Information Security Program Plan

Guiding Principles:
The Baylor Information Technology Services (ITS) Information Security Group is committed to excellence in ensuring the confidentiality, integrity, and availability of the university's information assets in order to enable the academic, research, and operational business of the university.

Information Security staff work closely with ITS colleagues, campus academic and administrative departments, and individual faculty and staff members to maintain and enforce effective policies, compliance, guidelines, and procedures to protect the university's network, information, and technology assets.

Plan contact and responsible officer:
Jon Allen, Assistant Vice President and Chief Information Security Officer

Reporting Structure:
The ITS Information Security Group reports to the Chief Information Officer through the Deputy Chief Information Officer.

Scope:
This Information Security Program Plan applies to all faculty, staff, students, auxiliary staff, and any other persons with access to Baylor University electronic information and technology resources.

Applicable Policies and Guidelines:
BU-PP-025 Technology Systems Usage Policy
Information Use Policy
Network Usage Policies
Server Security Policy
Password Policies
Incident Response Policy

Information Security at Baylor University

Digital & Physical Access Control

  • Baylor utilizes a commercial identity management system to ensure that access to university resources is de-provisioned appropriately at separation. The system supports a request and approval process for university ERP access authorization based on approved university guidelines.
  • Functional user departments perform an annual review of access authorization to university ERP systems under the supervision of the university internal audit department.
  • VPN access is secured with two-factor authentication (www.duo.com/).
  • VPN, with the two-factor authentication, is required for access to critical university data resources from outside the campus primary wired network, including through the campus Wi-Fi network (AirBear).
  • Visitors to the Information Technology Services data center must be sponsored, logged in, badged, and accompanied by appropriate ITS staff members.
  • Single sign-on credentials are used for accessing most university resources, minimizing the number of username/password combinations constituents must maintain.
  • University-owned devices are deployed with password-protected inactivity timeouts. Users are encouraged to lock their systems proactively before stepping away from them.

Identification and Authentication

  • Shibboleth authentication through the InCommon Federation is the university standard for cloud services.
  • Duo two-factor authentication is deployed for the most sensitive data access with plans for expansion to additional critical university technology services.
  • Strong passwords are enforced, with a forced change every 180 days and no reuse of any of the last four passwords.
  • Potential account compromises are identified using internal systems and external notifications. Affected accounts are disabled until their passwords are reset.
  • Users are required to set a mobile passcode at the time their device is deployed.

Awareness and Training

  • The ITS Information Security awareness program is branded as BearAware.
  • The BearAware website (www.baylor.edu/its/bearaware) is updated with news and information about information security best practices, university security policies and requirements, and general cyber security threats.
  • The BearAware program includes use of social media (Twitter, Facebook) to increase awareness and reach constituents.
  • Planned BearAware Bulletins are sent via email throughout the year to provide information on information security issues and trends. (www.baylor.edu/its/index.php?id=60337)
  • BearAware Alerts are sent via email as needed to address immediate campus information security issues. (www.baylor.edu/its/index.php?id=60337)
  • The ITS Information Security section leads the university’s observance of National Cyber Security Awareness Month each October with special events and unique marketing campaigns.
  • A BearAware table is staffed at summer new student orientation sessions and provides campus information security information to incoming students and their parents.
  • The Chief Information Security Officer leads a Security Working Group composed of key campus IT staff members to discuss security-related issues and to disseminate security information and deploy resulting measures.
  • The Chief Information Security Officer is a key participant in new faculty and new staff orientation sessions.
  • The Chief Information Security Officer provides ad hoc information security presentations throughout the year to various campus committees and working groups such as the Academic Technology Directors, the Libraries & ITS Advisory Council, and the university’s Executive Council.

Configuration & Systems Management & Maintenance

  • A standard configuration that includes active anti-virus software is deployed on all university-owned desktop and laptop computers.
  • Patches and upgrades for installed OS and software on university-owned computers are tested and pushed in a timely manner.
  • Critical security updates and patches to essential applications (e.g., Java, Oracle) are given immediate priority.
  • The university uses a centralized asset management system for university-owned computers that supports system patching and compliance checks.
  • Vulnerability scanning is conducted to audit compliance with configuration standards and patching levels.
  • System activity is logged to monitor for security incidents.

Data Protection

  • CrashPlan backup software is deployed on all university-owned primary computers to safeguard university data.
  • The Box cloud file service is licensed for all faculty, staff, and students for encrypted, authenticated file storage.
  • A data classification guide, created by ITS Information Security, is maintained and used in technology evaluations and requirements.
  • Hard drives of computers returned to ITS are sanitized to NIST media-sanitization requirements before recycling or donation.
  • A data loss prevention application is deployed on university-owned computers that access sensitive and/or confidential data.
  • Proposed new technologies undergo information security, infrastructure fit, and legal reviews to protect the integrity and ownership of university data.

Audit, Assessment & Risk Management

  • A comprehensive bi-annual third-party security audit is contracted by ITS Information Security.
  • All proposed new technologies and services are reviewed by information security staff members before contract approval and signature.
  • Technology-related PCI compliance efforts include an isolated PCI network, selective deployment of thin-client workstations, participation in the university’s Payment Card Operations committee, and consistent use of the TouchNet payment gateway by all applications and services that accept online payments.
  • ITS Information Security, IT Infrastructure, and Information Systems & Services are participants in the university enterprise risk process to align information risks with overall institutional risks.
Updated February 9, 2017