1.0 Policy Purpose
Maintaining the security, confidentiality, integrity, and availability of Brown University Information Technology Resources and the Data contained within such resources is a responsibility shared by all users of those resources. This policy sets forth the requirements for managing and protecting Brown Information Technology Resources and the Data contained within such resources.
2.0 To Whom the Policy Applies
This policy applies to all Brown faculty, staff, students, contractors, and any other individual using Information Technology Resources or Data.
3.0 Policy Statement
The Brown Office of Information Technology (OIT) is authorized to develop, document, periodically update, and implement policies, standard operating procedures, technical specifications, and other guidance necessary to protect Information Technology Resources and the Data contained therein, including specifying the rules of behavior for individuals accessing Information Technology Resources or Data. Such coordinated activities are understood to form the basis of the Brown Information Security Program.
3.1 Implementation
Regarding the implementation of its Information Security Program, Brown University will:
- Follow the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), enhanced by the family of NIST information security controls, including NIST Special Publication 800-171 and NIST Special Publication 800-53, as the foundation for its Information Security Program.
- Follow relevant laws and regulations pertaining to its operation of Information Technology Resources and use of Data, including, but not limited to, the Family Educational Rights and Privacy Act of 1974 (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Gramm-Leach-Bliley Act of 1999 (GLBA).
- Periodically assess the risk to its Information Technology Resources, Data, and individuals resulting from the operation of Information Technology Resources.
- Ensure that all members of the Brown community are adequately trained to carry out their assigned information security-related responsibilities.
3.2 Identification
To identify its Information Technology Resources, Data, and authorized users, Brown University will:
- Develop and maintain classification levels for Data that are based on risk.
- Establish and maintain inventories and baseline security configurations of its Information Technology Resources.
- Uniquely identify and authenticate the users, processes, and/or devices that access its Information Technology Resources.
- Limit access to its Information Technology Resources and Data to authorized users, processes, and/or devices with legitimate business needs.
- Evaluate, review, and limit privileged access to only those users and applications with legitimate and sufficient business needs.
3.3 Protection
To protect its Information Technology Resources and Data, Brown University will:
- Allocate sufficient resources (e.g., capital funds, operating funds, software and hardware, staffing) to adequately protect its Information Technology Resources and Data throughout their respective lifecycles.
- Develop and maintain record retention practices for Data, including addressing retention periods required by law and business practices, and storage and disposal processes.
- Perform periodic and timely maintenance on its Information Technology Resources and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
- Regularly assess the security controls implemented in its Information Technology Resources or applied to Data to determine if the controls are effective and develop and implement appropriate plans to correct deficiencies.
- Monitor, control, and protect Brown communications (e.g., Data transmitted or received by Brown Information Technology Resources) at the external boundaries and key internal boundaries of the Brown network and employ architectural designs, software development techniques, encryption, and systems engineering principles that promote effective information security within its Information Technology Resources.
- Use encryption, or equivalent protections, wherever possible to protect Data.
- Ensure that Data stored on Information Technology Resources is securely destroyed when such resources are no longer needed.
- Limit physical access to its Information Technology Resources to authorized individuals, protect the physical plant and operating environments for Information Technology Resources, and implement appropriate environmental controls in facilities containing Information Technology Resources.
- Ensure that individuals occupying positions of privilege and responsibility within Brown University meet established security criteria for those positions.
- Ensure that Information Technology Resources and Data are protected during and after personnel actions such as separations, terminations, and transfers.
- Ensure that third-party providers employ adequate security measures to protect Brown Information Technology Resources and Data, and periodically review third-party providers and services to ensure that related security agreements are being adhered to and enforced.
3.4 Detection
To detect potential threats to its Information Technology Resources and Data, Brown University will:
- Promptly identify, report, and correct flaws in its Information Technology Resources and systems, and protect its Information Technology Resources against malicious code.
- Monitor information system security alerts and advisories and take appropriate actions in response.
- Ensure that, wherever possible, every action impacting Brown Information Technology Resources and Data can be uniquely traced to the individual user who took it.
- Create, protect, and retain Information Technology Resource audit (logging) records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate activity on Information Technology Resources.
3.5 Response/Recovery
To respond and recover from information security events impacting its Information Technology Resources and Data, Brown University will:
- Establish and maintain an operational incident handling capability and process to identify, detect, respond, and recover from information security incidents.
- Establish, maintain, and implement plans for emergency response, backup operations, and post-disaster recovery to ensure the availability of those Information Technology Resources and Data critical to the continuity of Brown University operations.
3.6 Exception Requests
Brown University recognizes that there may be business needs or academic pursuits that require deviations from the requirements of this policy or the Brown Information Security Program. Such exception requests must be approved by OIT. Exception requests should be submitted to the OIT Service Center.
4.0 Definitions
For the purposes of this policy, the terms below have the following definitions:
Data: Any information, regardless of electronic or printed form or location, that is created, acquired, processed, transmitted, or stored on behalf of Brown University on an Information Technology Resource. This includes data processed or stored by Brown University in hosted environments in which Brown University does not own or operate the technology infrastructure.
Information Technology Resources: Brown University-owned facilities, technologies, and information resources used for Brown University processing, transfer, storage, and communications. Included, without limitation, in this definition are computer labs, classroom technologies, computing and electronic devices and services, email, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive but rather reflects examples of equipment, supplies, and services. It also includes services that are owned, leased, operated, or provided by Brown University or otherwise connected to Brown resources, such as cloud and Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or any other connected/hosted service.
Information Security Program: A set of coordinated services and activities designed to protect Information Technology Resources and Data, and manage the risks associated with the use of such resources. The program includes the policies, standard operating procedures, guidance, assessments, protocols, controls, and training needed to protect Information Technology Resources and Data.
5.0 Responsibilities
All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. University supervisors and employees with student oversight duties are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure and enforce compliance with it.
Users of Information Technology Resources: All users of Brown University Information Technology Resources are responsible for:
- Following Brown's information security policies and other information issued by the Information Security Program.
- Completing information security training.
- Promptly reporting potential information security incidents to the OIT Service Center.
President and President’s Cabinet: The President and President’s Cabinet are accountable for providing executive oversight and support of the Information Security Program.
Vice President for Information Technology and Chief Information Officer (CIO): The Vice President for Information Technology and CIO is responsible for:
- Advising the President and President’s Cabinet on Brown information security needs and resource investments.
- Overseeing the implementation and enforcement of the Information Security Program.
Chief Information Security Officer (CISO): The CISO is responsible for:
- Leading the implementation, maintenance, and enforcement of this policy and the Brown Information Security Program.
- Facilitating information security governance and collaboration across Brown University.
- Advising OIT leadership on security needs and resource investments.
- Leading the development of information security standard operating procedures, rules, standards, technical specifications, and any other guidance issued to secure Information Technology Resources and Data.
- In conjunction with the Vice President for Information Technology and CIO, regularly, and at least annually, reporting to the President, President’s Cabinet, and Brown University Corporation regarding the overall status of the Information Security Program and material matters related to the program.
6.0 Consequences for Violating this Policy
Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with the University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures.
7.0 Related Information
Brown University is a community in which employees are encouraged to share workplace concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).
The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws, and requirements.
7.1 Related Policies
7.2 Related Procedures
7.3 Related Forms
N/A
7.4 Frequently Asked Questions
N/A
Policy Owner and Contact(s)
Policy Owner: Vice President for Information Technology and Chief Information Officer
Policy Approved by: President
Contact Information:
Policy History
Policy Issue Date:
Policy Effective Date:
Policy Update/Review Summary:
N/A
Webpage Updated October 16, 2024