Information Security Policy
Effective Date: February 7, 2024
Policy Statement
The purpose of this policy is to assist the New Jersey Institute of Technology (“NJIT” or “University”) in its efforts to fulfill its fiduciary responsibilities relating to the protection of Information Assets (defined below in Section 3.0) and comply with applicable legal, regulatory, and contractual requirements involving information security and privacy. This policy framework as set forth below is supplemented by the National Institute of Standards and Technology (“NIST”) Standards documents, based on guidance provided by the NIST Special Publication 800-53 Rev. 5[1] and Special Publication 800-171 Rev. 2[2], which may be amended from time to time, and by controls implemented based on the Center for Internet Security Critical Security Controls priorities[3], which may be amended from time to time.
Although no set of policies can address every possible scenario, this framework, taken as a whole, provides a University-wide governance structure that addresses key controls in all known areas needed to provide for the confidentiality, integrity, and availability of the University’s Information Assets. This framework also provides administrators guidance necessary for making prioritized decisions, as well as justification for implementing University-wide change.
Purpose
The purpose of this Information Security Policy is to clearly establish NJIT’s role in protecting its Information Assets and communicate minimum expectations for meeting these requirements. Fulfilling these objectives enables NJIT to implement a University-wide “Information Security Program”.
Applicability
The scope of this policy includes all Information Assets governed by the University. “Information Assets” means all NJIT owned or leased information technologies (“IT”) and information resources used for conducting NJIT business such as processing, transmission, storage, and communications, including, but not limited to, computer labs, classroom technologies, computing and endpoint devices and services, email, networks and infrastructures, internet access through NJIT systems, computer hardware and software, telephones, voice mail, fax, video, multimedia, and any instructional materials. It also includes all services that are owned, leased, operated or provided by the University or otherwise connected to NJIT resources, such as cloud services and infrastructures, or any other connected and hosted service. All personnel and service providers who have access to or utilize assets of the University, including data at rest, in transit or in process, shall be subject to these requirements. This policy applies to:
- All Information Assets and IT resources operated by the University;
- All Information Assets and IT resources provided by the University through contracts, subject to the provisions and restrictions of the contracts, as applicable; and
- All Users of NJIT Information Assets and IT resources.
“Users” means all members of the NJIT community, including students, faculty and staff employees, student employees, contractors, and affiliates and guests who are granted access by NJIT to NJIT’s Information Assets. Users also include persons who are otherwise serving as an agent or working on behalf of NJIT, including any person or any process generated by individual(s) that is authorized by NJIT to access the Information Assets.
Policy
NJIT recognizes the need to protect the availability, integrity, and confidentiality of data while providing information resources to fulfill the University’s mission. The Information Security Program must be risk-based, and implementation decisions must be made based on addressing the highest risk first.
Administration must implement the NIST standards whenever possible, and document exceptions in situations where doing so is not practicable. NJIT has established an Information Security Committee (“ISC”). The ISC supports the University's mission by providing oversight and prioritization of information security issues, risk mitigation efforts, and resource investments through the review and development of information security policies, procedures, and guidelines. The ISC will assist with ensuring alignment between the information security objectives and efforts and the University’s strategic business objectives. It will provide guidance to NJIT in order to reduce operational risk, identify emerging risks within the University and potential solutions to address those risks, and serve as a consultative body to Senior Management and the Board of Trustees. Roles set forth below in Section 5.0 establish the responsibilities to ensure the maintenance and continual improvement of NJIT’s Information Security Program. Operating areas will implement documented controls and ensure compliance with the Information Security Program.
Roles and Responsibilities
NJIT has assigned the following roles and responsibilities:
1) Chief Information Officer: The Chief Information Officer is ultimately accountable for the implementation of the Information Security Program including, but not limited to:
a) Security policies, standards, and procedures;
b) Security compliance including managerial, administrative, and technical controls; and
c) Reporting the status and direction of the Information Security Program to the President Council, at least once annually or as specific circumstances warrant.
The Chief Information Officer is to be informed of security incidents, information security implementations, and ongoing development of the Information Security Program design.
2) Information Security Committee: The ISC is responsible for managing security risks and remediation efforts across all University operations. The committee will be composed of representatives of senior staff[4], and functions as the Information Security Program Office. Responsibilities for the ISC include, without limitation:
a) Review and recommend strategies related to the Information Security Program;
b) Review and approve information security policies and standards, and other supporting documentation;
c) Approve and maintain oversight of the risk management process, including risk assessment methodology, risk acceptance criteria, residual and accepted risks;
d) Approve actions to resolve issues identified during reviews in an effective and timely manner;
e) Advise on year-over-year goals and priorities for the Information Security Program;
f) Ensure compliance with all Information Security Program requirements, policies, standards, and procedures;
g) Review findings from audits and assessments;
h) Oversee implementation of remediation plans to ensure high priority risks have been resolved;
i) Ensure open communications between the ISC and the other departments as needed to promote collaborative planning and execution of information security initiatives, corporate objectives, and partnerships;
j) Educate campus about inherent risks of confidentiality, integrity, or availability of systems and data, and how to help protect information;
k) Assist in the resolution of resource allocation issues as needed;
l) Review information security risk assessment summaries and review the acceptance of information security risks that cannot be avoided, transferred, or mitigated;
m) Assist in the development of relevant and appropriate metrics designed to measure the effectiveness of the Information Security Program and review results; and
n) Review summaries of information security incidents, audit findings, Business Continuity testing or other test reports and ensure appropriate root-cause analysis was performed and corrective action is being taken.
The ISC shall meet at least once every quarter but may increase or decrease this frequency as specific circumstances warrant. An agenda will be distributed to all ISC members prior to the meeting and minutes shall be taken and distributed to the ISC and other internal stakeholders following the meeting. All ISC members are encouraged to submit agenda items. Meeting agendas will be compiled by the ISC Chair in consultation with ISC members. Meetings shall be directed by the Information Security Officer.
3) Information Security Officer: The Information Security Officer (“ISO”) is responsible for the development, implementation, and maintenance of a comprehensive Information Security Program for NJIT. To establish and maintain the Information Security Program, the ISO will support the ISC by, without limitation:
a) Providing strategic guidance for maintaining compliance with applicable security standards, policies, regulations, and legislation;
b) Ensuring the security program aligns with the goals of the University;
c) Providing visibility into security trends affecting the University and/or the industry;
d) Overseeing internal teams’ handling of security incidents when potential incidents are identified;
e) Promoting a culture of strong information security;
f) Providing visibility into inherent or residual risks when contracting with vendors and/or subcontractors;
g) Ensuring budget for the Information Security Program is efficient and effective;
h) Increasing the overall awareness of the importance of information security within the University, and ensuring that all NJIT employees, faculty, students, and staff (“Personnel”) are well informed about the latest cyber threats.
4) Users: The User is responsible for, without limitation:
a) Understanding and conforming with all applicable NJIT policies, standards, and procedures;
b) Protecting and properly using all Information Assets made available to the User; and
c) Immediately communicating any detected security incident or anomaly through the appropriate channels and in accordance with the NJIT Incident Response Plan.
Information and System Classification
NJIT must establish and maintain security categories for Data, University Data, and Data Classification (each as defined in the Data Classification Policy) and for information systems. For more information, reference the Data Classification Policy[5].
Provisions for Information Security Standards
NJIT’s Information Security Program is framed on NIST Standards and controls implemented based on the Center for Internet Security Critical Security Controls priorities. NJIT must develop appropriate control standards and procedures required to support the University’s Information Security Policy. This Information Security Policy is further defined by NIST standards, procedures, control metrics, control tests, vulnerability testing and management, and patching processes to assure functional verification.
The NJIT Information Security Program is based on NIST Special Publication 800-53 Rev. 5 and Special Publication 800-171 Rev. 2, and Center for Internet Security Critical Security Controls (“Information Security Standards”).
Access Control (AC)
NJIT must limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
Awareness and Training (AT)
NJIT must: (i) ensure that managers and users of information systems are made aware of the security risks associated with their activities and of the applicable laws, directives, policies, standards, instructions, regulations, or procedures related to the security of the University’s information systems; and (ii) ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Audit and Accountability (AU)
NJIT must: (i) create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity on protective enclave systems, specific to confidential data and confidential networks, at a minimum; and (ii) ensure that the actions of individual information system users can be uniquely traced for all restricted systems.
Assessment and Authorization (CA)
NJIT must: (i) periodically assess the security controls in the University’s information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to identify and correct deficiencies and reduce or eliminate vulnerabilities in University information systems; (iii) authorize the operation of the University’s information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Configuration Management (CM)
NJIT must: (i) establish and maintain baseline configurations and inventories of the University’s information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in the University’s information systems.
Contingency Planning (CP)
NJIT must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for the University’s information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
Identification and Authentication (IA)
NJIT must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to the University’s information systems.
Incident Response (IR)
NJIT must: (i) establish an operational incident handling capability for the University’s information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate University officials and/or authorities.
Maintenance (MA)
NJIT must: (i) perform periodic and timely maintenance on the University’s information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Media Protection (MP)
NJIT must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; (iii) encrypt information on media, where applicable; and (iv) sanitize or destroy information system media before disposal or release for reuse.
Physical and Environmental Protection (PE)
NJIT must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the University’s physical and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
Planning (PL)
NJIT must develop, document, periodically update, and implement security plans for the University’s information systems that describe the security controls in place or planned for the information systems as well as rules of behavior for individuals accessing the information systems.
Personnel Security (PS)
NJIT must: (i) ensure that individuals occupying positions of responsibility within the University meet established security criteria for those positions; (ii) ensure that the University’s information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with NJIT’s security policies and procedures, including, but not limited to the Acceptable and Responsible Use Policy.
Risk Assessment (RA)
NJIT must periodically assess the risk to University operations (including mission, functions, image, or reputation), University assets, and individuals, resulting from the operation of University information systems and the associated processing, storage, or transmission of University information.
System and Services Acquisition (SA)
NJIT must: (i) allocate sufficient resources to adequately protect University information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures, through federal and state law and contractual requirements, to protect information, applications, and/or services outsourced from the University.
System and Communications Protection (SC)
NJIT must: (i) monitor, control, and protect the University’s communications (i.e., information transmitted or received by the University’s information systems) at the external boundaries and key internal boundaries of the information systems for confidential data transmissions; and (ii) employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within the University’s information systems.
System and Information Integrity (SI)
NJIT must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within the University’s information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
Program Management (PM)
NJIT will implement security program management controls to provide a foundation for NJIT’s Information Security Program. These include, by way of example and without limitation, ongoing assessment of policies and initiatives covering data classification, privacy, security awareness, asset management, vulnerability management, identity and access management, and incident response.
Enforcement
NJIT may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security, or functionality of University computer resources.
Any Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Privacy
The use of NJIT’s Information Assets is not completely private, and Users should have no expectation of privacy in their use of the University’s Information Assets. Users do not have a right to privacy for communications transmitted or stored on University resources. For more information, reference the NJIT Acceptable and Responsible Use Policy[6].
Additionally, in response to a judicial order or any other action required by law or permitted by official University policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the University, the Chief Information Officer, or an authorized agent, may access, review, monitor and/or disclose computer files associated with a User's account.
Exceptions
Exceptions to the policy may be granted by the Chief Information Officer, or their designee. To request an exception, submit an Information Security Exception request to NJIT’s IST Service Desk.
Disclaimer
NJIT disclaims any responsibility for and does not warrant information and materials residing on non-NJIT systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions, or values of NJIT.
Compliance
This Information Security Policy shall take effect upon publication. This policy may be amended at any time, which shall become effective upon publication.
If compliance with this policy is not feasible or technically possible, or if deviation from this policy is necessary to support the University’s mission, an exception must be requested in accordance with the process set forth in Section 10.0.
References
- NIST Special Publication 800-53 Rev. 5
- NIST Special Publication 800-171 Rev. 2
- Center for Internet Security Critical Security Controls
- Gramm-Leach-Bliley Act (GLBA)
- Family Educational Rights and Privacy Act (FERPA)
- FIPS 199
- PCI DSS 3.1
Related NJIT Policies
- Data Classification Policy
- Acceptable and Responsible Use Policy