Information Security Program - USC

Overview
revised 18-Nov-2013


Quick-Start

Checking for sensitive data on your computer systems:

Establishing an Information Security Plan for your unit:
  • Executive Guide (PDF) - This document describes the executive-level process for establishing your Information Security Plan.
  • Technical Guide (PDF) - This document describes the technical process for establishing your Information Security Plan.

Establishing Data Access/Security Standards:
  • Data Steward Guidelines (PDF) - This document provides instructions for Data Stewards in establishing their Data Access Requirements and Data Security Requirements, in compliance with University Policy.

Introductory Videos:



Introduction

Information Security is the job of all members of the University community. Many of us handle sensitive data routinely, and all of us use University resources, so we should all understand the associated risks to the confidentiality, integrity, and availability of these data and resources. Establishing and following security-conscious procedures is critical to reduce these risks.

This website describes the University's "Information Security Program," as authorized by University Policy IT 3.00. This Program is the collection of actions, Procedures, and Guidelines to be followed by all members of the University community, with respect to Information Security, to be consistent with the Policies of the University, the security of the University's IT assets, and the safety of the University community.



Assessment, Enforcement, and Consequences

The University Information Security Office may perform or coordinate the following measures for the purpose of assessing or enforcing compliance with any University policy, standard, or procedure:

  • Passively observe, log, or otherwise monitor usage of information technology assets.
  • Actively assess devices connected to University information technology assets (e.g. virus scan, vulnerability scan, network access control).

Any University information technology assets or personally owned technologies that are found to be configured or used in a manner that is out of compliance with the Information Security Program, or any other University Policy, Standard, or Procedure, may be disconnected from the network. The University Information Security Office may take actions commensurate with the level of risk to University interests, in order to isolate and deny access to the user, data, or information technology asset. Any attempt to interfere with or avoid information security measures, or any attempt to dissuade any person from reporting a suspected case of noncompliance, is prohibited and may be cause for investigation and disciplinary action.



Definitions

The following abbreviations are used in this website:

  • UISIRT - University Information Security Incident Response Team. This team is charged by the University to manage any information security incident that might arise within the University. Currently the UTS IT Security Office is designated to perform this role.
  • UISO - University Information Security Office. This office is appointed by the University to implement University-wide information security strategy. Currently the UTS IT Security Office is designated to perform this role.
  • OU - Organizational Unit. This is an administrative unit such as a College, School, Department, Office, or Team within the University. In some cases an OU may span across multiple reporting structures, for example, an IT project that involves individuals from multiple departments.
  • IT - Information Technology. Any technological device used to store, transmit, or process data (e.g. computer, hard drive, magnetic tape, network device, cell phone).



What are Policies, Standards, Guidelines, and Procedures?

Policy framework for the University is organized into the following hierarchy:

  • Policies are University-wide rules established at the executive level. They represent the intention and direction of the University, formally expressed by management.
  • Standards are University-wide rules established by those authorities who are designated in University Policies. These tend to be broad, setting standards for conduct and process within the OUs. Standards must conform to applicable Policies.
  • Guidelines are documents created by subject-matter authorities who are designated in University Policies. These documents contain recommendations to assist in the creation of related Procedures. Guidelines must conform to applicable Policies and Standards.
  • Procedures are documents created or adopted by OU administrators, with specific directions for conducting business and operations at the University. Procedures must conform to applicable Policies and Standards, and should also adhere to applicable Guidelines where practical.



Provisions of University Policy IT 3.00

Policy IT 3.00 defines the University's stance and infrastructure for implementing Information Security. Sections chartering this document, and establishing responsibility and accountability pertaining to it, are paraphrased below.

  • UISO Must Develop Information Security Program (IT 3.00, II.A.1) - The UISO is charged with the responsibility to develop the University-wide Information Security Program (described on this website).
  • UISO Must Develop Incident Response Procedure (IT 3.00, II.A.2) - The UISO is charged with the responsibility to develop and implement the University-wide Information Security Incident Response Procedure (see the "Incident Response Procedure" section near the bottom of this page).
  • Management Must Ensure Security (IT 3.00, II.A.5) - The management staff of each OU is responsible for ensuring the security of its IT assets.
  • Management Must Establish Security Contact (IT 3.00, II.A.7) - The management staff of each OU must designate a security contact as a liaison to the UISO, and make the identity of that contact known to its users and to the UISO.
  • Users Are Accountable (IT 3.00, II.A.6) - All users are accountable for ensuring the security of the data and IT assets they use.
  • Reporting Compromise (IT 3.00, II.A.4) - If a person sees signs of a compromise of a university computing device, the person must immediately contact a designated security contact, the UTS Service Desk, or the IT Security Office.
  • Disconnection of Compromised Assets (IT 3.00, II.A.3) - In the course of responding to an information security incident, the UISIRT has the authority to order the disconnect of compromised assets from the network.

  • The full text of University Policy IT 3.00 is available online in PDF format at this address: http://www.sc.edu/policies/it300.pdf



Provisions of University Policy IT 1.06

Policy IT 1.06 defines acceptable use of the University's IT resources. The sections most relevant to the Information Security Program are paraphrased below.

  • Users Are Accountable for Activity (IT 1.06, II.A.2) - Users are responsible for any activity conducted using their assigned credentials (user IDs and passwords), and are prohibited from using credentials they have not been assigned in accordance with the University Information Security Program.
  • Administrators Must Maintain Systems per Policy (IT 1.06, II.A.3) - System administrators must maintain IT systems in accordance with the Information Security Program.
  • All Management Must Educate Employees about Responsibilities (IT 1.06, II.A.4) - All levels of management must educate their employees regarding responsibilities under this Policy and the Information Security Program.
  • OU Must Request Data Access from Data Stewards (IT 1.06, II.A.4) - The head of a unit must request and obtain authorization for access to University data from the appropriate Data Steward (per Policy UNIV 1.50).
  • OU Must Remove Access for Transferred and Terminated Employees (IT 1.06, II.A.5) - The head of a unit is responsible to ensure that access permissions are removed for employees who transfer to another unit or are terminated.
  • Users Are Responsible for Reporting Violations (IT 1.06, II.A.2) - Users are responsible for reporting any known or suspected violation of any of the provisions of this Policy or of the Information Security Program.

  • The full text of University Policy IT 1.06 is available online in PDF format at this address: http://www.sc.edu/policies/it106.pdf



Provisions of University Policy UNIV 1.50

Policy UNIV 1.50 defines the University's methodology for managing access to its data. The sections most relevant to the Information Security Program are paraphrased below.

  • Data Trustees/Stewards Approve Access to Data (UNIV 1.50, I.A.2 & II.B.1) - Data Trustees and Stewards determine the level of access permitted to employees based on business requirements and regulations.
  • List of Data Trustees/Stewards (UNIV 1.50, II.B.2) - The list of Data Trustees and Stewards is maintained at this address (PDF): http://datawarehouse.sc.edu/DataWarehouseDocs/UNIV_1_50_Data_Stewards.pdf
  • "General Access" Data Defined (UNIV 1.50, I.B.5) - "General Access" data are those which are not classified as Restricted or Limited Access (see below). General Access data are to be broadly accessible.
  • "Limited Access" Data Defined (UNIV 1.50, I.B.6) - "Limited Access" data are available only to those who have legitimate need to access them.
  • "Restricted" Data Defined (UNIV 1.50, I.B.7) - "Restricted" data are only available to employees who have strict business, research, or educational need to access the data.
  • Data Administration Advisory Committee (DAAC) Chartered (UNIV 1.50, I.C) - The DAAC is to be comprised of representatives from all Operational Areas, as defined in section II.A.1. The DAAC is to review policy consistency, accessibility, and implementation, and to recommend revisions.
  • Users Are Responsible for Proper Access (UNIV 1.50, II.C.1) - Users must protect their data access privileges and the data they are entrusted with, according to established University Policy, Standards, and Procedures.
  • All Management Must Educate Employees about Responsibilities (UNIV 1.50, II.C.3) - All levels of management must educate their employees regarding responsibilities under this Policy.

  • The full text of University Policy UNIV 1.50 is available online in PDF format at this address: http://www.sc.edu/policies/univ150.pdf



Procedure Detail Development

Because of their broad scope, the Procedures below do not contain a high degree of implementation detail. In brief, these are the guidelines for developing procedure details specific to your OU:

Executive Guide (PDF) - This document describes the executive-level process for establishing your Information Security Plan.

Technical Guide (PDF) - This document describes the technical process for establishing your Information Security Plan.

  • How should Procedure details be developed and published?
    • The lead administrator of each campus, college, school, department, and project team should read the Executive Guide above, and determine what steps they need to take to delegate or perform the tasks described in the Technical Guide.
    • Technical staff should consult the University level procedures listed on this website, along with any procedure detail published by superior OUs. If these procedures do not adequately describe the technical processes to be followed by your OU, document and publish these processes according to the Technical Guide.
    • The language used within Procedure details should not be overly specific, lest it lose its relevancy to some environments within its scope (e.g. specifying that Windows Updates must be applied to all computers, when an OU or its subordinate OUs may also have Macintosh or Linux computers in use).
    • Procedure details should be approved by an OU manager.
    • Procedure details should be published where they will remain accessible to all persons responsible for implementation, and should be advertised to these persons when details are created or revised. Details should not be posted in a publicly accessible location, as they may contain sensitive operational information that could be used by a cyber intruder.



University Procedures and Guidelines

The Procedure and Guideline documents below are organized by subject matter hierarchy.

UISO 901 Data Security Procedure
This Procedure establishes a framework for information security practices in keeping with University Policy and Data Steward Standards. [revised DD-Mmm-YYYY]
 
UISO 901.1 Procurement and Contracts Procedure
Describes provisions to include during procurement process and contract negotiation of software and services. [revised DD-Mmm-YYYY]
 
UISO 901.2 Project Management Security Procedure
Describes a process to be integrated with project management and system development, to include provisions for information security. [revised DD-Mmm-YYYY]
 
UISO 901.2.1 Security Risk Assessment Procedure
Establishes a process for performing a Security Risk Assessment for projects or systems. [revised DD-Mmm-YYYY]
 
UISO 901.2.2 Data System Development Practices Procedure
Describes security best practices for development of data systems and software applications. [revised DD-Mmm-YYYY]
 
UISO 901.3 Sensitive Data Security Procedure
Establishes a process for properly securing sensitive data while in use, and properly disposing at the conclusion of usage, to include auditing its usage and retention. [revised DD-Mmm-YYYY]
 
UISO 901.3.1 Media Security Procedure
A process for properly securing data storage media while in use, and properly purging or destroying such media before transferring possession, to prevent accidental leakage of sensitive information or violation of licensing terms. [revised DD-Mmm-YYYY]
 
UISO 901.3.2 Guidelines for In-Processing / Out-Processing Procedure
Recommends in-processing steps for new employees and out-processing steps for terminated/transferred employees, with regard to information security. [revised DD-Mmm-YYYY]
 
UISO 901.3.3 Travel Security Procedure
Establishes secure processes for traveling with a computer: preparing for travel, during travel, and following travel. [revised DD-Mmm-YYYY]
 
UISO 901.3.4 Sensitive Data Discovery Procedure
Establishes a process for locating sensitive data on data systems and media. [revised DD-Mmm-YYYY]
 
UISO 901.4.1 Server Security Procedure
Describes best practices for secure server configuration, usage, and maintenance. [revised DD-Mmm-YYYY]
 
UISO 901.4.2 Workstation Security Procedure
Describes best practices for secure workstation/desktop/portable computer configuration, usage, and maintenance. [revised DD-Mmm-YYYY]
 
UISO 901.4.3 Mobile Device Security Procedure
Describes best practices for secure configuration, usage, and maintenance of mobile devices. [revised DD-Mmm-YYYY]
 
UISO 901.4.4 Compromised System Response Procedure
Describes the initial process to be followed when compromise of a University system is detected. [revised 27-Aug-2013]
 
UISO 901.5 Logging Practices Procedure
Describes best practices for logging and review of security-related events. [revised DD-Mmm-YYYY]
 
UISO 901.6 Software Patching Procedure
Describes best practices for updating any software, including operating systems, applications, and firmware. [revised DD-Mmm-YYYY]
 
UISO 901.7 Password Practices Procedure
Describes best practices for password complexity, usage, and protection. [revised DD-Mmm-YYYY]
 
UISO 901.7.1 Data/System Access Agreement Procedure
Describes a process for establishing an agreement with employees, contractors, and vendors, to ensure they are aware of Policies and Procedures. [revised DD-Mmm-YYYY]
 
UISO 901.11 Exemption Procedure
Establishes a process for creating an exemption to a Procedure. [revised DD-Mmm-YYYY]
 
Information Security Training and Certification for IT Staff - Guidelines (PDF) - These guidelines assist in determining appropriate training and certifications for IT staff members. [revised 16-Jan-2014]
 



Implementation Guides

The documents below provide more detail for implementation of information security processes and technologies. University login required.




UISO 902 Incident Response Procedure

The documents below illustrate the University-wide Information Security Incident Response Procedure. Sub-Procedures within the overall process are maintained with the respective organizational units.




Data Access/Security Standards

The documents below comprise the Data Access Requirements and Data Security Requirements, as approved by the Data Administration Advisory Committee (DAAC) to comply with University Policy UNIV 1.50.

  • Data Access Requirements (Standards) - Per Policy UNIV 1.50, these Data Access Requirements have been approved by the Data Administration Advisory Committee (DAAC) as the required process to be followed for all persons and information systems in order to access University data systems or use University data. [revised 10-Jun-2013]

  • Data Element Requirements (Standards) - Specific data types may be identified by Data Stewards for special security provisions. Any such data types and provisions are recorded centrally in this document. [revised 09-Jul-2013]

  • Data Security Requirements (Standards) - Per Policy UNIV 1.50, these Data Security Requirements have been approved by the Data Administration Advisory Committee (DAAC) as security requirements to be satisfied by all persons and information systems in the handling of University data. [revised 09-Jul-2013]
