URP: I.19.p Information System Integrity


STATEMENT OF PURPOSE
This document establishes the information integrity regulations and procedures. The purpose of these regulations and procedures is to manage Texas Woman’s University’s (TWU) risks from information system flaws and vulnerabilities, malicious code, unauthorized code changes, and inadequate error handling through the establishment of an information integrity program.


DEFINITIONS
Information System Integrity is the assurance that the information is trustworthy and accurate, and functioning in an operating system environment that is free of software conflicts.
Malicious Code is any part of a software system or script that is intended to cause undesired effects, security breaches, or damage to an information system.


SCOPE
These regulations and procedures apply to all information resources owned or operated by TWU. All users are responsible for adhering to this policy. Where needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.


REGULATIONS AND PROCEDURES
The State of Texas has chosen to adopt the principles established in the NIST SP 800-53 “System and Information Integrity” control family guidelines. The following subsections outline the system and information integrity standards that constitute TWU’s regulations and procedures.

SI-1 System and Information Integrity:
 Regulations:
▪ TWU must develop, adopt, or adhere to formal, documented information system integrity regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
 Procedures:
▪ The Office of Technology (OOT) will maintain information system integrity regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

SI-2 Flaw Remediation:
 Regulations:
▪ TWU must:
• Identify, report, and correct information system flaws;
• Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
• Install security-relevant software and firmware updates on a regular basis or when the Information Security Officer (ISO) deems necessary; and
• Incorporate flaw remediation into the University's configuration management process.
 Procedures:
▪ The OOT Security Team utilizes monitoring and information gathering systems to identify, track, report, and help correct any potential system flaws that may hinder system or information integrity.
▪ All information systems must be configured using the Operating System Configuration Guidelines document. Different monitoring and reporting methods or standards are utilized depending on system setup, use, and information accessed. System owners are responsible for maintaining and updating information systems that are not set up to auto-update.
▪ Owners of critical information systems must review infrastructure patches on a monthly basis and work with the appropriate system users to coordinate applying the patches.
▪ All information systems are scanned by OOT Security with vulnerability scanning software upon creation and are subject to additional scans for security flaws. Information systems containing or accessing sensitive information are scheduled to be scanned at regular intervals. Vulnerabilities are reported to the system administrator and the OOT Security Team to ensure steps are taken to remedy any potential vulnerabilities.

SI-3 Malicious Code Protection:
 Regulations:
▪ TWU must:
• Employ malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
• Update malicious code protection mechanisms whenever new releases are available; and
• Configure malicious code protection mechanisms to:
◦ Perform periodic scans of the information systems and real-time scans of files from external sources when delivered through email or as the files are downloaded, opened, or executed, in accordance with organizational security policy;
◦ Block malicious code; quarantine malicious code; send alerts to appropriate personnel; and
◦ Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
 Procedures:
▪ OOT utilizes various tools, systems, and techniques to protect against malicious code; these services are subject to change on the basis of TWU’s needs and service offerings.
▪ OOT malicious code protection systems perform periodic scans and real-time scans of files from external sources. External sources are real-time scanned when they are delivered through TWU’s email system or as the files are downloaded, opened, or executed.
▪ OOT malicious code protection systems block or quarantine malicious code and send alerts to the OOT Security Team to assess the potential risk and/or false positive detection.

SI-4 Information System Monitoring:
 Regulations:
▪ TWU must:
• Monitor information systems to detect attacks, indicators of potential attacks, and unauthorized local, network, and remote connections, on the basis of TWU’s needs and service offerings;
• Attempt to identify unauthorized use of the information systems;
• Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
• Heighten the level of information system monitoring activity whenever there is an indication of increased risk to University operations and assets, individuals, other organizations, or the Nation, based on law enforcement information, intelligence information, or other credible sources of information; and
• Obtain legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
 Procedures:
▪ OOT utilizes various tools, systems, and techniques to monitor possible security-related issues; these services are subject to change on the basis of TWU’s needs and service offerings.
▪ The OOT Security Team ensures that information system monitoring logs are secured and retained.
▪ The Chief Information Officer (CIO) consults with TWU’s General Counsel before OOT deploys a new information system monitoring technique.
▪ When the CIO or ISO receives credible information on an increased risk to information security, they notify the OOT Security Team to deploy additional manual interventions as necessary to meet the new risk.

SI-5 Security Alerts, Advisories, and Directives:
 Regulations:
▪ TWU must:
• Receive information system security alerts, advisories, and directives from the Texas Department of Information Resources on an ongoing basis;
• Generate internal security alerts, advisories, and directives as deemed necessary;
• Disseminate security alerts, advisories, and directives to information system owners; and
• Implement security directives in accordance with established time frames, or notify the issuing information system owner of the degree of noncompliance.
 Procedures:
▪ The OOT Security Team, ISO, and CIO receive security notices, alerts, and other useful information from the Texas Department of Information Resources.
▪ OOT utilizes various tools, systems, and techniques to alert information system owners of possible security-related issues; these services are subject to change on the basis of TWU’s needs and service offerings.
▪ The OOT Security Team reports security incidents and statistical information to the State of Texas on a monthly basis. Information for these reports is gathered from several internal systems, ticketing systems, network security appliances, and networked antivirus reporting and management interfaces.
▪ Information system owners are notified of security-related issues through automated monitoring and reporting systems or directly by the OOT Security Team.


APPLICABILITY: TWU Students, Faculty, Staff, and Guests

COMPLIANCE
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; or suspension or expulsion (in the case of a student).


SPECIAL NOTES
Department of Information Resources Security Standards Catalog
http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

Owner: Associate Provost for Technology

Details
Article ID: 56386
Created: Fri 6/22/18 11:23 AM
Modified: Mon 3/25/19 11:20 AM