Information Security Plan

1. Purpose 

This Written Information Security Program describes the safeguards implemented by DePauw University to protect confidential data. The goal of the program is to ensure the security of these assets to support the academic mission and culture of DePauw University. These safeguards are provided to:

• Ensure the security and confidentiality of all information assets including confidential and nonpublic data,
• Protect against any anticipated threats or hazards to the security of such assets, and
• Protect against unauthorized access or use of such assets in ways that could result in substantial harm or inconvenience to customers.

2. Scope

This program applies to any use of the University's computing or network resources as defined in the Electronic Communications and Acceptable Policy and the University's Data Classification Policy. Additional standards and procedures may govern specific data or computer systems or networks provided or operated by third-party service providers.

This program applies to individual account holders (@depauw.edu) who utilize information technology resources at DePauw University, as well as the systems employed and managed by DePauw University administrators used to deliver those services. Any use of University data by off-campus entities (auditors, consultants, investigators, etc.) must adhere to the same security policies and guidelines as DePauw account holders.

3. Designation of Representatives

The University’s Chief Information Officer (CIO) is designated as the Information Security Program (ISP) Coordinator who shall be responsible for coordinating and overseeing the program. The ISP Coordinator may designate other representatives of the Institution to oversee and coordinate elements of the program. Their responsibilities shall include:

• Assess information security risks facing the institution and maintain awareness of current threats, mitigation strategies, and industry best practices.
• Recommend policies with regard to the security and integrity of University information systems, resources and data.
• Define, document and implement approved information security technology, practices and procedures.
• Facilitate communication and training on security policies and procedures.
• Meet on a regular basis to review policies and procedures and assess the effectiveness of security awareness education programs on campus.
• Report annually on the status of information and data security to the DePauw Board of Trustees.

4. Safeguards, Risk Identification and Assessment

DePauw University identifies and assesses external and internal risks to the security and confidentiality of confidential data that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information and assess the sufficiency of the safeguards in place to control these risks by:

• Performing periodic risk assessment using an external vendor
• Performing regular penetration testing that rotates from an external vendor performed test to an internally performed test
• Performing regular vulnerability assessments and as deemed necessary due to material changes to operations or business arrangements or other circumstances with a material impact to the information security program
• Conducting a periodic inventory including all hardware and network components that are used to process, store, or transmit customer information
• Monitoring safeguards put in place to detect and identify potential threats
• Monitoring advisory groups such as SANS, REN-ISAC, EDUCAUSE, and others to keep up to date on any new threats that may develop

The ISP Coordinator or their designee(s) will regularly monitor administrative, technical, and physical safeguards to control the risks identified through such assessments described above and to regularly test or otherwise monitor the effectiveness of such safeguards. Information Services division of the University designs and implements safeguards in areas highlighted by the assessments.

4.1. Information Access and Control

DePauw University implements security measures to protect its information systems and data from unauthorized access. The following guidelines are in place where possible:

• Role-based access controls are enforced using integrated identity management and directory systems.
• Multi-factor authentication (MFA) is in place for anyone accessing customer information on systems owned/maintained by DePauw, including staff, faculty, students, emeriti, third-party, and contractors.
• Access provisioning policies are in place to ensure that appropriate access is granted by business owners of data.
• Password complexity requirements are enforced, and authentication information is encrypted using current strong standards.
• Full disk encryption is applied to University-managed endpoints containing sensitive data or systems.
• SSL certificates are employed for all communication services on external networks.

4.2. Data Classification and Handling

DePauw University’s Data Classification Policy outlines a framework and requirements for classifying and handling institutional data based on its level of sensitivity, value, and criticality to the University. Appropriate data classification is guided by state or federal laws that require the University to protect certain types of data (e.g., personally identifiable information such as a social security number or FERPA-protected student education records).

Within the Data Classification Policy, “confidential data” is defined as data protected by federal and state regulations and are intended for use only by individuals who require that information in the course of performing their university functions. For these purposes, confidential data refers to, but is not limited to, financial information, academic and employment information, and other private paper and electronic records. Data that is considered confidential per the Data Classification Policy that is stored in Information Services (IS) managed systems of record or confidential data file shares will be managed per the Confidential Data Handling Recommendations to support DePauw’s Information Security Program and comply with applicable laws or regulations.

4.3. Encryption Standards

DePauw University works to maintain a secure environment by using technical and administrative controls to protect data while stored and in use. Institutionally owned laptops and desktops used by DePauw employees are encrypted to protect data at rest. Removable storage media such as external hard drives must be encrypted if it stores restricted data. Employees accessing the University's internal network resources remotely are recommended to use encrypted VPN connections.

4.4. Change Management

To ensure the successful implementation of changes to enterprise systems, various change control methodologies are employed. These methodologies help to authorize changes, coordinate timelines, and prevent conflicts. These change management procedures help ensure that changes to enterprise systems are properly authorized, coordinated, and implemented in a controlled manner, minimizing any potential risks or disruptions to university operations.

4.5. Developing Internal Applications

Internal applications utilized in the transmitting, accessing, or storing of customer information are developed using best practices and procedures ensuring that security is integrated into every phase of the software development process. This includes planning, requirements gathering, design, coding, testing, deployment, and maintenance. Examples of systems where internal applications are created are e-Services and BigTree.

4.6. Data Lifecycle Management and Secure Disposal

The DePauw University Record Retention and Document Destruction Policy outlines the requirements, limitations, and procedures for managing various institutional data types. Backups are encrypted and no removable media is used in the process. For Cloud hosting environments such as, but not limited to, Azure, Google, Box, and Workday, compliance reports are available through vendors that detail measures taken to limit physical access.

4.7. Audit and Accountability

Measures are taken to log the activity of authorized users and to review if they have accessed, used, or tampered with customer information outside the scope of their authorization. Role-based access control restricts access to information and systems based on a person's role within the institution.

4.8. Physical Controls and Access

DePauw implements strict physical and administrative access controls in our facilities. All data centers require either a key or ID card swipe for entry and access events are logged and monitored. Access to central systems, servers, and networks is restricted to authenticated and authorized users. The primary data center is equipped with a UPS/generator to ensure that power outages do not interrupt services.

Keys, ID cards, and card readers for access to data center environments are maintained by Information Services. Visitors are escorted by authorized personnel when accessing data center environments. These measures help to ensure that institutional data and system remain secure and that only authorized personnel have access to sensitive information.

5. Training Program

Cybersecurity awareness training is required for all employees with DePauw credentials. The awareness and training program, including phishing tests, occur on a regular basis and are reviewed annually and updated as needed to address new technologies, threats, standards, and DePauw requirements. Where applicable, role-based training will be implemented to target specific vulnerabilities within the execution of a respective role.

6. Service Providers

DePauw University will, upon hiring or contracting third party service providers, ensure that they take similar steps to protect confidential data as outlined in this plan. Security controls that a service provider has in place are reviewed using the Higher Education Community Vendor Assessment Toolkit (HECVAT) and is requested of all vendors and/or third parties who would be hosting, storing, or otherwise in possession of Restricted data under our Data Governance Policy. Providers that handle less sensitive data may use the shorter versions of the assessment.

7. Adjustments to Program

The designated ISP Coordinator and their designated personnel are responsible for adjusting and reevaluating the program as regular risk assessment occurs or as major changes occur that may significantly impact DePauw’s operations. The designated ISP Coordinator will revisit this program at least annually to ensure it is reflective of DePauw’s practices and adherence to regulatory requirements.

8. Incident Response

The Information Services Office is to be notified of any known or suspected information security incident, as outlined in the Data Incident Response Plan. Communications surrounding information security incidents, whether internal or external, are performed according to the severity and circumstances surrounding the incident.

9. Executive Report

The ISP Coordinator provides an annual written report to the University Board of Trustees. At a minimum the report will include appropriate metrics to illustrate the state of the security profile, major Security Incidents overview and remediation, program initiative status, and recommended & planned initiatives.

10. Policies Cross-Referenced

• Electronic Communications and Acceptable Use Policy
• Data Classification Policy and Handling Recommendations
• Record Retention and Document Destruction Policy
• FERPA Student Records Policy
• Data Incident Response Plan

11. Effective Date

This plan is effective May 1, 2024.

Last update: 05-20-2024