WISP2.0CHANGE-LOG

NEIT WISP 2.0 Change Log

The purpose of this document is to provide users with a summary of changes in version 2.0 of NEIT’s WISP. While this document provides an overview of the changes, exact details may not be included. In the case of any conflicting statements, NEIT’s WISP will supersede this document.

General/Global Changes

Replaced references to specific technologies/systems with generic terms in line with best practices.
Consolidated definitions from other parts of the document to the definitions section
Removed, consolidated or adjusted redundant/unnecessary elements
Consolidated similar statements/elements to their appropriate section
Removed elements which:
1. Change more often than the WISP lifecycle. i.e. changes more frequent than once per year.
2. Do or should not require the full review/approval process of NEIT’s WISP lifecycle.
Adjusted main policy section headers and added scope statements.
1. Renamed “Policy Elements Applying to Everyone” to “Institution Wide Policies”
  1. Applies to all users of NEIT’s computing and network resources including but not limited to students, faculty, and staff, service providers, vendors and contractors.
2. Renamed “Policy Elements Applying to Everyone EXCEPT students” to “Business Policies”
  1. Applies to all users of NEIT’s computing and network resources working in a business capacity for NEIT including but not limited to faculty, staff, service providers, vendors, contractors, volunteers and students employed by NEIT.

Information Security Policy Overview

Adjusted purpose and scope sections.
Added additional roles and responsibilities:
1. NEIT users (including students) are responsible for:
  1. Protecting data they encounter from unauthorized disclosure, use, modification and deletion
2. The Chief Information Officer is responsible for:
  1. Acting as NEIT’s Qualified Individual as required by GLBA compliance.
3. The Executive Committee is responsible for:
  1. Supporting and enforcing security operations including adequate funding, training and staffing
4. DOTS Security Team is responsible for
  1. Developing security baselines and guidelines
  2. Auditing and assessing posture and compliance with governance, regulation and compliance as well as NEIT policies and procedures
5. System Administrators are responsible for:
  1. Managing vendor relationships
Adjusted existing roles and responsibilities
1. BYOD Owners are responsible for
  1. The operation, privacy and security of their assets/devices
  2. Keeping BYOD assets/devices up to date with critical and security patches
  3. Any operation, privacy or security issues associated with their assets/devices
2. The Chief Information Officer is responsible for:
  1. Coordinating the development and maintenance of NEIT’s Information Security Program.
3. System Administrators are responsible for:
  1. Controlling and monitoring access to the data, systems, and applications they administer
4. Added “third-parties” to the vendors, contractors and service providers responsibilities
Changed WISP lifecycle process so that the new Security Management Team reviews the WISP draft in place of DOTS staff.
Moved and adjusted the scope of the disciplinary action statement so that it applies to the entire WISP instead of only the AUP.

Institution Wide Policy Changes

Acceptable Usage Policy

Re-ordered items for better grouping
Adjusted “Prohibited Uses of NEIT’s Computing & Network Resources”
1. Breaching, tampering with or circumventing security controls; or attempting unauthorized access to computing & network resources or institutional data.
2. Accessing any data, system or technology in a manner that adversely affects the availability or security of Computing & Network Resources or institutional data.
3. Developing, publishing, posting, collecting, distributing or disseminating defamatory, infringing, obscene, unlawful or other inappropriate material of information.
4. Using Computing & Network Resources for monetary gain or for commercial purposes that are not directly related to NEIT business or educational programs.
5. Copying, uploading, sending copies or falsifying the source or origin of documents, software programs or other materials in violation of copyright laws.
6. Downloading or use of unapproved software technologies or systems; Instant Messaging; or Chat Services on Computing & network resources without approval of the DOTS Information Security Team.
7. Removing endpoints containing sensitive data or information from campus without authorization.
8. Use of personal or external account to conduct NEIT business is strictly prohibited. NEIT business must be conducted using NEIT accounts.
Adjusted “NEIT Access, Inspection and Disclosure of Computing & Network Resources”
1. Any user of NEIT’s Computing & Network Resources who makes use of an encryption device or other means to restrict or inhibit access to institutional data must provide access to such institutional data when requested to do so under appropriate NEIT authority.

Authentication Policy

Consolidated and adjusted password requirements.
1. Password must now be changed on an annual basis or when suspected of being compromised.
2. Passwords must not contain any part of a previously compromised password
Added new elements
1. Multi-actor authentication is required for the following:
  1. Other systems, technologies and data as determined by the ISA.
Adjusted existing elements
1. Passwords must not be shared with ANYONE. Users cannot under any circumstance give their password to students, employees, contractors or temporary workers.   No DOTS employee should ever ask a user for their password; users should not be asked to share passwords with DoTS and they should not share passwords with anyone if they are asked include DOTS.
2. Passwords must never be written down or stored electronically in an unsecure method (i.e. word, excel, text files). Passwords stored digitally must make use of a password manager. The Help Desk can assist with setting up a password manager.
3. Passwords must never be sent through email. Sending of passwords though email is not permitted.

Asset/Device Security

Changed the section title from Endpoint security to better align with technologies in use at NEIT.
Added new elements
1. Requirements for assets/device which store, process, transmit or access institutional data not classified as public.
  1. Mobile devices must be encrypted
  2. Computers should be encrypted
  3. Mobile devices must not be “rooted”, “jail broken” or have other similar security bypasses in place
2. Unused and unnecessary software must be removed from enterprise assets/devices.
3. All software must be approved for use. DOTS may prohibit use or installation of software on enterprise assets/devices.
4. Theft or loss of any asset/device which stores, processes, transmits or accesses institutional data not classified as public must immediately be reported to DOTS.

Bring Your Own Device

Corrected typo in heading

Remote Access

Adjusted existing elements
1. All individuals and machines connected remotely to NEIT’s Computing & Network Resources are subject to NEIT’s Written Information Security Policy.
2. Changed remote access technology review and approval from DOTS to the ISA.

Data Classification and Governance

Moved Data Types and Classifications to a separate document. These can change more often than an annual basis.
Changes to Data Handing
1. Added new elements
  1. Propagation and duplication of data must be kept to a minimum and performed only as needed.
    1. Storing of Internal, Private or Restricted data on removable media must only be performed as needed and must be securely deleted when no longer needed. Removable media should be encrypted.
  2. Email is not to be used as a storage method for institutional data.
  3. Institutional Data must be returned to NEIT and removed from non-NEIT systems upon departure from NEIT.
  4. Requests for data deletion must be handled by DOTS. Contact [email protected] for more information.
2. Adjusted existing elements
  1. Electronic data classified as Internal or Private must be protected from disclosure to unauthorized parties when being transmitted over networks.
  2. Data classified as Internal, Private or Restricted are not permitted to be stored in personal/non-NEIT accounts, cloud storage or similar technologies.
Changes to Data Destruction
1. Adjusted existing elements
  1. All data destruction, electronic or hard copy, must comply with data retention requirements.
  2. All media containing data classified entirely as Public can be disposed of using any method.
  3. All media containing data classified as Internal, Private or Restricted must be destroyed using industry accepted standards which prevent re-assembly of the data.

Information Security Incident Response Management

Moved Incident Response Plan elements to NEIT’s new Incidence Response Plan
Added new elements
1. All members of the NEIT community are required to promptly report any suspected or confirmed information security incident involving NEIT or associated information systems to the Help Desk, Information Security Architect or CIO. Events reported to the Help Desk will be escalated to the ISA/CIO.
2. The incident response team is responsible for recovery, containment and remediation efforts. Members of the NEIT community must cooperate with incident investigations and may not interfere, obstruct, prevent, retaliate against or dissuade others from reporting an incident or cooperating with an investigation.
3. During incident investigations, DOTS is authorized to monitor relevant resources and retrieve information without notice or further approval including confiscating or disconnecting equipment.
4. Any external disclosure of information must be reviewed and approved in writing by the ISA, CIO and legal counsel before being shared externally.
  1. Responsibilities for communicating with external parties will follow the “Individual Responsibilities” section defined in NEIT’s Emergency Preparedness and Response Plan
Adjusted existing elements
1. Changed responsible party for organizing the incident response team from DOTS to the ISA.
2. Adjusted statement with regards to NEIT’s Emergency Preparedness and Response Plan
  1. NEIT’s Information Security Incident Response Management will complement NEIT’s Emergency Preparedness and Response Plan.
3. Better defined Incident Response specific roles, responsibilities and authority.
  1. The ISA/CIO are responsible for evaluating potential incidents to determine if an information security incident has occurred.
  2. The ISA is responsible for coordinating all technical and forensic efforts.

Business Policy Changes

Asset Management

Adjusted policy based on current DOTS practices and capabilities.

Vulnerability Management

Changed verbiage by removing “and Patch” from “vulnerability and patch management”
Added new elements
1. Changes to core infrastructure, systems or applications must be tested in a non-production environment and/or a pilot group of systems before being deployed to production.
2. End of life end of support systems must be replaced or retired. Those which cannot be feasibly replaced or retired must have additional security controls put in place. These controls must be approved by the ISA.
Adjusted existing elements
1. Changes should be validated in a non-production environment or against a pilot group of systems.
2. Emergency patches will be evaluated on a per case basis.

User Access Control

Changed generic/unnamed account exception approval from the DOTS security team to the ISA.

Physical and Environmental Security

Added “and Environmental” to the title.
Added new elements
1. Network and systems infrastructure must be physically secured from tampering or theft.
  1. Access to these locations must be logged.
  2. Power protection devices must be used. Primary data centers must have generator backup.
  3. Critical network and systems locations must have protection for temperature and humidity.
  4. Appropriate fire suppression technologies must be used.
Adjusted existing elements
1. Network and systems infrastructure must be physically secured from tampering or theft.
  1. Physical access by visitors including vendors/contractors must be approved by DOTS prior to granting access.
2. Storage locations for sensitive institutional data must be physically secured from tampering or theft.
  1. Physical access by visitors including vendors/contractors must be approved by the Data Steward prior to granting access.

Security Awareness Training

Added new elements
1. Staff who regularly perform information security roles must be provided with resources necessary to stay abreast of current information security threats, technologies and trends.

Configuration Management

Moved “standards” based items to separate “standard” document
Added new elements
1. DOTS will develop configuration management standards which must be adhered to when:
  1. Implementing new systems or technologies
  2. Making changes to systems or technologies

Backup Policy

Moved “standards” based items to separate “standard” document
Added new elements
1. DOTS will develop backup standards which must be adhered to.

Change Management

Moved Change management process items to separate procedure document.
Added new elements
1. DOTS will develop change management standards, processes and procedures. A Change is the transition of an identifiable infrastructure component or service (whether hardware or software) from one defined configuration state to another. Examples include configuration changes, patches, hardware updates, O/S and application upgrades.
  1. DOTS is solely responsible for change management oversight.
  2. All standards, processes and procedures must be adhered to by everyone including third-parties.

Log and Event Management

Moved standards/guidelines based elements to separate document
Added new elements
1. DOTS will establish standards, processes and guidelines for the configuration and management of logs and events.
2. Information System audit logs must be retained for one year or otherwise based on business requirements. Audit logs that have exceeded this retention period should be destroyed.