Information Security Policy
Introduction
The New School is committed to protecting information that is critical to teaching, research, the university’s many activities, its business operations, and the communities it supports, including students, faculty, staff, visitors, alumni, donors, and the public. These protections may be governed by legal, regulatory, contractual, or university policy considerations.
Definitions
Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at ispo.newschool.edu/glossary.
Purpose
This policy establishes The New School’s approach to information security based on the generally accepted principles of
- confidentiality—information is not made available or disclosed to unauthorized individuals, entities, or processes;
- integrity—the accuracy and completeness of information is maintained and assured over its entire lifecycle; and
- availability—authorized users are able to access information and information systems when they are needed.
Adherence to these principles will ensure that university Institutional Information and IT Resources remain properly protected while they are being used in the pursuit of The New School’s academic, research, and public service mission.
This policy is intended to:
- promote the proactive assessment, reduction, and management of risk in a manner that enables Data Owners, IT personnel, and the larger New School community to be more aware of the risks to information, identify controls to reduce those risks, and understand the risks that remain after controls have been implemented;
- improve the security of critical system and network services through enterprise-wide, defense-in-depth approaches to reduce risks commonly associated with hybrid cloud computing environments;
- enhance crisis and information security incident response and management to enable the university to quickly recover its Institutional Information and IT Resources in the event of a catastrophic event and to manage information security events and data breaches more efficiently and effectively, thereby reducing or minimizing the damages to the New School community;
- encourage a “security aware” culture across the university and advocate that information security is everyone’s responsibility;
- support compliance with contractual, legal, and regulatory obligations concerning information security; and
- provide assurance to other parties that The New School deals with information security in a proactive manner and has a robust control environment in place.
The New School’s approach to information security is guided by the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), which has been widely adopted by both public and private sector organizations throughout the United States. The NIST CSF provides a framework for cybersecurity management, including asset identification, information and system protection, threat detection, incident response, and recovery. The university’s approach also leverages NIST Special Publication 800-53, which provides a catalog of security and privacy controls for information systems and organizations and a process for selecting controls to protect organizational operations, organizational assets, individuals, and other organizations from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).
Scope
This policy and its supporting standards apply to all university Institutional Information and IT Resources, irrespective of whether they are maintained by The New School or a third party on the university’s behalf or whether they are accessed from on-campus or off-campus locations, and to any individual who accesses or in any way makes use of them, regardless of affiliation. This includes, but is not limited to, Workforce Members, students, and alumni.
Policy statement
The New School manages and produces information that is private, confidential, or sensitive in nature, together with information that is regarded as being readily available for general sharing. The university recognizes that it is imperative that all information is protected from compromise of confidentiality, integrity, and availability. All individuals within the scope of this policy must therefore ensure that:
- Institutional Information is identified, Classified, and protected. Any security controls that are implemented must be proportionate to the assigned Classification. Key information assets are governed by an appointed Data Owner in accordance with the key responsibilities described under Roles and responsibilities.
  Supporting standards: Standard for Information and System Classification, Standard for Handling Institutional Information, Data Protection Handbook
- All processes, technology, services, and facilities are protected through information security controls.
  Supporting standards: Standard for Information and System Security Controls
- University Institutional Information and IT Resources are used responsibly, ethically, and in a manner consistent with both the law and the rights of others.
  Supporting standards: Standard for Handling Institutional Information, Data Protection Handbook
  Related policies: Acceptable Use Policy, Privacy & Data Protection Policy
- Information security incidents and data breaches are identified, contained, eradicated, investigated, and reported.
  Supporting standards: Standard for Incident and Breach Response
- Where appropriate, a risk assessment is carried out on all processes, technology, services, and facilities to manage risk. This includes situations in which a third-party service provider is used to provide services that involve access to Institutional Information.
  Supporting standards: Standard for Security and Privacy Risk Management
- Back-up and disaster recovery plans, processes, and technology are in place to mitigate the risk of loss or destruction of information and/or services and to ensure that contingency arrangements are in place to maintain availability of data and services.
  Supporting standards: (under development)
- Where off-site working takes place, appropriate security controls are implemented.
  Supporting standards: (under development)
In addition, all individuals within the scope of this policy must:
- Complete the Information Security Awareness Training.
- Take reasonable care to protect the university’s Institutional Information and IT Resources from accidental or unauthorized access, modification, or destruction.
The supporting standards referenced above represent the “baseline,” or minimum acceptable, requirements for information security at The New School. In some situations it may be necessary to augment the baseline with additional information security controls to meet specific legal, regulatory, or contractual requirements. The Information Security and Privacy Office can provide advice and assistance in selecting and implementing these additional controls when required.
Roles and responsibilities
Every person at The New School has a responsibility to protect the Institutional Information and IT Resources that they use or that are otherwise within their control. These responsibilities vary based on the functional role of the individual. Depending on those functions, some individuals may have more than one role.
President’s Leadership Team
The members of the President’s Leadership Team are accountable for exercising due diligence in protecting Institutional Information and IT Resources used within their area of responsibility by ensuring that adequate and effective information security controls are in place that comply with this policy, its supporting standards, and applicable laws and regulations. They are also accountable for compliance in any subsidiary unit within their management (e.g., institutes, centers, research groups, and multi-disciplinary organizations).
Data Owners
Data Owners are responsible for maintaining the security of Institutional Information datasets by:
- maintaining records of where the dataset (including copies) is stored, what it is used for, who has access to it, and with whom it is shared;
- determining and documenting the policies, guidelines, and business rules by which others are granted access to the dataset or portions thereof;
- reviewing and approving ad-hoc requests for access to the dataset (e.g., view access, data feeds, or copies);
- working with the Information Security and Privacy Office to:
- determine the security Classification of the dataset;
- perform a risk assessment and identify an acceptable level of risk for the dataset; and
- specify and document security controls to protect the dataset from unauthorized disclosure, modification, loss, or destruction;
- reviewing access granted to the dataset on a regular basis and adjusting user access permissions as necessary;
- ensuring that authorized data users understand their responsibilities with regard to their approved access; and
- reporting any possible breach in security or misuse of the dataset to the Information Security and Privacy Office.
Application Owners
Application Owners are responsible for maintaining the security of IT Resources by:
- maintaining records of where the resource (including development and test instances) is hosted, what it is used for, and who has access to it;
- determining and documenting the policies, guidelines, and business rules by which others are granted access to the resource;
- reviewing and approving ad-hoc requests for access to the resource;
- working with the Information Security and Privacy Office to:
- determine the security Classification of the resource;
- perform a risk assessment and identify an acceptable level of risk for the resource; and
- specify and document security controls to protect the resource from unauthorized access and loss of availability;
- reviewing access granted to the resource (or the business rules that grant access automatically based on user role) on a regular basis and adjusting user access permissions as necessary;
- ensuring that authorized resource users understand their responsibilities with regard to their approved access; and
- reporting any possible breach in security or misuse of the resource to the Information Security and Privacy Office.
Workforce Members
Workforce Members are responsible for protecting the university’s Institutional Information and IT Resources and for complying with this policy and its supporting standards.
Workforce Members are responsible for promptly reporting any material violation of this policy and its supporting standards to the Information Security and Privacy Office.
Students
Students must accept responsibility for their use of university facilities, and must take reasonable steps to protect the university’s IT Resources. Students are expected to comply with the requirements of this policy.
Alumni
Alumni are expected to comply with the requirements of this policy.
References
- National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity. April 16, 2018. Available from doi.org/10.6028/NIST.CSWP.04162018.
- National Institute of Standards and Technology. Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 5. September 2020. Available from doi.org/10.6028/NIST.SP.800-53r5.
Compliance and review
Failure to comply with this policy or its supporting standards, whether deliberate or due to careless disregard, will be treated as serious misconduct and may result in actions including (but not limited to) disciplinary action, dismissal, and civil and/or criminal proceedings.
This policy is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.