Information Security Program Plan
Guiding Principles
The Baylor Information Technology Services (ITS) Information Security Group is committed to excellence in ensuring the confidentiality, integrity, and availability of the university's information assets in order to enable the academic, research, and operational business of the university.
Information Security staff work closely with Baylor ITS colleagues, campus academic and administrative departments, and individual faculty and staff members to maintain and enforce effective policies, compliance, guidelines, and procedures to protect the university's network, information, and technology assets.
Plan Contact and Responsible Officer
Jon Allen, Chief Information Officer and Chief Information Security Officer
Reporting Structure
The Baylor ITS Information Security Group is led by the Chief Information Security Officer, Jon Allen, who also currently serves as the university's Chief Information Officer.
Scope
This Information Security Program Plan applies to all faculty, staff, students, auxiliary staff, and any other persons with access to Baylor University electronic information and technology resources.
Applicable Policies and Guidelines
- Technology Usage Policy
- Information Use Policy
- Network Usage Policies
- Server Security Policy
- Password Policies
- Technology Incident Reporting Policy
Information Security at Baylor University
Digital & Physical Access Control
- Baylor utilizes a commercial identity management system to ensure that access to university resources is de-provisioned appropriately at separation. The system supports a request and approval process for university ERP access authorization based on approved university guidelines.
- Functional user departments perform an annual review of access authorization to university ERP systems under the supervision of the university internal audit department.
- VPN access is secured with Duo two-factor authentication.
- VPN access with two-factor authentication is required for access to critical university data resources from outside the campus primary wired network, including from the AirBear wireless campus network.
- Visitors to the Information Technology Services data center must be sponsored, logged in, badged, and accompanied by appropriate Baylor ITS staff members.
- Single sign-on credentials are used to access most university resources, minimizing the number of username/password combinations constituents must maintain.
- University-owned devices are deployed with password-protected inactivity timeouts. Users are encouraged to proactively lock their systems before stepping away from them.
Identification and Authentication
- Shibboleth authentication through the InCommon Federation is the university standard for cloud services.
- Duo two-factor authentication is deployed for the most sensitive data access with plans for expansion to additional critical university technology services.
- Strong passwords are enforced, with a forced change every 180 days and no re-use of the last four values.
- Potential account compromises are identified using internal systems and external notifications. Those accounts are disabled until passwords are reset.
- Users are required to set a mobile passcode at the time their device is deployed.
Awareness and Training
- The ITS information security awareness program is branded as #BearAware.
- The #BearAware website (its.web.baylor.edu/bearaware) is regularly updated with news and information about information security best practices, university security policies and requirements, and general cybersecurity threats.
- The #BearAware program leverages @BaylorITS social media platforms to increase awareness.
- BearAware Bulletins are emailed on occasion to provide information on cybersecurity issues and trends.
- BearAware Alerts are emailed as needed to address urgent campus information security issues.
- The ITS Information Security Group leads the university’s observance of National Cybersecurity Awareness Month each October with special events and unique marketing campaigns.
- A Baylor ITS table is staffed at new student orientation sessions and provides campus information security information to incoming students and their parents.
- The Chief Information Security Officer leads a Security Working Group composed of key campus IT staff members to discuss security-related issues and to disseminate security information.
- The Chief Information Security Officer is a key participant in new faculty and new staff orientation sessions.
- The Chief Information Security Officer provides ad hoc information security presentations throughout the year to various campus committees and working groups such as the Academic Technology Directors, the Libraries & ITS Advisory Council, and the university’s Executive Council.
Configuration & Systems Management & Maintenance
- A standard configuration is deployed for all university-owned desktop/notebook/laptop computers that includes regularly updated anti-virus software.
- Patches and upgrades for installed OS and software on university-owned computers are tested and pushed in a timely manner.
- Critical security updates and patches to essential applications are given immediate priority.
- The university uses a centralized asset management system for university-owned computers that supports system patching and compliance checks.
- Vulnerability scanning is conducted to audit compliance with configuration standards and patching levels.
- System activity is logged to monitor for security incidents.
Data Protection
- Code42's CrashPlan cloud backup solution is deployed on all university primary computers to safeguard university data.
- Box is licensed for all faculty, staff, and students for encrypted, authenticated file storage.
- A data classification guide, created by ITS Information Security, is maintained and used in technology evaluations and requirements.
- Hard drives of computers returned to ITS are digitally scrubbed to NIST requirements before recycling or donation.
- A data loss prevention application is deployed on university-owned computers that access sensitive and/or confidential data.
- Proposed new technologies undergo information security, infrastructure fit, and legal reviews to protect the integrity and ownership of university data.
Audit, Assessment & Risk Management
- A comprehensive bi-annual third-party security audit is contracted by ITS Information Security.
- All proposed new technologies and services are reviewed by information security staff members before contract approval and signature.
- An isolated PCI network, selective deployment of thin client workstations, participation in the university’s Payment Card Operations committee, and consistent use of the TouchNet payment gateway by applications and services that accept online payments are components of technology-related PCI compliance efforts.
- ITS Information Security, IT Infrastructure, and Information Systems & Services are participants in the university enterprise risk process to align information risks with overall institutional risks.