I. Scope

The scope of this policy includes all information assets governed by the organization. All personnel and service providers who have access to or utilize assets of the organization, including data at rest, in transit, or in process, shall be subject to these requirements. This policy applies to:

  • All information assets and IT resources operated by the organization;
  • All information assets and IT resources provided by the organization through contracts, subject to the provisions and restrictions of the contracts; and
  • All authenticated users of Earlham College information assets and IT resources.

II. Introduction

The purpose of this policy is to assist the organization in its efforts to fulfill its fiduciary responsibilities relating to the protection of information assets and comply with regulatory and contractual requirements involving information security and privacy. This policy framework consists of eighteen (18) separate policy statements, with supporting Standards documents, based on guidance provided by the National Institute of Standards and Technology (NIST) Special Publication 800-171.

Although no set of policies can address every possible scenario, this framework, taken as a whole, provides a comprehensive governance structure that addresses key controls in all known areas needed to provide for the confidentiality, integrity and availability of the organization’s information assets. This framework also provides administrators guidance necessary for making prioritized decisions, as well as justification for implementing organizational change.

III. Implementation

Earlham College needs to protect the availability, integrity and confidentiality of data while providing the information resources necessary to fulfill the organization’s mission. The Information Security Program must be risk-based and implementation decisions must be made based on addressing the highest risk first.

Earlham College’s administration recognizes that fully implementing all controls within the NIST Standards is not possible due to organizational limitations and resource constraints. Administration must implement the NIST standards whenever possible, and document exceptions in situations where doing so is not practical.

IV. Roles and Responsibilities

Earlham College has assigned the following roles and responsibilities:

  1. Chief Information Officer: The Chief Information Officer is accountable for the implementation of the Information Security Program, including: a) security policies, standards, and procedures, and b) security compliance, including managerial, administrative and technical controls. The Chief Information Officer is to be informed of information security implementations and ongoing development of the Information Security Program design.
  2. Information Security Committee: This group is responsible for the design, implementation, operations and compliance functions of the Information Security Program for all Earlham College constituent units. The committee is comprised of senior staff and functions as the Information Security Program Office.
  3. Information Security Officer: GreyCastle Security performs as the Information Security Officer for Earlham College. GreyCastle is responsible for the development, implementation and maintenance of a comprehensive Information Security Program for Earlham College. This includes security policies, standards and procedures which reflect best practices in information security.

V. Provisions for Information Security Standards

The Earlham College Security Program is based on NIST Special Publication 800-171. This publication is structured into 18 control groupings, herein referred to as Information Security Standards. These Standards meet all statutory and contractual requirements.

  1. Access Control: Earlham College limits information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems), and the types of transactions and functions that authorized users are permitted to exercise.
  2. Awareness and Training: Earlham College ensures that (i) managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of organization information systems; and (ii) personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
  3. Audit and Accountability: Earlham College (i) creates, protects, and retains system audit records to the extent necessary for monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protected systems, specific to confidential data and confidential networks, at a minimum; and (ii) ensures that actions of individual information system users can be uniquely traced for all restricted systems.
  4. Assessment and Authorization: Earlham College (i) periodically assesses the security controls in organization information systems to determine if the controls are effective in their application; (ii) develops and implements plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organization information systems; (iii) authorizes the operation of the organization’s information systems and any associated information system connections; and (iv) monitors information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
  5. Configuration Management: Earlham College (i) establishes and maintains baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establishes and enforces security configuration settings for information technology products employed in organizational information systems.
  6. Contingency Planning: Earlham College establishes, maintains, and effectively implements plans for emergency response, backup operations, and post-disaster recovery for the organization’s information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
  7. Identification and Authentication: Earlham College identifies information system users, processes acting on behalf of users, or devices and authenticates (or verifies) the identities of those users, processes, or devices, as a prerequisite to allowing access to Earlham College information systems.
  8. Incident Response: Earlham College (i) implements an operational incident handling capability for organization information systems that includes preparation, detection, analysis, containment, recovery, and user response activities; and (ii) tracks, documents, and reports incidents to appropriate organization officials and/or authorities.
  9. Maintenance: Earlham College (i) performs periodic and timely maintenance on organization information systems; and (ii) provides effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
  10. Media Protection: Earlham College (i) protects information system media, both paper and digital; (ii) limits access to information on information system media to authorized users; (iii) encrypts data, where applicable; and (iv) sanitizes or destroys information system media before disposal or release for reuse.
  11. Physical and Environmental Protection: Earlham College (i) limits physical access to information systems, equipment and the respective operating environments to authorized individuals; (ii) protects the physical plant and support infrastructure for information systems; (iii) provides supporting utilities for information systems; (iv) protects information systems against environmental hazards; and (v) provides appropriate environmental controls in facilities containing information systems.
  12. Planning: Earlham College develops, documents, periodically updates and implements security plans for organization information systems that describe the security controls in place or planned for the information systems as well as rules of behavior for individuals accessing the information systems.
  13. Personnel Security: Earlham College (i) ensures that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria for those positions; (ii) ensures that organization information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employs formal sanctions for personnel failing to comply with Earlham College security policies and procedures.
  14. Risk Assessment: Earlham College periodically assesses the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage or transmission of organizational information.
  15. System and Services Acquisition: Earlham College (i) allocates sufficient resources to adequately protect organization information systems; (ii) employs system development life cycle processes that incorporate information security considerations; (iii) employs software usage and installation restrictions; and (iv) ensures that third-party providers employ adequate security measures, through federal and state law and contract, to protect information, applications and/or services outsourced from the organization.
  16. System and Communications Protection: Earlham College (i) monitors, controls and protects organization communications (i.e., information transmitted or received by organization information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and (ii) employs architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within organization information systems.
  17. System and Information Integrity: Earlham College (i) identifies, reports and corrects information and information system flaws in a timely manner; (ii) provides protection from malicious code at appropriate locations within organization information systems; and (iii) monitors information system security alerts and advisories and takes appropriate actions in response.
  18. Program Management: Earlham College implements security program management controls to provide a foundation for the organizational Information Security Program.

VI. Enforcement

Earlham College may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security or functionality of organization computer and information resources.

Any personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

VII. Privacy

Earlham College makes every reasonable effort to respect a user’s privacy. However, personnel do not acquire a right of privacy for communications transmitted or stored on organization resources.

Additionally, in response to a judicial order or any other action required by law or permitted by official organization policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the organization, the Chief Information Officer, or an authorized agent, may access, review, monitor and/or disclose computer files associated with an individual’s account.

VIII. Exceptions

Exceptions to the policy may be granted by the Chief Information Officer, or his or her designee. To request an exception, submit an Information Security Exception request to Information Technology Services.

IX. Disclaimer

Earlham College disclaims any responsibility for and does not warrant information and materials residing on non-Earlham College systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions or values of Earlham College.

X. Policy Review and Approval

This policy will be reviewed annually by the Chief Information Officer. Amendments will be adopted with the approval of the Chief Financial Officer.

References

Policy specifications

Last revision: 02/01/2024
Responsible office: Information Technology Services
Responsible party(ies): Chief Information Officer (CIO)
Approved by: Chief Financial Officer
Effective date: 02/01/2024
Related policies: Acceptable Use Policy; Data Classification Policy; Confidentiality of Educational Records
Policy home: https://earlham.edu/policy/information-security-policy