New England Institute of Technology

Written Information Security Policy 

Contents

Information Security Policy Overview

Institution Wide Policies

Business Policies

Information Security Policy Overview

Purpose 

New England Institute of Technology’s (NEIT’s) Written Information Security Policy (WISP) is intended to ensure the confidentiality, integrity, and availability of data and resources through the use of effective and established information security processes and procedures.  The WISP ensures that NEIT: 

  1. Establishes a comprehensive approach to information security 
  2. Complies with international, federal and state regulations including but not limited to: 
    1. FERPA (Family Educational Rights and Privacy Act) 
    2. GLBA (Gramm Leach Bliley Act) 
    3. PCI DSS (Payment Card Industry Data Security Standard) 
    4. HIPAA (Health Insurance Portability and Accountability Act) 

Scope 

The policy requirements and restrictions defined in this document apply to network infrastructure, databases, external media, encryption, hardcopy reports, films, slides, models, wireless, telecommunication, conversations, and any other method used to convey knowledge and ideas across all hardware, software, and data transmission mechanisms, including systems that create, maintain, store, access, process or transmit institutional data. This policy also applies to information resources owned by others, such as contractors of NEIT or entities in the private sector, in cases where NEIT has a legal, contractual or fiduciary duty to protect those resources while they are in NEIT custody. In the event of a conflict, the more restrictive measures apply. 

This policy covers NEIT’s network system, which is comprised of the hardware, software, communication equipment and other devices that assist NEIT in the creation, receipt, storage, processing, and transmission of information. This includes equipment connected to any NEIT domain or VLAN, either hardwired or wirelessly, and all stand-alone equipment deployed by NEIT at its office locations, at remote locales or in cloud environments. 

Definitions 

  1. Computing & Network Resources – Information systems and network infrastructure resources (e.g. email, Internet, Intranet, and a wide variety of computer/technical programs, applications and services) made available to the campus community including students, faculty and staff. 
  2. Institutional data - Institutional data is information created, collected, maintained, transmitted, or recorded by or for the university to conduct university business. Institutional data includes, but is not limited to, information in paper, electronic, audio, and visual formats.  
  3. Data stewards - Data stewards are designated university officials, typically department managers/functional directors, whose functional areas of responsibility include the creation or origination of institutional data. 
  4. Data custodians - Data custodians are individuals authorized by the data steward(s) who have operational responsibility for the administration of the systems and devices that store, process, transmit, or provide access to institutional data. 
  5. Enterprise Asset/Device – Any asset/device that is owned by NEIT. 
  6. BYOD Asset/Device – Any asset or device that is not owned by NEIT. 
  7. Asset/Device Types 
    1. Computers – Laptops and Desktops running a full Operating System (OS) such as Windows, MacOS or Linux. 
    2. Mobile Devices – Phones, tablets, Chromebooks and similar devices, e.g. iPad, iPhone, Android phone, Android tablet. 
    3. Gaming Devices – Network connected gaming devices, e.g. Xbox, PlayStation, Switch. 
    4. Network Devices – Network infrastructure devices used to provide network transport/communication services, e.g. routers, switches, firewalls, access points. 
    5. Internet of Things (IoT) Devices – All other network connected devices, e.g. smart TVs, smart speakers (Google Home, Echo Dot), smart lighting. 

Roles and Responsibilities 

The first line of defense in data security is the individual NEIT user.  Security is a team effort and shared responsibility.  Security is part of a proactive mindset. Being security minded means you take precautions and follow best practices that will reduce your risk of becoming a victim of fraud or other criminal activity. 

NEIT users (including students) are responsible for: 

  1. Protecting data they encounter from unauthorized disclosure, use, modification and deletion 
  2. Complying with NEIT’s WISP 
  3. Reporting suspected information security incidents to Department of Technology Services (DOTS) 

BYOD Owners are responsible for: 

  1. The operation, privacy and security of their assets/devices. 
  2. Keeping their BYOD assets/devices up to date with critical and security patches. 
  3. Any operation, privacy or security issues associated with their assets/devices. 

The Chief Information Officer is responsible for: 

  1. Coordinating the development and maintenance of NEIT’s Information Security Program 
  2. Acting as NEIT’s Qualified Individual as required by GLBA compliance. 

The Executive Committee is responsible for: 

  1. Ensuring NEIT’s WISP is enforced across the entire organization.  
  2. Ensuring security is considered throughout NEIT’s strategic planning process. 
  3. Supporting and enforcing security operations including adequate funding, training and staffing 

The DOTS Information Security Team is responsible for: 

  1. Maintaining ongoing training programs to inform all users of these requirements 
  2. Coordinating information security incident response 
  3. Providing information security consulting services throughout the organization 
  4. Developing security baselines and guidelines 
  5. Auditing and assessing security posture and compliance with governance, regulatory and compliance requirements as well as NEIT policies and procedures. 

System Administrators and DOTS are responsible for: 

  1. Controlling and monitoring access to the data, systems, and applications they administer 
  2. Providing technical support and guidance to system users 
  3. Managing vendor relationships 

Public Safety is responsible for: 

  1. Managing and maintaining physical security controls for access to institutional data and systems 

Data Stewards are responsible for: 

  1. Managing the quality of the institutional data stored in their functional area 
  2. Developing, implementing and monitoring data standards 
  3. Providing support for data related questions 

Data Custodians are responsible for: 

  1. Maintaining the technical data environment 
  2. Managing the data structure 

Vendors, contractors, service providers, and third-parties are responsible for: 

  1. Establishing and maintaining their own information security controls 
  2. Protecting institutional data and systems they have access to 

Information Security Policy Lifecycle 

NEIT’s WISP will be reviewed and updated on a minimum of an annual basis using the process below: 

  1. NEIT’s Chief Information Officer (CIO) and Information Security Architect (ISA) will identify updates and changes to be made. 
  2. Updates and changes will be developed into a new draft. 
  3. The draft will be reviewed by other members of NEIT’s community including: 
    1. SMT
    2. Legal Counsel 
  4. The CIO and ISA will work with reviewers to make any adjustments to the draft. 
  5. The draft will be sent to the Executive Committee for review and approval. 
  6. Once approved, the updated draft will be published and disseminated to all NEIT users for review and acknowledgement. 

Policy Exceptions 

Unless otherwise specified, all exceptions to NEIT’s WISP must be approved in writing by the CIO and ISA prior to being put in place. 

Disciplinary Action 

Violations of NEIT’s Written Information Security Policy may result in the immediate suspension of Computing & Network Resources privileges, disciplinary action, including but not limited to, suspension or expulsion, and/or legal action.  

Institution Wide Policies  

Applies to all users of NEIT’s computing and network resources including but not limited to students, faculty, and staff, service providers, vendors and contractors. 

Acceptable Use Policy 

The use of NEIT’s Computing & Network Resources is a privilege. The effective use of those resources requires the mutual respect and cooperative conduct of all users to ensure that everyone has necessary access and protection from interference or harassment.  

Privacy and Confidentiality Considerations: NEIT will make reasonable efforts to maintain the integrity and effective operation of its Computing & Network Resources, but users are advised that the systems should in no way be regarded as secure media for the communication of sensitive or confidential information. Because of the nature and technology of electronic communication, NEIT can assure neither the privacy of an individual user’s use of NEIT’s Computing & Network Resources, nor the confidentiality of particular messages or materials that may be created, transmitted, received, or stored thereby. 

Authorized Users: Only NEIT faculty, staff, students and other persons who have received permission under the appropriate NEIT authority are authorized users of NEIT’s Computing & Network Resources. All authorized users will be issued a “username” and a “password” to access the various Computing & Network Resources available. The use of “usernames” and “passwords” is an important aspect of NEIT’s Computing & Network Resources security. Usernames and passwords are the front line of protection for information maintained on the system. PROTECT YOUR “USERNAME” and “PASSWORD”. DO NOT SHARE THEM WITH ANYONE, including students or other employees. All “usernames” and “passwords” are to be treated as confidential NEIT information. Users are responsible for all activity associated with their user accounts.

Permitted Uses of NEIT’s Computing & Network Resources: The use of NEIT’s Computing & Network Resources is provided to support NEIT’s business activities, academic programs and related activities. Computing & Network Resources shall be used in a manner consistent with those purposes. All activities inconsistent with those purposes are considered to be inappropriate and may jeopardize a user’s continued use or access to NEIT’s Computing & Network Resources.  

Prohibited Uses of NEIT’s Computing & Network Resources:  

  1. Revealing your account password to others or allowing use of your account by others.  
  2. Violating others’ privacy; breaching, tampering with, or circumventing security controls; or attempting unauthorized access to Computing & Network Resources or institutional data.  
  3. Executing any form of unauthorized network monitoring or access which will intercept data restricted or prohibited by laws/regulations or not intended for the individual 
  4. Accessing any data, system or technology in a manner that adversely affects the availability or security of Computing & Network Resources or institutional data. 
  5. Development or introduction of malicious programs or files into Computing & Network Resources (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.), or uploading files that the user has reason to believe contain a virus or corrupted data.  
  6. Developing or executing programs that could harass others, infiltrate the system, or damage or alter the components of the system.  
  7. Threatening, harassing, intimidating or otherwise violating the legal rights of others.  
  8. Developing, publishing, posting, collecting, distributing or disseminating defamatory, infringing, obscene, unlawful, or other inappropriate material or information.  
  9. Using Computing & Network Resources for monetary gain or for commercial purposes that are not directly related to NEIT business or educational programs.  
  10. Copying, uploading, sending copies, or falsifying the source or origin of documents, software programs or other materials in violation of copyright laws.  
  11. Deleting any author attributions, legal notices or proprietary designations or labels in a file in violation of copyright laws. (Software programs are protected by Section 117 of the 1976 Copyright Act. Unless they have written the program themselves, users do not have the right to make and distribute copies of programs without specific permission of the copyright holder.)  
  12. Excessively using Computing & Network Resources (e.g., tying up resources through game playing or other trivial applications; sending frivolous or excessive mail, including chain mail; downloading video, audio, etc.; or printing excessive copies of documents, files, images, or data).  
  13. Physically abusing any Computing & Network Resources computing equipment or supplies. (Incidences will be reported to Public Safety and to the appropriate administrative office.)  
  14. Downloading or use of unapproved software, technology or systems; Instant Messaging; or Chat Services on Computing & Network Resources without prior approval of the DOTS Information Security Team.  
  15. Removing endpoints containing sensitive or proprietary data or information, from campus without authorization.   
  16. Using personal or external accounts to conduct NEIT business. NEIT business must be conducted using NEIT accounts. 

NEIT Access, Inspection and Disclosure of Computing & Network Resources 

  1. NEIT reserves the right to access, inspect and disclose the contents of Computing & Network Resources as deemed necessary in its sole discretion without consent of the user.  
  2. To the extent permitted by law, NEIT reserves the right to access and disclose the contents of faculty, staff, students’, and other users’ electronic mail without the consent of the user.  
  3. Faculty, staff, students and other users are advised that NEIT’s Computing & Network Resources should be treated like a shared filing system, i.e., with the expectation that communications sent or received with the use of NEIT resources may be made available for review by any authorized NEIT official for purposes related to NEIT business.  
  4. Electronic mail and other data of students may constitute “education records” subject to the provisions of the federal statute known as the Family Educational Rights and Privacy Act of 1974 (FERPA). NEIT may access, inspect, and disclose such records under conditions that are set forth in the statute.  
  5. Any user of NEIT’s Computing & Network Resources who makes use of an encryption device or other means to restrict or inhibit access to institutional data must provide access to such institutional data when requested to do so under appropriate NEIT authority.  
  6. Limitations on Disclosure and Use of Information Obtained: NEIT may, in its sole discretion, disclose the information contained in NEIT’s Computing & Network Resources to the extent permitted by law, without permission of the user.  

Authentication Policy 

  1. All passwords must be managed by single sign-on (SSO). Users will not be allowed to change passwords in Windows or in Web for Students/Faculty.    
  2. Passwords must meet the following requirements: 
    1. Minimum length of 14 characters 
    2. Must be changed on an annual basis and whenever suspected of being compromised 
    3. Must contain three of the following: 
      1. Upper case letters 
      2. Lower case letters 
      3. Numbers 
      4. Symbols 
    4. Must not 
      1. Match any of the previous 5 passwords 
      2. Contain any part of the username 
      3. Contain dictionary or easily guessable words 
      4. Contain any part of a previously compromised password 
      5. Match or use part of passwords used outside of NEIT 
  3. Passwords must not be shared with ANYONE. Users cannot under any circumstance give their password to students, employees, contractors or temporary workers.   No DOTS employee will ever ask a user for their password; users must not share their password with anyone who asks for it, including DOTS. 
  4. Passwords must never be written down or stored digitally in an insecure manner (e.g. Word, Excel or text files).  Passwords stored digitally must be kept in a password manager.  The Help Desk can assist with setting up a password manager.   
  5. Passwords must never be sent through email.  
  6. Users must answer security questions with legitimate answers - Users should not make up answers because they may need to use the answers later to unlock accounts. Users must not use the same or similar passwords for NEIT accounts that they use for personal accounts such as banking, online shopping, social media, etc. 
  7. Users must use a unique password for each system not integrated with single sign-on.  
  8. Multi-factor authentication is required for the following: 
    1. All NEIT Email. 
    2. Remote access to NEIT’s campus network. 
    3. Other systems, technologies and data as determined by the ISA. 
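The composition, history and reuse rules in items 2 and 7 above are the kind of thing a provisioning system or help desk tool should check mechanically rather than by eye. The following is an added example written for this page, not NEIT’s or DOTS’s own code; it encodes the stated values (14 characters, three of four character classes, no match against the previous five passwords) and treats “any part of” a username or compromised password as a case-insensitive run of four or more characters, which is an assumption the policy does not state. The sample username, password history, breach list and dictionary are constructed for the demonstration; previous passwords are kept only as salted PBKDF2 digests so the history check never needs plaintext.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Values taken from the Authentication Policy above.
MIN_LENGTH = 14      # minimum length of 14 characters
MIN_CLASSES = 3      # three of: upper case, lower case, numbers, symbols
HISTORY_DEPTH = 5    # must not match any of the previous 5 passwords
# Assumption (not stated in the policy): "any part of" a username or a
# compromised password means a case-insensitive run of 4 or more characters.
MIN_FRAGMENT = 4

CHARACTER_CLASSES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) pairs are retained for
    old passwords, so the history check never touches plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """history is oldest-first (assumption); only the newest HISTORY_DEPTH entries count."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def shares_fragment(password: str, other: str) -> bool:
    """True if any MIN_FRAGMENT-character run of `other` occurs in `password`
    (case-insensitive). Values shorter than the fragment size must appear whole."""
    p, o = password.lower(), other.lower()
    if not o:
        return False
    if len(o) <= MIN_FRAGMENT:
        return o in p
    return any(o[i:i + MIN_FRAGMENT] in p for i in range(len(o) - MIN_FRAGMENT + 1))


def check_password(password: str, username: str, history: List[Tuple[bytes, bytes]],
                   compromised: List[str], dictionary: List[str]) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 14 characters")
    if sum(1 for rx in CHARACTER_CLASSES if rx.search(password)) < MIN_CLASSES:
        failures.append("fewer than three character classes")
    if shares_fragment(password, username):
        failures.append("contains part of the username")
    lowered = password.lower()
    if any(word in lowered for word in dictionary):
        failures.append("contains a dictionary word")
    if matches_history(password, history):
        failures.append("matches one of the previous 5 passwords")
    if any(shares_fragment(password, old) for old in compromised):
        failures.append("contains part of a previously compromised password")
    return failures


# Constructed sample data for a stand-alone run (fictional account, not real breach data).
SAMPLE_USERNAME = "jsmith"
SAMPLE_HISTORY = [hash_password(p) for p in ("Winter-Is-Coming-2022", "CorrectHorse-Battery9")]
SAMPLE_COMPROMISED = ["Summer2023!"]   # stands in for a plaintext breach corpus feed
SAMPLE_DICTIONARY = ["password", "welcome", "neit", "qwerty"]


def evaluate(password: str) -> List[str]:
    """Check a candidate against the constructed sample account."""
    return check_password(password, SAMPLE_USERNAME, SAMPLE_HISTORY,
                          SAMPLE_COMPROMISED, SAMPLE_DICTIONARY)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3-Gull-Xy", "jsmithPassword1!",
                      "CorrectHorse-Battery9", "Summer2023!Xyz"):
        print(candidate, "->", evaluate(candidate) or "accepted")
```

A real deployment would source the dictionary and compromised lists from a breach corpus and the history from the identity provider; the rule in item 2.4.5 (no overlap with passwords used outside NEIT) cannot be checked by the institution at all and remains a user obligation.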

Asset/Device Security 

  1. All computers accessing NEIT’s Computing & Network Resources must be running active, up to date malware protection.  Enterprise endpoints must use NEIT’s enterprise managed antivirus installed in managed mode. 
    1. Malware protection must be enabled at all times. 
    2. Files must be scanned on access. 
  2. All computers accessing NEIT’s Computing & Network Resources must be running a currently supported operating system. 
  3. Assets/Devices which store, process, transmit or access institutional data not classified as public must be protected to prevent unauthorized access.   
    1. Automatic screen locking mechanisms which require the use of a PIN, password or other form of authentication must be configured. 
    2. Mobile devices must be encrypted 
    3. Computers should be encrypted and use host based firewalls where possible 
    4. Mobile devices must not be “rooted”, “jailbroken” or have other similar security bypasses in place 
  4. Unused and unnecessary software must be removed from enterprise assets/devices. 
  5. All software must be approved for use.  DOTS may prohibit use or installation of software on enterprise assets/devices. 
  6. Theft or loss of any asset/device which stores, processes, transmits or accesses institutional data not classified as public must immediately be reported to DOTS. 
  7. Use physical security devices to lock down computers that are in public or otherwise unsecured spaces. Laptops must not be stored overnight or for long periods of time in vehicles. When traveling, laptops must be kept out of sight (e.g. in the trunk). 

Bring Your Own Device (BYOD) 

Restrictions, Risks, Liabilities and Disclaimers 

  1. Use of BYOD Network Devices is not permitted on any NEIT campus.  Unmanaged or “dumb” switches may be used only in Residence Halls. 
  2. Microphone and Voice enabled BYOD devices are only permitted in Residence Hall residence rooms. 
  3. Operating any BYOD device in a manner which bridges or extends NEIT’s network is prohibited.   
  4. NEIT is not responsible for the maintenance, backup or loss of data on a BYOD device. 
  5. NEIT is not responsible for the security of BYOD devices connected to NEIT’s campus network or systems 
  6. NEIT is not responsible for the loss, theft or damage of BYOD devices.  This includes when a BYOD device is used for academic or business activities. 
  7. NEIT may require the installation of mobile device management or other management agents on BYOD devices used for conducting NEIT business. 
  8. Institutional data must only be stored, processed, transmitted or accessed via a BYOD device when necessary to perform job duties. 
  9. NEIT reserves the right to inspect BYOD devices used for business purposes for institutional data or other information. 
  10. NEIT may wipe or destroy institutional data stored on BYOD devices used for business purposes.  While NEIT will make efforts to prevent loss of personal data, it cannot guarantee that personal data will not be lost.    
  11. NEIT reserves the right to disconnect/disable access to any BYOD device without notification. 
  12. NEIT reserves the right to review or retain personal and NEIT-related data on personal devices or to release the data to government agencies or third parties during an investigation or litigation. 

Remote Access 

  1. All individuals and machines connected remotely to NEIT’s Computing & Network Resources are subject to NEIT’s Written Information Security Policy. 
  2. Only approved remote access technologies are permitted.  All remote access technologies must be evaluated and approved by the ISA prior to use.    
  3. Users are required to disconnect remote access technologies when not in use.  
  4. Secure remote access must be strictly controlled with strong encryption (e.g., Virtual Private Networks (VPNs)) and strong pass-phrases.  
  5. Authorized Users shall protect their login and password, even from family members.  
  6. Individuals are required to report the loss or theft of a device with VPN access installed immediately.  
  7. Individuals are not permitted to remotely access another individual’s system unless they are required to do so in performing their job or supporting/conducting academic activities.  
  8. The use of remote support tools such as GoToAssist, LogMeIn Rescue, Bomgar, etc. is permitted only when receiving external support from a vendor/manufacturer.  Establishment of permanent or unattended access through these technologies is prohibited.  
  9. Students are only permitted Virtual Desktop Infrastructure (VDI) access to lab systems.  Students are not permitted use of VPN or other remote access technologies for access to NEIT internal networks.  
  10. Remote access to NEIT’s systems must be protected using multi-factor authentication. 

Data Classification and Governance 

Classification Levels 

  1. Public – Public data is institutional data that is intended for public use and has no access or management restrictions. 
  2. Internal - Internal data is institutional data used to conduct university business and operations. It may only be accessed and managed by users whose role, function, or assignment requires it. Unless otherwise indicated, internal is the default level for institutional data.  
  3. Private - Private data is institutional data classified as private due to legal, regulatory, administrative, or contractual requirements; intellectual property or ethical considerations; strategic or proprietary value; and/or other special governance of such data. Access to and management of private data requires authorization and is only granted to those users as permitted under applicable law, regulation, contract, rule, policy, and/or role.  
  4. Restricted - Restricted data is institutional data that requires the highest level of protection due to legal, regulatory, administrative, contractual, rule, or policy requirements. Access to and management of restricted data is strictly limited as unauthorized use or disclosure could substantially or materially impact the university’s mission, operations, reputation, finances, or result in potential identity theft.  

Data Types and Classifications 

Data types and classifications can be found in the NEIT Data Classification Standard.

Data Collections

Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student’s name, address and social security number, the data collection should be classified as Private even though the student’s name and address may be considered Public information.  

Data Handling  

  1. Data classified as Public is permitted to be stored and transmitted freely both electronically and in hard copy.  Data transmitted in email and over public networks (Internet) does not need to be encrypted.  
  2. Data classified as Internal, Private or Restricted must only be captured, created, processed, transmitted or stored via DOTS approved technologies, systems or applications. 
    1. Electronic data classified as Internal or Private must be protected from disclosure to unauthorized parties when being transmitted over networks.  This is commonly achieved using encrypted communication methods.  Data transmitted in email destined for any external recipient (those without an @neit.edu or @email.neit.edu email address) must use NEIT’s encrypted email solution. 
    2. Data classified as Restricted is not permitted to be captured, transmitted or stored electronically in email.  Other electronic storage locations must be approved by DOTS.  Hard copies must be kept to a minimum and secured in locations with restricted access.  
    3. Storing of credit card information is strictly prohibited. 
  3. Any data that is classified as Internal, Private or Restricted that is received via an insecure method, must be protected in any response or forwarding of the information.  For instance, a SSN in the body of an email received by NEIT must be removed or encrypted when responding. 
    1. Users are not permitted to request information in a manner which is insecure. 
  4. Data classified as Internal, Private or Restricted are not permitted to be stored in personal/non-NEIT accounts, cloud storage or similar technologies. 
  5. Propagation and duplication of data must be kept to a minimum and performed only as needed. 
    1. Storing of Internal, Private or Restricted data on removable media must only be performed as needed and must be securely deleted when no longer needed.  Removable media should be encrypted. 
  6. Data must not be solely stored on endpoints (computers and mobile devices) unless the endpoint is backed up via a DOTS approved method.  
  7. Email is not to be used as a storage method for institutional data. 
  8. Institutional Data must be returned to NEIT and removed from non-NEIT systems upon departure from NEIT. 
  9. Requests for data deletion must be handled by DOTS.  Contact [email protected] for more information. 
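Item 3 above requires that a Social Security number arriving in the body of an insecurely sent email be removed or encrypted before the message is answered or forwarded. Mail clients quote the original message under the reply by default, so the protective step is to scrub the quoted text. The following is an added example written for this page, not NEIT’s or DOTS’s own code: it finds SSNs in the common dashed, spaced and unseparated forms, applies the Social Security Administration’s never-issued ranges (area 000, 666 and 900-999, group 00, serial 0000) to avoid redacting order and account numbers, and reports how many values it removed so the caller can decide whether the encrypted email solution is needed for the rest. The sample message is constructed with fictional numbers.

```python
import re
from typing import Callable, Tuple

# Matches ###-##-####, ### ## #### or ######### as a stand-alone token. The
# look-arounds stop it from matching inside longer digit runs (phone numbers,
# account IDs) or alphanumeric identifiers.
SSN_PATTERN = re.compile(r"(?<![\w-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\w-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000.
    Rejecting those cuts false positives on order numbers and similar values."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact_ssns(text: str, placeholder: str = "[SSN removed]") -> Tuple[str, int]:
    """Replace every plausible SSN in text; return (cleaned_text, number_removed)."""
    count = 0

    def _replace(match: "re.Match") -> str:
        nonlocal count
        if is_plausible_ssn(*match.groups()):
            count += 1
            return placeholder
        return match.group(0)  # leave implausible values untouched

    return SSN_PATTERN.sub(_replace, text), count


def build_reply(original_body: str, reply_text: str) -> Tuple[str, int]:
    """Assemble a reply that quotes the incoming message with SSNs stripped
    from the quoted part. Returns (reply_body, number_removed)."""
    cleaned, count = redact_ssns(original_body)
    quoted = "\n".join("> " + line for line in cleaned.splitlines())
    return reply_text + "\n\n" + quoted, count


# Constructed sample message with fictional numbers (not a real email).
SAMPLE_BODY = (
    "Hello,\n"
    "Please update my record. My SSN is 123-45-6789 and my phone is 401-555-1234.\n"
    "Order reference 000-12-3456 is unrelated.\n"
    "Thanks"
)

if __name__ == "__main__":
    body, removed = build_reply(SAMPLE_BODY, "Received, thank you. We will follow up by phone.")
    print(f"{removed} SSN(s) removed from the quoted message:\n{body}")
```

The regular expression deliberately does not try to catch every obfuscation a sender might use; anything the scrubber misses is still covered by the rule that the reply itself must go through the encrypted email solution when it carries Internal, Private or Restricted data.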

Data Retention 

All data retention, electronic or hard copy, must comply with 6.2 RECORD RETENTION AND DISPOSAL POLICY posted on Technet. 

Data Destruction 

  1. All data destruction, electronic or hard copy, must comply with data retention requirements. 
  2. All media containing data classified entirely as Public can be disposed of using any method. 
  3. All media containing data classified as Internal, Private or Restricted must be destroyed using industry accepted standards which prevent re-assembly of the data. 

Information Security Incident Response Management 

Information security incident response is the set of activities taken to plan for, detect and correct the impact of an information security incident.  An information security incident is: 

  1. An event that suggests a violation of NEIT’s information security policies or posture has occurred or is likely to occur. 
  2. An event which impacts one or more information assets and poses a clear threat to the confidentiality, integrity or availability of information resources. 

The ISA will organize an incident response team which will include those individuals who must be present to handle the systems and functional areas that can minimize the impact of an incident as it occurs.   

  1. NEIT’s Information Security Incident Response Management will complement NEIT’s Emergency Preparedness and Response Plan. 
  2. All members of the NEIT community are required to promptly report any suspected or confirmed information security incident involving NEIT or associated information systems to the Help Desk, Information Security Architect or CIO.  Events reported to the Help Desk will be escalated to the ISA/CIO. 
  3. The ISA/CIO are responsible for evaluating potential incidents to determine if an information security incident has occurred. 
  4. The ISA is responsible for coordinating all technical and forensic efforts. 
  5. The incident response team is responsible for recovery, containment and remediation efforts.  Members of the NEIT community must cooperate with incident investigations and may not interfere, obstruct, prevent, retaliate against or dissuade others from reporting an incident or cooperating with an investigation.
  6. During incident investigations, DOTS is authorized to monitor relevant resources and retrieve information without notice or further approval including confiscating or disconnecting equipment. 
  7. Any external disclosure of information must be reviewed and approved in writing by the ISA, CIO and legal counsel before being shared externally. 
    1. Responsibilities for communicating with external parties will follow the “Individual Responsibilities” section defined in NEIT’s Emergency Preparedness and Response Plan.

Business Policies

Applies to all users of NEIT’s computing and network resources working in a business capacity for NEIT including but not limited to faculty, staff, service providers, vendors, contractors, volunteers and students employed by NEIT. 

Asset Management 

  1. All NEIT owned or leased software products must be inventoried by DOTS. 
  2. All network infrastructure and data center hardware must be inventoried by DOTS. 
  3. All devices which capture payment card data via direct physical interaction must be inventoried by DOTS. 
  4. All asset inventories must be updated at a minimum of an annual basis. 

Vulnerability Management 

DOTS will document, implement and maintain a vulnerability management program including a list of assets to be scanned.  DOTS staff will coordinate vulnerability remediation/mitigation with service providers, system administrators and other appropriate individuals.   

  1. Changes to core infrastructure, systems or applications must be tested and validated in a non-production environment and/or against a pilot group of systems before being deployed to production. 
  2. End-of-life and end-of-support systems must be replaced or retired.  Those which cannot feasibly be replaced or retired must have additional security controls put in place.  These controls must be approved by the ISA. 
  3. All system components and software shall be protected from known vulnerabilities by installing applicable vendor-supplied security patches on a regular schedule.  The patching schedule will be determined by a variety of factors but should meet the following guidelines wherever possible. 
    1. Out-of-band and emergency patches will be evaluated on a per-case basis. 
    2. Critical and security updates and patches shall be installed within 30 days. 
    3. High and medium severity patches shall be installed within 120 days. 
    4. All other patches will be evaluated and installed on a per-case basis. 

Vendor Management 

  1. All vendor contracts for services or products that create, maintain, store, access, process or transmit institutional data (new and renewals) must be reviewed and approved by DOTS and NEIT Legal Counsel prior to being executed by NEIT. 
  2. Vendor contracts must include cybersecurity language/stipulations pertaining to the processing and storing of institutional data. 
  3. Vendor contracts must include a breach notification clause. 
  4. Vendor contracts must have a backout clause pertaining to cybersecurity incidents and breaches. 
  5. All vendor relationships must have a non-disclosure agreement. 
  6. Service provider SOC reports must be reviewed prior to engaging in a contract. 
  7. Service level agreements and other contractual obligations must be reviewed for failures and considered when renewing contracts. 

System/Technology Acquisition 

DOTS must evaluate and approve all potential systems or technologies for security and due diligence prior to purchase (for paid systems/technologies) or prior to implementation (for free/open-source systems/technologies). 

User Access Control 

  1. DOTS will establish standards, procedures and guidance for user account moves, adds, changes and deletion. 
    1. DOTS and system administrators must be notified of all changes in employment. 
    2. Notifications must be provided 48 business hours prior to the effective date of the change.  Any notification sent with less than 48 hours' notice will be handled on a best-effort basis. 
    3. Termination notifications must be sent immediately. 
  2. DOTS will establish standards, procedures and guidance for user account permission management. 
  3. The principle of least privilege must be used when granting permissions.  Users must only be granted access to the systems and institutional data that are needed to perform their duties. 
  4. User accounts dormant for more than 180 days must be disabled.  Managerial approval is required to re-activate dormant accounts. 
  5. The use of generic/unnamed accounts is not permitted.  Service accounts must be registered with DOTS prior to being placed into use.  Exceptions must be approved in writing by the ISA. 

Physical and Environmental Security 

  1. Network and systems infrastructure must be physically secured from tampering or theft. 
    1. Doors must remain closed and locked at all times.  Doors must not be propped open or left unlocked when unattended. 
    2. Physical access by visitors, including vendors/contractors, must be approved by DOTS before access is granted. 
    3. Access to these locations must be logged. 
    4. Power protection devices must be used.  Primary data centers must have generator backup. 
    5. Critical network and systems locations must have protection for temperature and humidity. 
    6. Appropriate fire suppression technologies must be used. 
  2. Storage locations for sensitive institutional data must be physically secured from tampering or theft. 
    1. Doors must remain closed and locked at all times.  Doors must not be propped open or left unlocked when unattended. 
    2. Physical access by visitors, including vendors/contractors, must be approved by the Data Steward before access is granted.   
    3. Access to these locations must be logged. 
    4. Appropriate fire suppression technologies must be used. 
  3. All visitors must present valid ID and sign in/out prior to accessing secured areas.  Visitors must be escorted in these areas and are not to be left unattended in secured areas. 

Network Threat Protection 

  1. Firewalls and intrusion detection/prevention technologies must be installed at the boundary between NEIT’s campus network and any public network (i.e. the Internet). 
  2. All perimeter firewalls must be managed by DOTS. 
  3. DOTS is responsible for the security and architecture of NEIT’s network threat protection systems. 
  4. Network segmentation must be used to compartmentalize systems and data. 
  5. Managed Secure Domain Name System (DNS) must be used on internal network segments and NEIT’s campus network. 

Security Awareness Training 

  1. DOTS will establish and maintain a security awareness training program. 
  2. All NEIT employees are required to complete basic security training. 
  3. System administrators may be required to complete additional security training. 
  4. Users with access to regulated/protected information may be required to complete additional security training. 
  5. All employees are required to review and acknowledge the NEIT WISP at the following events/intervals: 
    1. Hire (new and returning). 
    2. Whenever changes are made to the WISP, or annually, whichever comes first. 
  6. Staff who regularly perform information security roles must be provided with resources necessary to stay abreast of current information security threats, technologies and trends. 

Configuration Management 

DOTS will develop configuration management standards which must be adhered to when: 

  1. Implementing new systems or technologies 
  2. Making changes to systems or technologies 

Backup Policy 

DOTS will develop backup standards which must be adhered to.  DOTS is solely responsible for managing backups of institutional data. 

Change Management 

DOTS will develop change management standards, processes and procedures.  A Change is the transition of an identifiable infrastructure component or service (whether hardware or software) from one defined configuration state to another. Examples include configuration changes, patches, hardware updates, O/S and application upgrades.   

  1. DOTS is solely responsible for change management oversight. 
  2. All standards, processes and procedures must be adhered to by everyone, including third parties. 

Log and Event Management 

DOTS will establish standards, processes and guidelines for the configuration and management of logs and events.  Information system audit logs must be retained for one year, or for a different period where business requirements dictate. Audit logs that have exceeded their retention period should be destroyed.