Information Security Management System Policy
Approved on: March 4, 2009
By: Administrative Council
Effective: March 4, 2009
Policy Summary
The University selected the Information technology – Security techniques – Information security management systems – Requirements (ISO 27001) as a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS was a strategic decision which was influenced by the needs and objectives, security requirements, and processes employed at the University. ISMS implementation has been incremental and will continue to be scaled in accordance with University requirements.
Applicability/Eligibility
All University personnel are responsible for the security and privacy of the data they access, transmit, and store as prescribed in University policy, legal, regulatory, and statutory requirements. Those that work in areas within the scope of the University’s ISMS will be required to participate in additional activities such as training, audits, and risk assessments.
Exceptions
Where legal or compliance imperatives demand an immediate modification (or suspension) of policy (and practice), an interim policy (and/or procedures) will be developed and enacted, pending formal review and approval.
Procedures Links
Internal Audit Procedure
Corrective Action Procedure
Preventive Action Procedure
Administration of Policy
Mandating Authority: Information Systems and Technology
Responsible Office: Information Security Department, security@gsu.edu, Room 1003 Citizens Trust Building
Responsible Executive: Associate Provost and CIO of Information Systems and Technology
Policy
Document Control. Relevant versions of applicable documents will be available at points of use. When a new procedure, or version of a procedure, is issued for inclusion in the University’s Information Security Management System it will include (at a minimum):
• A revision level showing the new document(s)/version(s)
• Point(s) of contact for questions or comments
• Date of last update or issuance
• Data classification (if sensitive or confidential)
Internal Audit. Internal audits of the ISMS shall be conducted at planned intervals at least annually or as the need arises (internal audits do not necessarily involve University Auditing and Advisory Services).
• Personnel who are independent of the current work or project shall perform the internal audits.
• Auditors shall possess personal attributes to enable them to act in accordance with the principles of auditing and have successfully completed at least 32 hours of formal ISMS training or possess internationally recognized certifications such as the Certified Information Systems Auditor (CISA) or Certified Internal Auditor (CIA).
Management Review. Semiannual meetings will be held and at a minimum the input to the management reviews shall include:
• Results of ISMS audits and reviews
• Feedback from interested parties
• Techniques, products, or procedures that could be used at the University to improve the ISMS’s performance and effectiveness
• Status of preventive and corrective actions
• Vulnerabilities or threats not adequately addressed in the previous risk assessments
• Results from effectiveness measurements
• Follow-up actions from previous management reviews
Records Retention. Unless specified otherwise, ISMS records will be maintained in the department or college in which they were produced for a minimum of 30 days.
Training. All relevant personnel shall be made aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.
Rationale
Information security is not an ‘IT problem’, it is a business issue. Organizations that are within the scope of the University’s ISMS must establish, operate, and continuously ensure the appropriateness of safeguards against security threats. Beyond technology, crucial elements of the ISMS include managed planning, the creation of and adherence to policy/procedures, and properly recorded activities. The University’s ISMS depends on people who, with appropriate training and awareness, are its greatest strength.
Definitions
Control: A means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. NOTE: Control is also used as a synonym for safeguard or countermeasure (from ISO 27002:2005).
Information Security: Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved (from ISO 27002:2005).
Information Security Management System (ISMS): The key concept of an ISMS is for an organization to design, implement and maintain a coherent suite of processes and systems for effectively managing information accessibility, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks.
Risk Assessment: Overall process of risk analysis and risk evaluation (from ISO/IEC Guide 73:2002).
Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization (from ISO/IEC 13335-1:2004).
Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats (from ISO 27002:2005).
Additional Information
• Digital Millennium Act
• Family Educational Rights and Privacy Act (FERPA)
• FTC Red Flag rule
• Health Insurance Portability and Accountability Act (HIPAA)
• VISA Payment Card Industry (PCI) Compliance
Category
Governance
Version
1.0
Index Words
Information Security, Information Security Management System, ISMS, ISO 27001, Risk Assessment, Security