Information Security Policy

 

 

Introduction

Franklin & Marshall College, like all colleges and universities, is responsible for maintaining the integrity of a wealth of personal, sensitive, and confidential information collected during the course of normal business operations. Financial, medical, and academic records include details such as social security numbers, bank accounts, and credit card numbers -- details which are protected by federal and state laws, industry regulations, and contractual obligations. The exposure of such sensitive information could cause irreparable harm to the College or individual members of this community. Therefore, it is imperative that all members of the College community work to diligently protect information to which they are granted access.

This information security policy is not intended to impede the fundamental teaching or research missions of the College; rather, we aim to balance information security with community members’ needs to conduct their work. Should any aspects of the information security policy obstruct teaching, learning, academic freedom, or research endeavors, appropriate provisions will be made to allow these essential functions to proceed in a secure manner.

The Franklin & Marshall College (F&M) Information Security Policy provides the College’s senior staff, College Information Technology Committee (CITC), Chief Information Officer(CIO), and Chief Information Security Officer (CISO) with direction and support, establishes an implementation framework for security, and ensures compliance of information security within F&M. At their discretion, the College Information Technology Committee reserves the right to modify this policy at any point in time.  Currently the following components comprise the Information Security Policy:

Audience

This policy applies to all members of the F&M community, which includes but is not limited to employees, students, alumni, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as “users”), who have access to, support, administer, manage, or maintain F&M information assets.  “Information assets” are defined as the computers, communications facilities, networks, data, and information that may be stored, processed, retrieved or transmitted by them, including programs, specifications, and procedures for their operation, use and maintenance.

Policy Maintenance

The College Information Technology Committee will review this policy on an annual basis. All revisions will be presented to the Chief Information Officer (CIO) for approval.

Policy Statement

The Information Security Policy provides a framework for defining the necessary technological and procedural controls necessary to ensure the confidentiality, integrity, and availability of College data and information systems.  The College’s Senior Staff has approved and endorsed this Information Security Policy.  The Chief Information Officer (CIO) and Chief Information Security Officer (CISO) are responsible for development, maintenance, and enforcement of the Information Security Policy.

I. Exceptions to Policy

Scope

This policy defines the procedures that will be followed by College personnel to identify any exceptions to policies that must occur in order to successfully complete College operations. It outlines the documentation that must be completed as well as the approvals that must occur before the exception to policy will be allowed

Exceptions to Policy Statement

In instances where there is a justifiable need to perform actions that are in conflict with F&M policy standards, management will consider providing a waiver for these exceptions. In almost all cases, alternative methods which do not conflict with policy can be deployed to solve any given business need.  Only when such options have been exhausted will an exception be considered.  F&M recognizes, however, that policies cannot be created and enforced which address 100% of all community issues. Exceptions are designed to facilitate new F&M needs, or to address areas where technological changes are not addressed by current policies. However, it is the responsibility of management to understand and mitigate risks.

Any exceptions will be documented and will be reviewed on a periodic basis as appropriate for the level of risk to the College presented by the exception and the amount of operational oversight and technical configurations necessary to enable and manage the exception.

Guidelines

Requests for exceptions to policies must have a justifiable reason documented and must have the necessary approvals to be considered valid. Exceptions must be approved and signed by the Data Steward and/or Data Owner, the Chief Information Security Officer, and the Chief Information Officer. Once approved, exceptions to policy will be valid for a period of no more than one year at which time the exception must be re-evaluated and re-approved.

--------
Policy Maintained by: Information Technology Services, Associate Vice President and Chief Information Officer
Last Reviewed:   August 11, 2017