MSU Information Security Program Plan

Version 1.0: Effective 9/20/2021

Purpose

The MSU Chief Information Officer has charged the MSU Chief Information Security Officer (CISO) to establish a university-wide information security program with the intent to ensure the confidentiality, integrity, and availability of the information assets of Michigan State University (“MSU” or “the University”) from unauthorized access, disclosure, damage/loss, or modification while supporting the open, information-sharing needs of our academic IT environment.

Scope

This Program Plan (“Program” or “Plan”) is applicable to all members of the MSU community and applies to all locations and operations of MSU. Specifically, the scope of this Program includes:

• Faculty, staff, students, visitors to MSU, including, but not limited to visiting scholars, lecturers/instructors, and/or all units and other persons who are acting on, for, or on behalf of the University.

• All institutional data, including but not limited to administrative, teaching and learning, clinical, licensed, or any other data related to the University.

• Third-party vendors who collect, process, share, transmit, or maintain MSU institutional data, whether managed or hosted internally or externally; and

• All devices that access or maintain institutional data.

Program Plan

1. General Information Security

This Plan establishes MSU-wide strategies and responsibilities for protecting the confidentiality, integrity, and availability of information assets that are created, accessed, managed, and/or controlled by the University. Information assets addressed by this Plan include data, information systems, computers, network devices, as well as paper documents.

With this Plan and associated policies, standards, and guidelines, the University will:

• Establish and maintain a university-wide information security program and risk management framework.

• Establish and maintain institution-wide security policies, standards, and guidelines which provide boundaries within which individuals and units will operate.

• Protect institutional data, systems, resources, and services against unauthorized access and other threats or attacks that could potentially result in financial, legal, or reputational harm to the University, members of the University community, or third parties to which the University owes a reasonable duty of care.

• Educate faculty, staff, students, and units on the need for appropriate information security, and protecting themselves against breach of their systems and unauthorized access to their personal information.

• Establish an exception process for individuals and units with unique needs.

• Support compliance with applicable federal, state, or local laws or regulations, and University policies, guidelines, contracts, and agreements that obligate the University to implement security safeguards; and

• Ensure Michigan State University’s core academic, research, and service missions are supported while ensuring the confidentiality, integrity, and availability of university information assets, and reducing and better managing information security risks.

2. Guiding Principles of Information Security

All persons and entities in scope have an obligation to protect institutional data in accordance with this Program Plan and its supplemental policies, standards, and guidelines, which take into consideration MSU's mission, as well as the levels of confidentiality and criticality of the information. The University promotes, supports, and adopts an institutional culture that elevates the importance of its overall information security posture by implementation of the following principles:

• Uniform Information Security Program
  • The University will remain consistent and adopt unified approaches to information security across all MSU sites and units. It will incorporate security, privacy, risk management, and disaster recovery practices throughout the information lifecycle, including, but not limited to, MSU's enterprise architecture, system and application development, research projects, clinical applications, and IT hardware and software.

The University recognizes that it is organizationally and functionally complex and that academic units, research programs, clinical care settings, and infrastructure will have unique needs, as well as differing threats and risk tolerances. Consequently, variation in how this Program Plan and its supporting policies, standards, and guidelines are implemented will be managed and tracked by MSU Information Security through an exception process.

• Shared Responsibilities

  • All members of the MSU community have individual and shared responsibilities to protect the University’s information assets and comply with applicable federal and state laws and regulations, and University policies.

• Information Focus

  • Required security controls are based on two factors, the confidentiality of the information, and a combined availability and integrity value called business criticality of the information systems involved. High-risk systems, determined by the highest level of confidentiality of information present on the system, will have more restrictive controls, while low-risk systems will have less restrictive controls. We acknowledge that some MSU information technology systems provide critical functionality to the University while only hosting/processing low-risk information. 

• Location Independence

  • Information will be hosted by central IT, unit IT organizations, and third-party cloud providers. Regardless of where the information resides, the same standards will apply to all University data.

• Acceptable Use

  • All persons and entities in scope will act in accordance with the principles included in the Acceptable Use Policy for MSU Information Technology Resources (AUP).

• Risk Management and Acceptance

  • The MSU Information Security team will establish, implement, and maintain a University-wide information security risk management framework based upon the NIST Cyber Security Framework (CSF). The University, individual units, and, where appropriate, research environments will be responsible for ensuring faculty, staff, students, and units are educated in the area of risk level and management and conducting annual risk assessments of information systems and applications which store, process, or transmit information classified as "Private" and "Confidential." These assessments help to identify risk and appropriately prioritize mitigation strategies that reasonably protect critical infrastructure and services. Having appropriately trained faculty, staff, students, and units allows MSU to appropriately allocate resources to reduce information security risk to a level deemed appropriate by university leadership.

• Standards-based

  • The University will leverage nationally recognized security standards where appropriate and in compliance with applicable state and federal laws and regulations.

• Privacy

  • The University will balance its information security obligations with the reasonable privacy expectation of its faculty, staff, students, and units in relation to their personally identifiable information. MSU Information Security will collaboratively develop and maintain privacy policies, standards, guidelines, and best practices to meet legal and compliance obligations.

• Continuous Monitoring

  • The University will monitor, on an ongoing basis: the security technologies and controls that support this Program Plan; compliance with applicable state and federal requirements; and changes to MSU's information systems and technology environment.

---

Confidential (Tier 1)   Confidential Data is a Protection Classification of Institutional Data whose public disclosure is restricted by law, contract, University policy, professional code, or practice within the applicable unit, discipline, or profession. Confidential Data includes both Institutional Data that Michigan State University is legally obligated to protect and Institutional Data that Michigan State University has elected to protect in order to safeguard its interests and reputation. Confidential Data also means data that could, by itself or in combination with other such data, be used for identity theft, fraud, or other such crimes. Tier 1 is for the most restrictive category of confidential. Examples: HIPAA (PHI) PCI (credit card data) SSN Additions Examples of Confidential Data can be found in the MSU Institutional Data Policy.

---

Confidential (Tier 2)   Confidential Data is a Protection Classification of Institutional Data whose public disclosure is restricted by law, contract, University policy, professional code, or practice within the applicable unit, discipline, or profession. Confidential Data includes both Institutional Data that Michigan State University is legally obligated to protect and Institutional Data that Michigan State University has elected to protect in order to safeguard its interests and reputation. Confidential Data also means data that could, by itself or in combination with other such data, be used for identity, theft, fraud, or other such crimes. Tier 2 is more restrictive than Private data, but less restrictive than Tier 1 Confidential (above). Examples: PII (not SSN) FERPA (student records) Financial Additions Examples of Confidential Data can be found in the MSU Institutional Data Policy.

---

Private   Private Data is a Protection Classification of Institutional Data that is shared internally within Michigan State University for business or academic purposes but is not to be shared outside the University except as negotiated via controlled and explicit contractual agreements. Private data is more restrictive than Public.  Examples: Employee Preferred Name/Prior Name Employee home addresses Student contact information Employee Position Information/Description Employee Part-time/full-time indicator Technical documentation Security procedures Exam questions and answers/scoring keys which the professor has not released as Public Data Threat assessments and preparedness strategies Any individual instance of this data could also be restricted at the request of the individual, regulation, law, or policy.

---

Public   Public Data is a Protection Classification of Institutional Data that have become generally available to the public because a person with authority to do so has intentionally released or distributed them without restriction or limitation. Examples: Student Name Employee names and addresses Employee compensation Employee job title Employee previous work experience Employee education and training background Any individual instance of this data could also be restricted at the request of the individual, regulation, law, or policy.

---

The MSU Information Security Governance, Risk, and Compliance (GRC) team, along with the IT Services Analytics and Data Solutions (ADS) Data Stewardship team will work with Data Owners to determine appropriate classification, as necessary. The Chief Information Security Officer (CISO) will make the final determination when the Data Owner and the aforementioned teams cannot agree. For questions regarding your information classification, please contact grc@msu.edu.

4. Use of Approved IT Services

Approved information technology infrastructure, services, staff training, and facilities are a key method to securing information at the University. All persons and entities in scope should give preference to utilization of approved IT services where such services are available and appropriate to meet the individual's needs. These approved IT services will be designed to follow specific, level-appropriate information security requirements based on the strategic risk the information represents as well as regulatory and contractual compliance requirements. Approved IT services have undergone an Application Security Risk Assessment which is based on the NIST 800-171 control families.

5. Adherence to IT Security Standards and Requirements

This Program Plan also recognizes the need to accommodate unique research, teaching, and clinical needs that may not be feasible to accomplish through use of approved IT services. If an approved IT service is not appropriate to meet the needs of faculty, staff, students, or units, unit specific solutions may be implemented. These solutions are required to meet level-appropriate information security requirements as identified through an Application Security Risk Assessment.

This Program Plan is supported and supplemented by specific operational, procedural, and technical standards and guidelines. These standards will be enforced in the same manner as this Plan.

Each standard will be owned by a Standard Working Group. The Working Group will be representative of the standard stakeholders and will be led by a GRC staff member and will include members of faculty and/or staff. The Standard Working Groups will be chartered by the CISO. The Standard Working Groups will review their standard at least quarterly, incorporating input from the University community, changes in the threat landscape, compliance standards, technology, and industry best practices.

6. Certification of Unit-based System Security

Any unit or individual that operates IT systems and/or applications that process information classified as Confidential Tier 1 or Confidential Tier 2 (“Confidential”) under this Program must have Authority to Operate granted by the Chief Information Security Officer or their delegate. The CISO will grant this authority after performing proper due diligence confirming that the information is properly secured and meeting any compliance requirements. Prior to obtaining the Authority to Operate, a unit or individual may have Provisional Authority to Operate by informing the CISO and certifying to the CISO that the information is properly secured and meeting compliance requirements. The CISO is responsible for the processes that grant Authority to Operate and Provisional Authority to Operate certification.

7. Acceptable Use

To create a secure environment in which all persons and entities in scope may feel free to create and collaborate without fear that the products of their efforts will be violated by misrepresentation, tampering, destruction, or theft, all individuals must follow the Acceptable Use Policy for Information Technology Resources (AUP).

8. Security Liaison

Each unit at the University will appoint a security liaison. This person will be a conduit for communication between MSU Information Security and the unit. This person does not have to be a security specialist or an IT specialist. However, if the unit has dedicated security staff or an individual who has security duties, then they are the preferred liaison. MSU Information Security will maintain a list, complete with contact information. MSU Information Security will provide training to all security liaisons.

Roles and Responsibilities in Security Decisions

The University has established the Information Security function within the MSU Information Technology Services (“IT Services”) department. The Chief Information Security Officer (CISO) is responsible and accountable to the university for the execution of the Information Security Program Plan. The CISO facilitates institutional risk decisions with university units by consulting with the University leadership responsible or accountable for various university information assets. In the case of emergencies, the CISO may have to make immediate decisions and will then be responsible for informing University leadership.

The CISO will facilitate risk decision with units through the guidance of the NIST Cyber Security Framework (CSF).

Responsibilities

All persons and entities in scope when acting on behalf of the University, and others granted

use of MSU-owned information are expected to:

• Follow the Acceptable Use Policy for MSU Information Technology Resources (AUP).

• Understand this Information Security Program Plan.

• Be aware of the type of information they store, transmit, process, or otherwise handle

  and ensure that appropriate action is taken to protect the information in accordance with MSU policies and guidelines.

Governance and Oversight

The CISO has chartered the CISO Risk and Advisory Council to serve as the primary governance capability for the MSU Information Security Program. An additional group, the Identity and Access Management (IAM) Council, is planned to support the complex decision- making associated with account access and service provisioning inherent to IT systems’ authorized access.

Reporting Security Incidents

If any MSU department or unit reasonably suspects/believes a security incident has occurred, they must immediately notify their local IT staff and the MSU Information Security Incident Response team (Call 517-432-6200 or email ithelp@msu.edu). The local IT staff and the Incident Response team will partner to assess the potential implications of the incident, notify the appropriate stakeholders, and take any remedial and necessary actions.

Exceptions and Exemptions

Exceptions to, or exemptions from, any provision of this Program Plan and/or supplemental policies, standards, or guidelines must be approved by MSU Information Security. Any questions about the contents of this Plan and/or supplemental policies, standards, or guidelines should be referred directly to the CISO and the GRC team (grc@msu.edu) who has the responsibility to interpret the security standards.

Violations

Any MSU department or unit found to operate in violation of this Program may be held accountable for remediation costs associated with a resulting information security incident or other regulatory non-compliance penalties, including but not limited to financial penalties, legal fees, and other costs.

All persons and entities in scope who violate this Program and/or supplemental policies, guidelines, or standards may be subject to disciplinary action. Visitors and affiliates will be subject to loss of IT service access, coordinated through their MSU sponsor.

Further Information

For questions, additional details, or to request change this Program, please contact the Governance, Risk, and Compliance team at grc@msu.edu.

Cross References

Other polices may be referenced, especially the following:

• MSU AUP (Acceptable Use Policy for MSU Information Technology Resources)

• MSU IDP (MSU Institutional Data Policy)

Information Security Policies and Guidelines

MSU Information Security uses the NIST Cyber Security Framework (CSF) for program guidance. CSF consists of the following phases:

• Identify: Knowing and reporting the location, type, and sensitivity of information assets in the area of responsibility.

• Protect: Implementation of the safeguards required to adequately protect the information in the area of responsibility.

• Detect: Detecting attempts, unauthorized access, misuse of information, or any other information security event.

• Respond: Conduct appropriate actions in response to an information security event.

• Recover: Conduct the appropriate activities to restore any capabilities impacted by an information security event.

MSU Information Security use NIST 800-171 for guidance on specific controls. NIST 800-171 consists of the following control families:

• Access Control: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

• Audit and Accountability: To minimize risk to the University by providing the ability to detect malicious or anomalous activity, and to allow for the forensic reconstruction of events.

• Awareness and Training: This applies to any University systems, resources, or data, and any persons or accounts that access any University systems or resources, or store, process, or transmit any University data.

• Configuration Management: To minimize risks to the University systems by ensuring all systems have basic security controls and are configured properly to support their designated function, and changes to those systems are properly analyzed, documented, and approved prior to implementation.

• Identification and Authentication: This applies to any University systems, resources, or data, and any persons or accounts that access any University systems or resources, or store, process, or transmit any University data.

• Incident Response: To minimize risk to the University by ensuring plans, procedures, and training are in place that support the timely analysis, reporting, and resolution of security incidents.

• Maintenance: To minimize risk to the University by establishing proper maintenance processes that reduce the likelihood of hardware and software failures.

• Media Protection: To minimize risk to the University by protecting digital and non-digital media, limiting access to the information on media to authorized users, and providing processes to sanitize or destroy media before its disposal or release for reuse.

• Personnel Security: To minimize risk to the University by providing processes to screen personnel for potential security risks, and by ensuring that University resources are protected during and after personnel actions, such as terminations and transfers.

• Physical Protection: This applies to any University systems, resources, or data, and any persons or accounts that access any University systems or resources, or store, process, or transmit any University data.

• Risk Assessment: To minimize risk to the University by establishing an information security program that is designed to reduce risk to an acceptable level, coordinates with and is supportive of the University’s mission and business needs.

• Security Assessment: To minimize risk to the University by providing a means to monitor and assess security controls to ensure their continued effectiveness.

• Systems & Communications Protection: To minimize risk to the University by ensuring that University communications are monitored, controlled, and protected at external boundaries and key internal boundaries

• Systems & Information Integrity: To minimize risk to the University by providing protection from malicious code, monitoring security alerts and advisories, and ensuring that system flaws are identified, reported, and corrected in a timely manner.

Definitions

• Availability: Ensuring that information is ready and suitable for use.

• Chief Information Security Officer (CISO): Oversees MSU Information Security and is responsible for developing and implementing an information security program, which includes policies, standards, guidelines, and procedures designed to protect enterprise communications, systems, and assets from both internal and external threats.

• Confidentiality: Ensuring that information is not disclosed to unauthorized individuals.

• Data: Unstructured facts and figures without added organization, interpretation, or analysis.

• Data Owner: Individual responsible for university information.

• Person and Entities in Scope: Any person or entity that interacts with MSU Information Systems, i.e. Faculty, Staff, Student, Alumni, Visitors.

• Information: Contextualized, categorized, calculated, and condensed data.

• Information Assets: Any MSU-owned data, information, software, or hardware that is used in the course of business activities. This includes information that is processed or resides on privately owned devices that are used for university purposes.

• Integrity of Data: Ensuring accuracy, completeness, and consistency.

• Institutional Data: Information created, collected, maintained, transmitted, or recorded by or for the University to conduct University business, including, but not limited to, information in paper, electronic, audio, or visual formats.

• Security Incident: An adverse, or potentially adverse event/action in an information system and/or a network that poses a threat to computer or network security in respect to the confidentiality, integrity, and availability of information (e.g. unauthorized disclosure of sensitive information, theft or loss of equipment that contains potentially sensitive information, malware traffic, denial of service attacks, attempts (either failed or successful) to gain unauthorized access to a system and/or its information, etc.).

• Security Staff: MSU employees who have information security listed as part of their official duties.

• Unauthorized Access or Access in Excess of Authorization: Viewing, modifying, or destroying information without proper authorization/approval and/or legitimate business need.