus entities (auditors, consultants, investigators, etc.) must adhere to the same security policies and guidelines as DePauw University account holders.

3. Designation of Representatives

The University’s Chief Information Officer (CIO) is designated as the Information Security Program (ISP) Coordinator who shall be responsible for coordinating and overseeing the program. The ISP Coordinator may designate other representatives of the Institution to oversee and coordinate elements of the program. Their responsibilities shall include:

4. Safeguards, Risk Identification and Assessment

DePauw University identifies and assesses external and internal risks to the security and confidentiality of confidential data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of the safeguards in place to control these risks by:

The ISP Coordinator or their designee(s) will regularly monitor the administrative, technical, and physical safeguards that control the risks identified through the assessments described above, and will regularly test or otherwise monitor the effectiveness of those safeguards. The Information Services division of the University designs and implements safeguards in the areas highlighted by the assessments.

4.1. Information Access and Control

DePauw University implements security measures to protect its information systems and data from unauthorized access. The following guidelines are in place where possible:

4.2. Data Classification and Handling

DePauw University’s Data Classification Policy outlines a framework and requirements for classifying and handling institutional data based on its level of sensitivity, value, and criticality to the University. Appropriate data classification is guided by state or federal laws that require the University to protect certain types of data (e.g., personally identifiable information such as a social security number or FERPA-protected student education records).

Within the Data Classification Policy, “confidential data” is defined as data protected by federal and state regulations and intended for use only by individuals who require that information in the course of performing their university functions. For these purposes, confidential data refers to, but is not limited to, financial information, academic and employment information, and other private paper and electronic records. Data that is considered confidential per the Data Classification Policy and that is stored in Information Services (IS) managed systems of record or confidential data file shares will be managed per the Confidential Data Handling Recommendations to support DePauw’s Information Security Program and comply with applicable laws or regulations.

4.3. Encryption Standards

DePauw University works to maintain a secure environment by using technical and administrative controls to protect data while stored and in use. Institutionally owned laptops and desktops used by DePauw University employees are encrypted to protect data at rest. Removable storage media such as external hard drives must be encrypted if they store restricted data. Employees accessing the University's internal network resources remotely are advised to use encrypted VPN connections.

4.4. Change Management

To ensure the successful implementation of changes to enterprise systems, various change control methodologies are employed. These methodologies authorize changes, coordinate timelines, and prevent conflicts, so that changes to enterprise systems are properly authorized, coordinated, and implemented in a controlled manner, minimizing potential risks or disruptions to university operations.

4.5. Developing Internal Applications

Internal applications used to transmit, access, or store customer information are developed using best practices and procedures that integrate security into every phase of the software development process: planning, requirements gathering, design, coding, testing, deployment, and maintenance. Examples of systems for which internal applications are created are e-Services and BigTree.

4.6. Data Lifecycle Management and Secure Disposal

The DePauw University Record Retention and Document Destruction Policy outlines the requirements, limitations, and procedures for managing various institutional data types. Backups are encrypted, and no removable media is used in the backup process. For cloud hosting environments such as, but not limited to, Azure, Google, Box, and Workday, compliance reports that detail the measures taken to limit physical access are available from the vendors.

4.7. Audit and Accountability

Measures are taken to log the activity of authorized users and to review if they have accessed, used, or tampered with customer information outside the scope of their authorization. Role-based access control restricts access to information and systems based on a person's role within the institution.

4.8. Physical Controls and Access

DePauw University implements strict physical and administrative access controls in its facilities. All data centers require either a key or ID card swipe for entry, and access events are logged and monitored. Access to central systems, servers, and networks is restricted to authenticated and authorized users. The primary data center is equipped with a UPS/generator to ensure that power outages do not interrupt services.

Keys, ID cards, and card readers for access to data center environments are maintained by Information Services. Visitors are escorted by authorized personnel when accessing data center environments. These measures help to ensure that institutional data and systems remain secure and that only authorized personnel have access to sensitive information.

5. Training Program

Cybersecurity awareness training is required for all employees with DePauw University credentials. The awareness and training program, including phishing tests, occurs on a regular basis and is reviewed annually and updated as needed to address new technologies, threats, standards, and DePauw University requirements. Where applicable, role-based training will be implemented to target specific vulnerabilities within the execution of a respective role.

6. Service Providers

DePauw University will, upon hiring or contracting third-party service providers, ensure that they take steps similar to those outlined in this plan to protect confidential data. The security controls a service provider has in place are reviewed using the Higher Education Community Vendor Assessment Toolkit (HECVAT), which is requested of all vendors and/or third parties who would be hosting, storing, or otherwise in possession of Restricted data under our Data Governance Policy. Providers that handle less sensitive data may use the shorter versions of the assessment.

7. Adjustments to Program

The designated ISP Coordinator and their designated personnel are responsible for adjusting and reevaluating the program as regular risk assessment occurs or as major changes occur that may significantly impact DePauw’s operations. The designated ISP Coordinator will revisit this program at least annually to ensure it is reflective of DePauw’s practices and adherence to regulatory requirements.

8. Incident Response

The Information Services Office is to be notified of any known or suspected information security incident, as outlined in the Data Incident Response Plan. Communications surrounding information security incidents, whether internal or external, are performed according to the severity and circumstances surrounding the incident.

9. Executive Report

The ISP Coordinator provides an annual written report to the University Board of Trustees. At a minimum, the report will include appropriate metrics to illustrate the state of the security profile, an overview of major security incidents and their remediation, the status of program initiatives, and recommended and planned initiatives.

10. Policies Cross-Referenced

11. Effective Date

This plan is effective May 1, 2024.

Last update: 05-20-2024