New England Institute of Technology

Written Information Security Policy 

Contents

Information Security Policy Overview

Policy Elements Applying to Everyone

Policy Elements Applying to Everyone EXCEPT Students 

Information Security Policy Overview 

Purpose 

New England Institute of Technology’s (NEIT’s) Written Information Security Policy (WISP) is intended to ensure the confidentiality, integrity, and availability of data and resources through the use of effective and established information security processes and procedures.  The WISP ensures that NEIT: 

  • Establishes a comprehensive approach to information security 
  • Complies with international, federal and state regulations including but not limited to: 
    • FERPA (Family Educational Rights and Privacy Act) 
    • GLBA (Gramm Leach Bliley Act) 
    • PCI (Payment Card Industry Data Security Standard) 
    • HIPAA (Health Insurance Portability and Accountability Act) 

The policy requirements and restrictions defined in this document shall apply to network infrastructures, databases, external media, encryption, hardcopy reports, films, slides, models, wireless, telecommunication, conversations, and any other methods used to convey knowledge and ideas across all hardware, software, and data transmission mechanisms.  This policy must be adhered to by all NEIT employees or temporary workers at all locations and by contractors working with NEIT as subcontractors.  

Scope 

This policy document defines common security requirements for all NEIT personnel and systems that create, maintain, store, access, process or transmit institutional data. This policy also applies to information resources owned by others, such as contractors of NEIT or entities in the private sector, in cases where NEIT has a legal, contractual or fiduciary duty to protect said resources while in NEIT custody. In the event of a conflict, the more restrictive measures apply.  This policy covers NEIT’s network system which is comprised of various hardware, software, communication equipment and other devices designed to assist NEIT in the creation, receipt, storage, processing, and transmission of information.  This definition includes equipment connected to any NEIT domain or VLAN, either hardwired or wirelessly, and includes all stand-alone equipment that is deployed by NEIT at its office locations, at remote locales or in cloud environments. 

Definitions 

Enterprise Asset/Device – Any asset/device that is owned by NEIT. 

BYOD Asset/Device – Any asset or device that is not owned by NEIT. 

Data stewards - Data stewards are designated university officials, typically department managers/functional directors, whose functional areas of responsibility include the creation or origination of institutional data. They have overall responsibility for managing and maintaining such data.  

Data custodians - Data custodians are individuals authorized by the data steward(s) who have operational responsibility for the administration of the systems and devices that store, process, transmit, or provide access to institutional data.  

Institutional data - Institutional data is information created, collected, maintained, transmitted, or recorded by or for the university to conduct university business. It includes data used for planning, managing, operating, controlling, or auditing university functions, operations, and mission.  Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.  

Roles and Responsibilities 

The first line of defense in data security is the individual NEIT user.  Security is a team effort and shared responsibility.  Security is part of a proactive mindset. Being security minded means you take precautions and follow best practices that will reduce your risk of becoming a victim of fraud or other criminal activity. 

NEIT users (including students) are responsible for: 

  • The security of all data which may come to them or they have access to in whatever format 
  • Complying with NEIT’s WISP 
  • Reporting suspected information security incidents to Department of Technology Services (DOTS) 

The Chief Information Officer is responsible for: 

  • Coordinating the development and maintenance of NEIT’s WISP and all supporting policies, procedures and documentation 

The Executive Committee is responsible for: 

  • Ensuring NEIT’s WISP is enforced across the entire organization. 
  • Ensuring security is considered throughout NEIT’s strategic planning process. 

The DOTS Information Security Team is responsible for: 

  • Maintaining ongoing training programs to inform all users of these requirements 
  • Coordinating information security incident response 
  • Providing information security consulting services throughout the organization 

System Administrators and DOTS are responsible for: 

  • User access controls for systems and applications they administer 
  • Providing technical support and guidance to system users 

Public Safety is responsible for: 

  • Managing and maintaining physical security controls for access to institutional data and systems 

The Data Steward is responsible for: 

  • The management and proficiency of data stored in the organization 
  • Developing and implementing data standards 
  • Monitoring data quality 
  • Providing support for data-related questions 

Data Custodians are responsible for: 

  • The technical data environment 
  • Managing the data structure 

Vendors, contractors and service providers are responsible for: 

  • Establishing and maintaining their own information security controls 
  • Protecting institutional data and systems they have access to 

Information Security Policy Lifecycle 

NEIT’s WISP will be reviewed and updated on a minimum of an annual basis using the process below: 

  1. NEIT’s Chief Information Officer (CIO) and Information Security Architect (ISA) will identify updates and changes to be made. 
  2. Updates and changes will be developed into a new draft. 
  3. The draft will be reviewed by other members of NEIT’s community including: 
    • DOTS staff 
    • Legal Counsel 
  4. The CIO and ISA will work with reviewers to make any adjustments to the draft. 
  5. The draft will be sent to the Executive Committee for review and approval. 
  6. Once approved, the updated draft will be published and disseminated to all NEIT users for review and acknowledgement. 

Policy Exceptions 

Unless otherwise specified, all exceptions to NEIT’s WISP must be approved in writing by the CIO and ISA prior to being put in place. 

Policy Elements Applying to Everyone 

Acceptable Use Policy 

New England Institute of Technology (NEIT) maintains and makes available to the campus community of students, faculty, and staff, computer information systems and network infrastructure resources (e.g. email, Internet, Intranet, and a wide variety of computer programs and applications, hereafter referred to as “Computing & Network Resources”) to support its business activities, academic programs, and related activities.  

The use of NEIT’s Computing & Network Resources is a privilege. The effective use of those resources requires the mutual respect and cooperative conduct of all users to ensure that everyone has necessary access and protection from interference or harassment. Following is NEIT’s policy with regard to use of, access to, and disclosure of NEIT’s Computing & Network Resources.  

Privacy and Confidentiality Considerations: NEIT will make reasonable efforts to maintain the integrity and effective operation of its Computing & Network Resources, but users are advised that the systems should in no way be regarded as secure media for the communication of sensitive or confidential information. Because of the nature and technology of electronic communication, NEIT can assure neither the privacy of an individual user’s use of NEIT’s Computing & Network Resources, nor the confidentiality of particular messages or materials that may be created, transmitted, received, or stored thereby.  

Authorized Users: Only NEIT faculty, staff, students and other persons who have received permission under the appropriate NEIT authority are authorized users of NEIT’s Computing & Network Resources. All authorized users will be issued a “username” and a “password” to access the various Computing & Network Resources available. Certain employees may also be provided with access to specific applications which are further protected by some form of additional “username” and “password.”   The use of “usernames” and “passwords” is an important aspect of NEIT’s Computing & Network Resources security. Usernames and passwords are the front line of protection for information maintained on the system. PROTECT YOUR “USERNAME” and “PASSWORD”. DO NOT SHARE THEM WITH ANYONE, including students or other employees. All “usernames” and “passwords” are to be treated as confidential NEIT information. Users are responsible for all activity associated with their user accounts. 

Permitted Uses of NEIT’s Computing & Network Resources: The use of NEIT’s Computing & Network Resources is provided to support NEIT’s business activities, academic programs and related activities. Computing & Network Resources shall be used in a manner consistent with those purposes. All activities inconsistent with those purposes are considered to be inappropriate and may jeopardize a user’s continued use or access to NEIT’s Computing & Network Resources.   

Prohibited Uses of NEIT’s Computing & Network Resources:  

  1. Revealing your account password to others or allowing use of your account by others.  
  2. Developing or executing programs that could harass others, infiltrate the system, or damage or alter the software components of the system.  
  3. Violating others’ privacy, tampering with security provisions, or attempting entry to non-public hosts.  
  4. Threatening, harassing, intimidating or otherwise violating the legal rights of others.  
  5. Publishing, posting, collecting, distributing or disseminating defamatory, infringing, obscene, unlawful, or other inappropriate material or information via the Internet.  
  6. Using for monetary gain or for commercial purposes that are not directly related to NEIT business or educational programs.  
  7. Copying, uploading or sending copies of documents or software programs in violation of copyright laws.  
  8. Deleting any author attributions, legal notices or proprietary designations or labels in a file in violation of copyright laws. (Software programs are protected by Section 117 of the 1976 Copyright Act. Unless they have written the program themselves, users do not have the right to make and distribute copies of programs without specific permission of the copyright holder.)  
  9. Falsifying the source or origin of software or other material contained in a file in violation of copyright laws.  
  10. Introduction of malicious programs into NEIT’s Computing & Network Resources (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). Uploading files that the user has reason to believe contain a virus or corrupted data.  
  11. Executing any form of unauthorized network monitoring which will intercept data not intended for the user’s host.  
  12. Accessing information or data for any purpose restricted or prohibited by laws or regulations.  
  13. Accessing the computing or networking system in a manner that adversely affects the availability or security of NEIT’s Computing & Network Resources to other members of the university community.  
  14. Excessively using Computing & Network Resources (e.g., tying up resources through game playing or other trivial applications; sending frivolous or excessive mail, including chain mail; downloading video, audio, etc.; or printing excessive copies of documents, files, images, or data).  
  15. Attempting to access electronic mail without authorization; attempting to breach or circumvent any security measures on any Computing & Network Resource, electronic mail or computer system; or attempting to intercept, or actually intercepting, any electronic mail or internet network transmissions without proper authorization.  
  16. Physically abusing any Computing & Network Resources computing equipment or supplies. (Incidences will be reported to Public Safety and to the appropriate administrative office.)  
  17. Downloading or use of Instant Messaging or Chat Services on NEIT computers without prior consent of NEIT DOTS.  
  18. Removing laptop computers containing sensitive or proprietary data or information, from campus without authorization.   
  19. NEIT business must be conducted using NEIT email; the use of personal or external email accounts to conduct NEIT business is strictly prohibited.  

NEIT Access, Inspection and Disclosure of Computing & Network Resources 

  1. NEIT reserves the right to access, inspect and disclose the contents of Computing & Network Resources as deemed necessary in its sole discretion without consent of the user.  
  2. To the extent permitted by law, NEIT reserves the right to access and disclose the contents of faculty, staff, students’, and other users’ electronic mail without the consent of the user.  
  3. Faculty, staff, students and other users are advised that NEIT’s Computing & Network Resources should be treated like a shared filing system, i.e., with the expectation that communications sent or received with the use of NEIT resources may be made available for review by any authorized NEIT official for purposes related to NEIT business.  
  4. Electronic mail and other data of students may constitute “education records” subject to the provisions of the federal statute known as the Family Educational Rights and Privacy Act of 1974 (FERPA). NEIT may access, inspect, and disclose such records under conditions that are set forth in the statute.  
  5. Any user of NEIT’s Computing & Network Resources who makes use of an encryption device to restrict or inhibit access to his or her electronic mail must provide access to such encrypted communications when requested to do so under appropriate NEIT authority.  
  6. Limitations on Disclosure and Use of Information Obtained: NEIT may, in its sole discretion, disclose the information contained in NEIT’s Computing & Network Resources to the extent permitted by law, without permission of the user.  

Disciplinary Action: Violations of the Acceptable Use Policy may result in the immediate suspension of Computing & Network Resources privileges, disciplinary action, including but not limited to, suspension or expulsion, and/or legal action.  

Authentication Policy 

  1. All passwords will be managed by the TechNet single sign-on portal when users log on to TechNet or the student portal. Users will not be allowed to change passwords in Windows or in Web for Students/Faculty.    
  2. Users will have a “Change Password” button inside the TechNet/Student portal page when they need to change their password.  If a user has forgotten their password or cannot log on for some reason, they must use the “forgot password” button on the logon page. They will be prompted to authenticate with one of the authentication methods they have previously configured, such as security questions or mobile phone.   
  3. Password length – minimum 14 characters.   
  4. Password complexity – at least 3 of these: capital letters, lowercase letters, numbers, symbols. 
  5. Password expiration – 90 days; users must wait 24 hours before changing the password a second time.    
  6. Password reuse – Users cannot use any of their previous 5 passwords.  
  7. If the Help Desk or staff absolutely need access to a user’s account, the procedure will be for a staff member to change the password, allow DOTS to access the account, and then set the account so that the user is required to change the password at their next logon.    
  8. Users are not allowed to use any part of their username in their password.    
  9. Users are not allowed to use dictionary words; no legitimate words may be used in a password. 
  10. Passwords must not be shared with ANYONE. Users cannot under any circumstance give their password to students, employees, contractors or temporary workers.    
  11. Passwords must never be written down. DOTS recommends the use of a password safe such as this free one: http://pwsafe.org. The Help Desk can assist with setting up this password safe.   
  12. Passwords must never be sent through email.  Sending passwords through email is not permitted.  
  13. Users must answer security questions with legitimate answers. Users should not make up answers, because they may need to use the answers later to unlock their accounts. 
  14. Users must not use the same or similar passwords for NEIT accounts that they use for personal accounts such as banking, online shopping, social media, etc. 
  15. No DOTS employee will ever ask a user for their password; users will not be asked to share passwords with DOTS, and they should not share passwords with anyone who asks.   
  16. Users must use a unique password for all systems not integrated with TechNet single sign-on.  
  17. Multi-Factor authentication is required for the following: 
    • All NEIT Email. 
    • Remote access to NEIT’s campus network. 
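As an added example (not NEIT’s or DOTS’s own tooling), the following Python checks a candidate password against rules 3, 4, 6, 8 and 9 above and reports which rules it violates. The sample word list, the constructed password history, and the readings of “any part of the username” (any run of three or more consecutive characters) and “dictionary words” (case-insensitive substring match against the word list) are assumptions; the reuse history is kept as salted PBKDF2 hashes so that no previous password is stored in clear.

```python
"""Password-policy checker modelled on rules 3, 4, 6, 8 and 9 of the
Authentication Policy (length, character classes, reuse of the previous 5
passwords, username fragments, dictionary words).

Added illustration, not NEIT's code.  The word list, the history and the
interpretation of rules 8 and 9 are assumptions and are marked as such.
"""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 14            # rule 3: minimum 14 characters
MIN_CLASSES = 3            # rule 4: at least 3 of upper / lower / digit / symbol
HISTORY_DEPTH = 5          # rule 6: none of the previous 5 passwords
USERNAME_FRAGMENT = 3      # assumption: any 3+ char run of the username is "part of" it
DICTIONARY_MIN_LEN = 4     # assumption: words of 4+ letters are matched as substrings
PBKDF2_ROUNDS = 50_000     # kept low for illustration; a real deployment uses far more

# Constructed stand-in for a real word list (assumption, not a NEIT artifact).
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "college", "technology", "institute"}

HistoryEntry = Tuple[bytes, bytes]   # (salt, PBKDF2 digest); plaintext is never retained


def hash_for_history(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 of a password, as stored in the reuse history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def character_classes(password: str) -> int:
    """Count how many of the four character classes named in rule 4 are present."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def contains_username_fragment(password: str, username: str) -> bool:
    """Rule 8, read as: no run of USERNAME_FRAGMENT or more characters of the
    username (or of its local part, for email-style usernames) appears in the password."""
    pw = password.lower()
    for part in {username.lower(), username.lower().split("@")[0]}:
        for i in range(len(part) - USERNAME_FRAGMENT + 1):
            if part[i:i + USERNAME_FRAGMENT] in pw:
                return True
    return False


def contains_dictionary_word(password: str, dictionary) -> bool:
    """Rule 9, read as a case-insensitive substring match against the word list."""
    pw = password.lower()
    return any(len(w) >= DICTIONARY_MIN_LEN and w.lower() in pw for w in dictionary)


def reused_from_history(password: str, history: Sequence[HistoryEntry]) -> bool:
    """Rule 6: recompute the salted hash against each of the last HISTORY_DEPTH entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def check_password(password: str, username: str, history: Sequence[HistoryEntry] = (),
                   dictionary=SAMPLE_DICTIONARY) -> List[str]:
    """Return the violated rules as short codes; an empty list means the password complies."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if character_classes(password) < MIN_CLASSES:
        violations.append("complexity")
    if contains_username_fragment(password, username):
        violations.append("username")
    if contains_dictionary_word(password, dictionary):
        violations.append("dictionary")
    if reused_from_history(password, history):
        violations.append("history")
    return violations


def demo() -> None:
    # Constructed history: one previously used password, stored only as a salted hash.
    history = [hash_for_history("Correct-Horse-Battery-9")]
    for candidate in ("Tr0ub4dor&3-Xylo!", "jsmith2024!!!!!",
                      "Welcome2024!!", "Correct-Horse-Battery-9"):
        result = check_password(candidate, "jsmith", history)
        print(f"{candidate!r}: {result or 'compliant'}")


if __name__ == "__main__":
    demo()
```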

Endpoint Security 

  1. All Enterprise endpoints must use NEIT’s enterprise managed antivirus installed in managed mode. 
  2. All computers accessing NEIT’s Computing & Network Resources must be running active, up to date malware protection. 
    • Malware protection must be enabled at all times. 
    • Files must be scanned on access. 
  3. All computers accessing NEIT’s Computing & Network Resources must be running a currently supported operating system. 
  4. All endpoints used to access non-public information must have an automatic screen locking mechanism configured. 
  5. Host based firewalls shall be used where possible. 

Bring Your Own Device (BYOD) 

Device Types 

  • Computers – Laptops and desktops running a full Operating System (OS) such as Windows, macOS or Linux. 
  • Mobile Devices – Phones, tablets, Chromebooks and similar devices, e.g. iPad, iPhone, Android phone, Android tablet, etc.  
  • Gaming Devices – Network-connected gaming devices, e.g. Xbox, PlayStation, Switch, etc.  
  • Network Devices – Network infrastructure devices which are used to provide network transport/communication services, e.g. routers, switches, firewalls, access points, etc. 
  • Internet of Things (IoT) Devices – All other network-connected devices, e.g. Smart TVs, Smart Speakers (Google Home, Echo Dot), Smart Lighting, etc.  

BYOD Owner Responsibilities 

  • Device owners are responsible for the operation and security of their devices. 
    • Users are required to keep their BYOD devices up to date with critical and security patches. 
    • Computers must have current anti-virus installed. 
    • Devices which store, process, transmit or access institutional data not classified as public must be protected to prevent unauthorized access.   
      • Automatic screen locking mechanisms which require the use of a pin, password or other form of authentication must be configured. 
      • BYOD mobile devices must be encrypted 
      • BYOD computers should be encrypted 
      • BYOD mobile devices must not be “rooted”, “jail broken” or have other similar security bypasses in place 
    • Theft or loss of any device which stores, processes, transmits or accesses institutional data not classified as public must immediately be reported to DOTS. 
  • Users are responsible for any privacy or security issues that arise from the use of Smart Speakers and other voice enabled IoT devices. 

Restrictions, Risks, Liabilities and Disclaimers 

  • Use of BYOD Network Devices is not permitted on any NEIT campus.  Unmanaged or “dumb” switches may be used only in Residence Halls. 
  • Microphone and Voice enabled BYOD devices are only permitted in Residence Hall residence rooms. 
  • Operating any BYOD device in a manner which bridges or extends NEIT’s network is prohibited.   
  • NEIT is not responsible for the maintenance, backup or loss of data on a BYOD device. 
  • NEIT is not responsible for the security of BYOD devices connected to NEIT’s campus network or systems 
  • NEIT is not responsible for the loss, theft or damage of BYOD devices.  This includes when a BYOD device is used for academic work or business activities. 
  • NEIT may require the installation of mobile device management or other management agents on BYOD devices used for conducting NEIT business. 
  • Institutional data must only be stored, processed, transmitted or accessed via a BYOD device if necessary to perform job duties. 
  • NEIT reserves the right to inspect BYOD devices used for business purposes for institutional data or other information. 
  • NEIT may wipe or destroy institutional data stored on BYOD devices used for business purposes.  While NEIT will take efforts to prevent loss of personal data, we cannot guarantee that personal data will not be lost.    
  • NEIT reserves the right to disconnect/disable access to any BYOD device without notification. 
  • NEIT reserves the right to review or retain personal and company-related data on personal devices or to release the data to government agencies or third parties during an investigation or litigation. 

Remote Access 

  1. All individuals and machines connected remotely are subject to NEIT’s Acceptable Use Policy. 
  2. Only approved remote access technologies are permitted.  All remote access technologies must be evaluated and approved by DOTS prior to use.    
  3. Users are required to disconnect remote access technologies when not in use.  
  4. Secure remote access must be strictly controlled with strong encryption (i.e., Virtual Private Networks (VPNs)) and strong pass-phrases.  
  5. Authorized Users shall protect their login and password, even from family members.  
  6. All hosts that are connected to NEIT internal networks via remote access technologies must use the most up-to-date anti-virus software and operating system/application security patches; this includes BYOD devices.  Firewalls should be enabled if possible.  
  7. Individuals are required to report the loss or theft of a device with VPN access installed immediately.  
  8. Individuals are not permitted to remotely access another individual’s system unless they are required to do so in performing their job or supporting/conducting academic activities.  
  9. The use of remote support tools such as GoToAssist, LogMeIn Rescue, Bomgar, etc., is permitted only when receiving external support from a vendor/manufacturer.  Establishment of permanent or unattended access through these technologies is prohibited.  
  10. Students are only permitted Virtual Desktop Infrastructure (VDI) access to lab systems.  Students are not permitted use of VPN or other remote access technologies for access to NEIT internal networks.  
  11. Remote access to NEIT’s systems must be protected using multi-factor authentication. 

Data Classification and Governance 

Classification Levels 

Public - Public data is institutional data that is intended for public use and has no access or management restrictions.  

Internal - Internal data is institutional data used to conduct university business and operations. It may only be accessed and managed by users whose role, function, or assignment requires it. Unless otherwise indicated, internal is the default level for institutional data.  

Private - Private data is institutional data classified as private due to legal, regulatory, administrative, or contractual requirements; intellectual property or ethical considerations; strategic or proprietary value; and/or other special governance of such data. Access to and management of private data requires authorization and is only granted to those users as permitted under applicable law, regulation, contract, rule, policy, and/or role.  

Restricted - Restricted data is institutional data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, or policy requirements. Access to and management of restricted data is strictly limited as unauthorized use or disclosure could substantially or materially impact the university’s mission, operations, reputation, finances, or result in potential identity theft.  

Data Types and Classifications 

The list below defines common data types. Each entry gives the data type and its classification, followed by a description and examples.

Contractual Non-Disclosure – Classification: Internal 

Information, materials, data and records designated confidential by contract, including information obtained by the University from third parties under non-disclosure agreements or any other contract that designates third party information as confidential.  

Departmental Administration – Classification: Internal 

Budgetary, departmental, or University planning information. Non-public financial, procurement, health/safety, audit, insurance and claims information.  

Law Enforcement Information – Classification: Private 

Non-public law enforcement records generated or maintained by Public Safety. 

Payment Card Industry (PCI) Information – Classification: Restricted 

Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry (PCI) Data Security Standards and overseen by the Bursar’s Office. Credit or debit card information cannot be stored in any electronic format.  

  • Cardholder name  
  • Credit/debit card account number  
  • Credit/debit card expiration date  
  • Credit/debit card verification number  
  • Credit/debit card security code  

Private Personal Information – Classification: Private 

This is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor.  

For everyone: 

  • Social Security number  
  • National ID number  
  • Passport number  
  • Visa permit number  
  • Driver’s license number  
  • Disability information  
  • Ethnicity  
  • Gender  
  • Biometric information  
  • Date of birth 

For employees: 

  • Biographic/demographic data (date and location of birth, country of citizenship, citizenship status, marital status, military status)  
  • Criminal record & criminal background check information  
  • Home address  
  • Grievance information  
  • Discipline information  
  • Leave-of-absence reason  
  • Payroll and benefits information  
  • Health information  
  • Conflict of Interest information 

For donors: 

  • Biographic/demographic data  
  • Contact information  
  • Prospect data  
  • Gift and gift-planning data  

Proprietary Intellectual Property – Classification: Internal 

Proprietary intellectual property in which the University asserts ownership that is created by University employees in connection with their work. 

Protected Health Information – Classification: Private 

Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health information that relates to the:  

  • Past, present, or future physical or mental health or condition of an individual.  
  • Provision of health care to the individual by a covered entity (for example, a hospital or doctor).  
  • Past, present, or future payment for the provision of health care to the individual.  

The following individually identifiable data elements, when combined with health information about that person, make such information protected health information (PHI):  

  • Names  
  • Telephone numbers  
  • Fax numbers  
  • Email addresses  
  • Social Security numbers  
  • Medical record numbers  
  • Health plan beneficiary numbers  
  • License plate numbers  
  • URLs  
  • Full-face photographic images  
  • Any other unique identifying number, characteristic, code, or combination that allows identification of an individual  

Student Education Records (FERPA) – Classification: Private 

Records that contain information directly related to a student and that are maintained by the University or by a person acting for the University. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records. “Directory information” about a student is not regulated by FERPA and can be released by the University without the student’s permission. Students can request non-disclosure from the Registrar’s Office.  

Student Loan Application Information (GLBA) – Classification: Private 

Personal financial information held by financial institutions and higher education organizations as related to student loan and financial aid applications. Gramm Leach Bliley Act (GLBA) provisions govern this data type.  

Financial Information – Classification: Restricted 

  • Bank account numbers (excluding wire transfer/payment account information on invoices RECEIVED by NEIT)  
  • Loan account numbers  
  • Tax returns and forms  

Technical Authenticators – Classification: Restricted 

  • Built-in generic account passwords 
  • VPN pre-shared keys 
  • PKI private keys 
  • Network management keys 
  • Other keys used for authentication or encryption 

Data Collections

Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student’s name, address and social security number, the data collection should be classified as Private even though the student’s name and address may be considered Public information.  

Data Handling  

  1. Data classified as Public is permitted to be stored and transmitted freely both electronically and in hard copy.  Data transmitted in email and over public networks (Internet) does not need to be encrypted.
  2. Electronic data classified as Internal, Private or Restricted must only be captured, created, processed, transmitted or stored via DOTS approved technologies, systems or applications.
    • Electronic data classified as Internal or Private must be protected from disclosure to unauthorized parties when being transmitted over public networks. This is commonly achieved using encrypted communication methods.  Data transmitted in email destined for any external recipient (those without an @neit.edu or @email.neit.edu email address) must use NEIT’s encrypted email solution.
  3. Data classified as Restricted is not permitted to be captured, transmitted or stored electronically in email. Other electronic storage locations must be approved by DOTS.  Hard copies must be kept to a minimum and secured in locations with restricted access.
    • Storing of credit card information is strictly prohibited.
  4. Any data that is classified as Internal, Private or Restricted that is received via an insecure method, must be protected in any response or forwarding of the information. For instance, a SSN in the body of an email received by NEIT must be removed or encrypted when responding.
    • Users are not permitted to request information in a manner which is insecure.
  5. Data classified as Internal, Private or Restricted are not permitted to be stored in personal/non-NEIT email accounts, cloud storage or similar technologies.
  6. Propagation and duplication of data must be kept to a minimum and performed only as needed.
  7. Data must not be solely stored on endpoints (computers and mobile devices) unless the endpoint is backed up via a DOTS approved method. 

Data Retention 

All data retention, electronic or hard copy, must comply with 6.2 RECORD RETENTION AND DISPOSAL POLICY posted on Technet. 

Data Destruction 

  1. All data destruction, electronic or hard copy, must comply with 6.2 RECORD RETENTION AND DISPOSAL POLICY posted on Technet. 
  2. All media containing data classified entirely as Public can be disposed of using any method. 
  3. Physical copies of data classified as Internal, Private or Restricted must be destroyed in a manner which prevents re-assembly of the data. 
  4. Electronic copies of data classified as Internal, Private or Restricted must be destroyed using industry accepted methods. 

Information Security Incident Response Management 

Information security incident response is the set of activities taken to plan for, detect and correct the impact of an information security incident.  An information security incident is: 

  1. An event that suggests a violation of NEIT’s information security policies or posture has occurred or is likely to occur. 
  2. An event which impacts one or more information assets and poses a clear threat to the confidentiality, integrity or availability of information resources. 

DOTS will organize an incident response team which will include those individuals who must be present to handle the systems and functional areas that can minimize the impact of an incident as it occurs.  NEIT’s Information Security Incident Response will work in conjunction with NEIT’s Emergency Preparedness and Response Plan. 

NEIT’s information security incident response management consists of the following phases: 

Planning 

NEIT’s Incident Response (IR) planning will be managed by the CIO/ISA.  NEIT’s IR planning must: 

  1. Be organized in a manner which supports rather than impedes access to the information necessary to respond to an incident. 
  2. Include detailed procedures which include actions to take both during and after an incident. 
  3. Be stored in a location which is both: 
    • Secure enough to prevent unauthorized access. 
    • Easily accessible enough as to not impede response efforts. 
  4. Be regularly updated to keep up with the changes in NEIT’s business. 
  5. Be regularly tested to identify gaps/effectiveness. 

Detection 

During this phase, events are detected and evaluated to determine if an information security incident has occurred.  Early detection of events is critical in the incident response process.  Event detection can occur in multiple ways including: 

  1. Automated detection by technical solutions 
  2. Manual detection and reporting by users 

The following tasks are to be performed during this phase: 

  1. Individuals are required to immediately report all potential information security incidents to the Help Desk, ISA or CIO.  Events reported to the Help Desk will be escalated to the ISA/CIO. 
  2. The ISA/CIO will perform incident classification which is the process of examining a potential incident and determining if an information security incident has occurred.   
  3. The ISA/CIO will coordinate efforts to determine the priority and scope of the incident. 

Reaction 

Incident reaction consists of actions outlined in NEIT’s information security incident response plan which will guide the organization in: 

  1. Attempting to stop the incident. 
  2. Mitigating the impact of the incident. 
  3. Providing information for recovery from the incident. 

The following tasks are to be performed during this stage:

  1. Notification of key personnel through a call tree.
  2. Documentation of the incident including:
    • What occurred.
    • How it occurred.
    • What actions were taken.
  3. Analysis to determine areas of impact and need for system interruption.
  4. If necessary, action is taken to:
    • Stop an incident from occurring.
    • Contain the scope or impact of the incident.

Recovery 

Once an incident has been contained and system control restored, the recovery phase must be immediately executed.   

The following tasks are to be performed during this stage: 

  1. Identification and notification of resources necessary for recovery. 
  2. Incident damage assessment is performed to determine the scope of the breach in confidentiality, integrity or availability of information assets.  The ISA will coordinate all computer and digital forensics efforts. 
  3. Identification and remediation of vulnerabilities which allowed the incident to occur or spread. 
  4. Evaluate and improve safeguards which: 
    • Failed to stop/limit the incident. 
    • Are missing from the system in the first place. 
  5. Evaluate and improve monitoring capabilities. 
  6. Restore data, services and processes. 
  7. Continuously monitor for repeat incidents. 
  8. Restore confidence in communities of interest. 
  9. Implement lessons learned. 

Policy Elements Applying to Everyone EXCEPT students 

Asset Management 

  1. All NEIT owned or leased software products must be inventoried by DOTS. 
  2. All network infrastructure and data center hardware must be inventoried by DOTS. 
  3. All open source or otherwise free software used in the process of conducting NEIT business must be inventoried by DOTS. 
  4. All asset inventories must be updated at a minimum of an annual basis. 

Vulnerability and Patch Management 

DOTS will document, implement and maintain a vulnerability and patch management program including a list of assets to be scanned.  DOTS staff will coordinate vulnerability remediation/mitigation with service providers, system administrators and other appropriate individuals.   

  • Where possible, patches and updates should be validated in a non-production environment or against a pilot group of systems. 
  • All system components and software shall be protected from known vulnerabilities by installing applicable vendor supplied security patches on a regular schedule.  The patching schedule will be determined by a variety of factors but should meet the following guidelines wherever possible. 
    • Out-of-band patches will be evaluated on a per case basis. 
    • Critical and security updates and patches shall be installed within 30 days. 
    • High and medium severity patches shall be installed within 120 days. 
    • All other patches will be evaluated and installed on a per case basis. 

Vendor Management 

  1. All vendor contracts for services or products that create, maintain, store, access, process or transmit institutional data (new and renewals) must be reviewed and approved by DOTS and NEIT Legal Counsel prior to being executed by NEIT. 
  2. Vendor contracts must include cybersecurity language/stipulations pertaining to the processing and storing of institutional data. 
  3. Vendor contracts must include a breach notification clause. 
  4. Vendor contracts must have a backout clause pertaining to cybersecurity incidents and breaches. 
  5. All vendor relationships must have a non-disclosure agreement. 
  6. Service provider SOC reports must be reviewed prior to engaging in a contract. 
  7. Service level agreements and other contractual obligations must be reviewed for failures and considered when renewing contracts. 

System/Technology Acquisition 

DOTS must evaluate and approve all potential systems or technologies for security and due diligence prior to purchase (for paid systems/technologies) or prior to implementation (for free/open source systems/technologies). 

User Access Control 

  1. DOTS will establish standards, procedures and guidance for user account moves, adds, changes and deletion. 
    • DOTS and system administrators must be notified of all changes in employment. 
    • Notifications must be provided 48 business hours prior to the effective date of the change.  Any notifications sent within 48 hours will be made under best effort. 
    • Termination notifications must be sent immediately. 
  2. DOTS will establish standards, procedures and guidance for user account permission management. 
  3. The principle of least privilege must be used when granting permissions.  Users must only be granted access to systems and institutional data which is needed to perform their duties. 
  4. User accounts dormant for more than 180 days must be disabled.  Managerial approval is required to re-activate dormant accounts. 
  5. The use of generic/unnamed accounts is not permitted.  Service accounts must be registered with DOTS prior to being placed into use.  Exceptions must be approved in writing by the DOTS security team. 

Physical Security 

  1. Use physical security devices to lock down computers that are in public or otherwise unsecured spaces. Laptops must not be stored overnight or for extended periods in vehicles. When traveling, laptops must be kept out of sight (e.g. in a trunk). 
  2. Network and systems infrastructure must be physically secured from tampering or theft. 
    • Doors must remain closed and locked at all times.  Doors must not be propped open or left unlocked when unattended. 
    • Physical access by vendors/contractors must be approved by DOTS prior to granting access. 
  3. Storage locations for sensitive institutional data must be physically secured from tampering or theft.
    • Doors must remain closed and locked at all times.  Doors must not be propped open or left unlocked when unattended. 
    • Physical access by vendors/contractors must be approved by the Data Steward prior to granting access.   
  4. All visitors must present valid ID and sign in/out prior to accessing secured areas.  Visitors must be escorted in these areas and are not to be left unattended in secured areas. 

Network Threat Protection 

  1. Firewalls and intrusion detection/prevention technologies must be installed at the boundary between NEIT’s campus network and any public network (i.e. the Internet). 
  2. All perimeter firewalls must be managed by DOTS. 
  3. DOTS is responsible for the security and architecture of NEIT’s network threat protection systems. 
  4. Network segmentation must be used to compartmentalize systems and data. 
  5. Managed Secure Domain Name System (DNS) must be used on internal network segments and NEIT’s campus network. 

Security Awareness Training 

  1. DOTS will establish and maintain a security awareness training program. 
  2. All NEIT employees are required to complete basic security training. 
  3. System administrators may be required to complete additional security training. 
  4. Users with access to regulated/protected information may be required to complete additional security training. 
  5. All employees are required to review and acknowledge NEIT WISP at the following events/intervals: 
    • Hire (new and returning). 
    • Whenever changes are made to the WISP or annually, whichever is shorter. 

Configuration Management 

  1. Default vendor authenticators (passwords, PINs, keys, etc.) must be changed on any technology/system prior to being placed into use. 
  2. Default (i.e. factory) certificates must not be used in production.  Unique certificates generated as part of the deployment are exempt. 
  3. All systems must go through a security hardening and best practices review and remediation prior to being placed into production.
    • Unused services, features and ports must be disabled. 
    • Generic accounts should be removed/secured. 
  4. Secure configuration and architecture must be integrated into the solution/deployment and not added on after implementation. 

Backup Policy 

  1. DOTS is solely responsible for managing backups of institutional data. 
  2. Systems and data in NEIT’s on-premises data centers must be backed up. 
    • A minimum of two backup copies must be kept. 
    • Backups must be copied offsite.

Change Management 

A Change is the transition of an identifiable infrastructure component or service (whether hardware or software) from one defined configuration state to another. Examples include configuration changes, patches, hardware updates, O/S and application upgrades. 

DOTS will coordinate the establishment of a Change Advisory Board who will review and approve change requests.  The Change Advisory Board must include: 

  • CIO 
  • ISA 
  • DOTS Managers 

Types of Changes 

  • Standard – Any pre-approved change which is low risk, repeatable and follows a documented process. Documented processes must be approved by NEIT’s Change Advisory Board. 
  • Emergency – Any change which requires immediate implementation. 
  • Normal – Any change which is not standard or emergency.

Maintenance Windows 

  • Standard maintenance windows during academic quarters 
    • M-F – 12 AM to 6 AM 
    • Saturday – 12 AM to 8 AM, 8 PM to 12 AM 
    • Sunday – 12 AM to 9 AM 
  • Academic breaks 
    • M-F – 6 PM to 7 AM 
    • Saturday/Sunday – All day 
  • Blackout windows 
    • Requires additional approval.
    • Starts the Saturday before the start of an academic quarter through the end of week 1. 
    • Starts the Saturday prior to week 10 of an academic quarter through the end of week 10.

Change request 

DOTS will develop and maintain processes and procedures for handling change requests.  Change requests must include the following information: 

  1. What services will be impacted and to what degree. 
  2. Description and detail of change to be made. 
    • Vendors working in co-managed NEIT systems are required to provide step by step instructions and full configurations in change requests.
  3. The impact to systems or information security. 
  4. Communication plan. 
  5. Backout plan. 
  6. Testing plan. 
  7. Implementation schedule. 

Change review and approval 

The Change Advisory Board will oversee review and approval of change requests. The review process should include: 

  1. Security and best practices review. 
  2. Approval or rejection decision. 
  3. If rejected, provide details (the request may require adjustments). 
  4. If approved, move on to scheduling. 

Change implementation and validation 

The following restrictions must be adhered to in order to minimize risk. 

  1. The individual implementing the change cannot be the sole approver of the change. 
  2. The individual validating the change cannot be the sole implementer of the change. 

All changes must follow this process: 

  1. Change is implemented. 
  2. Change is immediately validated. 
  3. Change completion signoff. 
  4. Final documentation of change completed and stored. 

Log and Event Management 

Logging from critical systems, applications and services can provide key information and potential indicators of compromise.  Although logging information may not be viewed on a daily basis, it is critical to have from a forensics standpoint.   

DOTS will establish standards, processes and guidelines for the configuration and management of logs and events. 

All systems that handle confidential information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit-logging information sufficient to answer the following questions:  

  1. What activity was performed?  
  2. Who or what performed the activity, including where or on what system the activity was performed from (subject)?  
  3. What was the activity performed on (object)?  
  4. When was the activity performed?  
  5. What tool(s) was the activity performed with?  
  6. What was the status (such as success vs. failure), outcome, or result of the activity? 

Information System audit logs must be retained for an appropriate period of time, based on business requirements. Audit logs that have exceeded this retention period should be destroyed.
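The following is an added example, not NEIT's or DOTS's own tooling: it checks JSON-lines audit records against the six questions listed above and flags records that have passed the retention period. The field names (action, subject, source, object, timestamp, tool, outcome) and the sample records are assumptions constructed for illustration.

```python
# Added example (not NEIT's own tooling): check that JSON-lines audit records
# answer the policy's six questions, and flag records past the retention period.
# The field names are an assumed schema, not one defined by the policy.
import json
from datetime import datetime, timedelta, timezone

# Required field -> the policy question it answers (assumed schema).
REQUIRED_FIELDS = {
    "action": "what activity was performed",
    "subject": "who or what performed the activity",
    "source": "where / from what system it was performed",
    "object": "what the activity was performed on",
    "timestamp": "when it was performed",
    "tool": "what tool it was performed with",
    "outcome": "status or result of the activity",
}

# Constructed sample: line 1 complete, line 2 lacks an outcome, line 3 complete but old, line 4 unparseable.
SAMPLE_LOG = """\
{"timestamp": "2024-03-02T01:15:09Z", "action": "login", "subject": "jdoe", "source": "10.0.0.5", "object": "sis-portal", "tool": "web", "outcome": "success"}
{"timestamp": "2024-03-02T01:16:40Z", "action": "login", "subject": "jdoe", "source": "10.0.0.5", "object": "sis-portal", "tool": "web"}
{"timestamp": "2023-01-10T08:00:00Z", "action": "read", "subject": "svc-backup", "source": "bkp01", "object": "/srv/records", "tool": "rsync", "outcome": "success"}
not json at all
"""
DEMO_NOW = datetime(2024, 3, 3, tzinfo=timezone.utc)  # constructed "current" time

def missing_fields(record):
    """Return the policy questions a record cannot answer (absent or empty fields)."""
    return [q for f, q in REQUIRED_FIELDS.items() if not record.get(f)]

def audit_log_report(text, retention_days, now):
    """Classify each non-empty line as ok, deficient, unparseable or expired."""
    cutoff = now - timedelta(days=retention_days)
    report = {"ok": [], "deficient": {}, "unparseable": [], "expired": []}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            report["unparseable"].append(n)
            continue
        gaps = missing_fields(rec)
        if gaps:
            report["deficient"][n] = gaps
            continue
        # fromisoformat accepts a trailing "Z" only from Python 3.11, so normalise it.
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        # Records past the retention period are due for destruction, not continued storage.
        (report["expired"] if ts < cutoff else report["ok"]).append(n)
    return report

if __name__ == "__main__":
    print(json.dumps(audit_log_report(SAMPLE_LOG, 365, DEMO_NOW), indent=2))
```

A record in the "deficient" list is the one to fix at the source, since a log that cannot say who did what, from where, and with what result is of little forensic value.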