Information Security Program

An Administrative Procedure Governing Information Security

Document #: Pol-slu-it-0004

Effective: August 7, 2025

Owner: Information Technology – Information Security Office

1. PURPOSE

The purpose of this Information Security Program is to plan, implement and document the comprehensive administrative, technical and physical safeguards the institution puts in place to:

  • Ensure the security, confidentiality, integrity, and availability of personal and other sensitive information St. Lawrence University collects, creates, uses, and maintains.
  • Protect against any anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information.
  • Protect against unauthorized access to or use of St. Lawrence University-maintained personal, protected, and other sensitive information that could result in substantial harm or inconvenience to any customer or employee.
  • Ensure the implemented safeguards are appropriate to St. Lawrence University's size, scope, and business, its available resources, and the amount of personal and other sensitive information that St. Lawrence University owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
  • Ensure compliance with laws, regulations, and requirements applicable to the institution.

Fulfilling these objectives enables St. Lawrence University to implement a comprehensive, system-wide Information Security Program. (Refer to the “New York Six” Information System Management System (ISMS) guidelines document.)

2. SCOPE

This information security program shall apply to all members of the St. Lawrence University community, including faculty, students, administrative officials, staff, alumni, authorized guests, and independent contractors who use, access, or otherwise employ, locally or remotely, the institution’s Information Resources.

SLU Information Resources include all systems and services, whether individually controlled, shared, stand-alone, or networked. Devices or data may be physically located on institution grounds or remotely, e.g., wherever a person is working or, in the case of servers, in the cloud, and may exist either physically or virtually in either environment.

3. ROLES AND RESPONSIBILITIES (GLBA ELEMENT #1)

St. Lawrence University has designated the following roles for the oversight of its Information Security Program (GLBA Element #1):

  1. Information Security Coordinator: Typically, this role is held by the CISO or, if the institution doesn’t have a CISO, the CIO of the institution. The Information Security Coordinator is responsible for Implementation of this Information Security Program. St. Lawrence University’s Leadership has designated a qualified individual, provided by a third-party service provider, to implement, coordinate, and maintain this Information Security Program. The individual designated as the Information Security Coordinator is listed in Appendix A.
  2. Senior Oversight Coordinator: St. Lawrence University has also designated a senior member of the institution, the Vice President of Finance and Administration, as responsible for oversight of the designated third-party Information Security Coordinator. The Senior Oversight Coordinator shall be responsible for:
    1. Retaining responsibility for compliance with the requirement to designate an Information Security Coordinator.
    2. Ensuring the third party providing the qualified individual as its Information Security Coordinator maintains an Information Security Program to protect the institution.
    3. Ensuring the institution remains responsible for compliance with federal and local laws and regulations, including the Gramm–Leach–Bliley Act (“GLBA”).
  3. University Senior Staff: Senior staff is responsible for the oversight and compliance functions of the Information Security Program for St. Lawrence University. The group consists of individuals who report directly to the University President and who have operational responsibilities.
  4. Information Security Committee: The Information Security Committee is responsible for the development and maintenance of information security policies and procedures. The committee monitors compliance with the written information security program and addresses security issues as they arise. The committee also works closely with department heads and data stewards to ensure the sensitive data is properly classified and adequately protected.
  5. Service Providers: St. Lawrence University hosts systems and provides information security controls and services for systems on its network that may be directly managed by other entities. While each entity accepts responsibility for the risk decisions related to the configuration of their systems, the institution’s Chief Information Officer (“CIO”) must be notified of any decisions or significant changes affecting the information security posture or logical risk position of the campus Infrastructure.
  6. Data Stewards: St. Lawrence University data stewards are responsible for ensuring the data within their respective areas are appropriately classified and access is controlled. Data stewards are also responsible for ensuring that the data security practices align with university policies and that employees and contractors handling sensitive data are adequately trained.
  7. Additional Roles: In addition to the roles of Information Security Coordinator and Senior Oversight Coordinator, St. Lawrence University assigns specific information security responsibilities to senior staff members to ensure comprehensive oversight and implementation of the Information Security Program. These roles are defined in the information security policy.

4. RISK ASSESSMENT, SAFEGUARDS AND TESTING (GLBA ELEMENTS #2, #3, #4)

St. Lawrence University conducts and bases its information security program on an annual, documented risk assessment using the CIS Risk Assessment Methodology for Implementation Group One Controls. Additional targeted assessments will be performed whenever a material change in St. Lawrence University's business practices may implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information.

The risk assessment:

  1. Identifies reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing personal or other sensitive information and includes criteria for evaluating and categorizing those identified risks.
  2. Defines assessment criteria and assesses the likelihood and potential impact that could result from such risks, including the unauthorized disclosure, misuse, alteration, destruction, or other compromise of personal or other sensitive information, taking into consideration the sensitivity of such data.
  3. Evaluates the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks to an identified level of acceptable risk (risk appetite) for the institution, in areas that include, but may not be limited to:
    1. Employee, contractor, and (as applicable) stakeholder training and management.
    2. Employee, contractor, and (as applicable) stakeholder compliance with this Information Security Program and related policies and procedures.
    3. Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal.
    4. St. Lawrence University's ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.
  4. Defines requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risk.
    Results of the risk assessments will be used to create an action plan to implement identified safeguards, including an estimated timeline for remediation. The action plan will include the actions required to maintain compliance with applicable laws and standards, including the Gramm–Leach–Bliley Act (GLBA), PCI-DSS and HIPAA where applicable.

5. INFORMATION SECURITY POLICIES AND PROCEDURES (GLBA ELEMENT #5)

St. Lawrence University develops and maintains the following information security policies in accordance with applicable laws and standards and distributes them to relevant employees, contractors, and (as applicable) other stakeholders. Policies will be reviewed and updated at least annually.

5.1 DATA GOVERNANCE

Recognizing the importance of comprehensive data management, St. Lawrence University adopts a holistic approach to data governance that encompasses the entire institution, not just the information systems department. To address data governance needs from an institutional perspective rather than solely an information systems or technology perspective, St. Lawrence University has established an Information Security Committee to deliberate on matters of governance. All St. Lawrence University owned data adheres to the policies and procedures set forth by the institutional Information Security Committee:

  1. The Information Security Committee has defined classification levels to reflect the sensitivity of the institution’s data. All St. Lawrence University data is assigned a classification that determines appropriate controls, policies, and processes to be applied to protect that data.
  2. All St. Lawrence University owned data types will be cataloged in its Data Inventory, which defines classification, Data Owner, Data Custodian, Data Users, source, and location for all sensitive data owned by the institution.
  3. All St. Lawrence University owned data will follow the minimum and maximum retention periods set forth in St. Lawrence University's Data Retention Policy.
  4. All St. Lawrence University owned data will follow the procedures outlined in Data Disposal Policy once the data is outside of its defined retention period.
  5. All St. Lawrence University owned data will adhere to additional policies and procedures set forth by the Information Security Committee, comprising a data management process; for a complete list of information security policies, see Appendix B.

St. Lawrence University's Information Security Committee will review and update the above policies and procedures periodically, but at least annually, to ensure they remain aligned with institutional needs and regulatory requirements.

Data Classification

The various units and departments at the institution have a multitude of types of documents and data. To the extent particular documents or data types are not explicitly addressed within this Information Security Program, Data Owners in each business unit or department are responsible for the classification of data by considering the potential for harm to individuals or the institution in the event of unintended disclosure, modification, or loss.

Confidential (Most Sensitive)

  • Sensitivity & restrictions: highest sensitivity data protected by law; high breach penalties or reputation risk. Access restricted to authorized employees & non-employees with a signed Confidentiality Agreement.
  • Examples: Personally Identifiable Information (PII); Social Security Number; Driver’s License, Passport #; Protected Financial Data, e.g., federal student aid; Protected Student data (FERPA).
  • Storage & transmission (electronic): encryption & strong passwords required; NEVER to be emailed or stored externally; ONLY to be accessed using institution-owned/maintained computers & devices; NO cloud storage; secure erase/destroy.
  • Physical: locked cabinet in secured room; shred immediately.

Restricted (High Sensitivity)

  • Sensitivity & restrictions: also protected by law in many cases. Access restricted to authorized employees & non-employees with a signed Confidentiality Agreement.
  • Examples: Other Personnel data; Other Financial data; Colleague ID number; Account passwords; Campus Police reports; Donor data; Academic/Research data; System Logs.
  • Storage & transmission (electronic): encryption & strong passwords required; no external storage; approved cloud storage services only; secure email only; secure erase/destroy.
  • Physical: locked cabinet in secured room; shred immediately.

Internal Use (Medium Sensitivity)

  • Sensitivity & restrictions: not confidential, but not intended to be public.
  • Examples: Internal communications; Meeting minutes; Interim financial reports; Student Directory Information (FERPA).
  • Storage & transmission (electronic): encryption & strong passwords required; approved cloud storage services only; secure email only; secure erase/destroy.
  • Physical: locked cabinet or secured room; shred or place in bins marked for shredding.

Public

  • Sensitivity & restrictions: data intended for public access.
  • Examples: Public web content; Job postings; Campus maps; Electronic directory.
  • Storage & transmission (electronic): no restrictions.
  • Physical: no restrictions.

Data Stewards will classify institutional data into one of the institution’s four (4) sensitivity levels, which the Information Security Committee has defined. These classifications are identified as Confidential, Restricted, Internal Use, and Public. Although all the enumerated data values require some level of protection, particular data values are considered more sensitive, and correspondingly, tighter controls are required for these values.

All institutional data is to be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to the institution and in compliance with federal and/or state laws.

5.2 ENTERPRISE ASSET INVENTORY AND CONTROL

SLU ensures technology assets are properly managed throughout their lifecycle, from procurement through disposal, so that only authorized devices are allowed to access the organization’s network and the organization’s data stored, processed or transmitted on its assets is protected.

5.3 CONFIGURATION MANAGEMENT

SLU establishes and maintains the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code.

5.4 CHANGE MANAGEMENT

SLU manages changes in a well-communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues. Effective change management includes planning, communication, monitoring, rollback, and follow-up procedures to reduce negative impact to the user community.

5.5 VULNERABILITY MANAGEMENT

St. Lawrence University regularly tests and monitors the implementation and effectiveness of its information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal or other sensitive information or infrastructure. St. Lawrence University reasonably and appropriately addresses any identified gaps. St. Lawrence University's testing and monitoring program addresses the effectiveness of St. Lawrence University's safeguards, specifically their key controls, systems, and procedures, including those St. Lawrence University uses to detect attempted and actual attacks on or intrusions into its networks and systems that handle personal or other sensitive information. Specifically, St. Lawrence University implements and maintains, as appropriate for its networks and systems that handle personal or other sensitive information:

  1. Continuous monitoring to detect, on an ongoing basis, changes to the environment that may create vulnerabilities.
  2. Annual penetration testing, targeting areas of potentially high risk as identified by the annual risk assessments.
  3. Periodic vulnerability assessments for critical infrastructure, including scans and reviews designed to identify publicly known security vulnerabilities, conducted at least every six months and whenever there are material changes to St. Lawrence University's operations or business arrangements, or circumstances occur that may have a material impact on St. Lawrence University's information security program.
  4. Remediation of identified findings using a risk-based remediation strategy.
  5. Operating system and application patch management for St. Lawrence University assets on a monthly or more frequent basis.
  6. Weekly meetings of a security review team to review security vulnerabilities and other related information security tasks.

5.6 IDENTITY, AUTHENTICATION AND CONTROL

St. Lawrence University will enforce the concept of “least privilege” consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability. Relevant systems will have Multi-factor Authentication (MFA) or appropriate mitigating controls deployed.

5.7 PHYSICAL SECURITY

St. Lawrence University will minimize physical access to the organization’s systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats.

5.8 EMPLOYEE TRAINING

St. Lawrence University provides security awareness training to all personnel as well as other institution community members, at least once per year, with the intent of teaching all information systems users how to interact securely with enterprise assets and data. St. Lawrence University's security awareness training is updated periodically to reflect risks identified by the risk assessment and includes training on the following topics:

  1. Recognizing social engineering attacks, such as phishing, pre-texting, and tailgating.
  2. Authentication best practices. Example topics include MFA, password composition, and credential management.
  3. How to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
  4. Causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
  5. Recognizing a potential incident and being able to report such an incident.
  6. Understanding how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
  7. Dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.

5.9 SERVICE PROVIDER MANAGEMENT (GLBA ELEMENT #6)

St. Lawrence University interacts with and utilizes the services of multiple third-party vendors to serve its information technology needs. Third parties may provide personnel, hardware tools, software tools, consultation, and other resources or services required for St. Lawrence University to perform its operational objectives. St. Lawrence University takes precautions to select and retain each of its service providers that may have access to or otherwise create, collect, use, operate, or maintain personal or other sensitive information or infrastructure on its behalf by:

  1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue, including requesting a HECVAT risk assessment for potential vendors.
  2. Requiring the service provider, by contract, to implement and maintain reasonable security measures, consistent with this Information Security Program and all applicable laws and St. Lawrence University's obligations.
  3. Monitoring and periodically assessing the service provider’s performance to verify compliance with this Information Security Program and all applicable laws and St. Lawrence University's obligations.

5.10 RESILIENCE AND RESTORATION PLANNING

St. Lawrence University security architectures are managed in accordance with the organization’s risk strategy to protect asset confidentiality, integrity, availability, and organizational resilience. Network and system redundancy are implemented where practicable to maintain system and service availability. Backups of institutional data are maintained to ensure the ability to restore after data loss.

5.11 MONITORING

St. Lawrence University will establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources.

5.12 INCIDENT RESPONSE (GLBA ELEMENT #8)

To effectively address both internal and external threats, St. Lawrence University has developed comprehensive policies, plans, and procedures. These are grounded in industry best practices and designed to safeguard the confidentiality, integrity, and availability of all information assets it owns or manages. St. Lawrence University has established a robust incident response methodology to include:

  1. Defining:
    1. The incident response plan’s goals.
    2. St. Lawrence University's incident response processes, including the initial reporting of the incident to the incident response team.
    3. Roles, responsibilities, and levels of decision-making authority, a primary incident response team lead and backup.
    4. Processes for internal and external communications and information sharing, including identifying the contact information for all parties that need to be notified in the event of an incident.
  2. Documenting the response to any security incident or event that involves a breach of security.
  3. Performing a post-incident review of events and actions taken.
  4. Reasonably and appropriately addressing any identified gaps.
  5. Identifying remediation requirements to address any identified weaknesses in St. Lawrence University's systems and controls.
  6. Documenting and appropriately reporting information security incidents and St. Lawrence University's response activities.
  7. Performing post-incident reviews and updating the plan as appropriate.

These policies and procedures are tested, reviewed, and updated periodically, but at least annually, to ensure currency and continued adherence to best practices.

6. PROGRAM REVIEW & REPORTING (GLBA ELEMENTS #7, #9)

St. Lawrence University reviews this Information Security Program and the security measures defined herein at least annually, when indicated by St. Lawrence University's risk assessment or program monitoring and testing activities, or whenever there is a material change in St. Lawrence University's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information. St. Lawrence University shall retain documentation regarding any such program review, including any identified gaps, and action plans to implement adjustments. (GLBA Element #7)

Periodically, but at least annually, the Information Security Coordinator will report to St. Lawrence University's Board of Directors in writing regarding the status of the information security program and St. Lawrence University's safeguards to protect personal and other sensitive information. This reporting includes the program’s overall status, compliance with applicable laws and regulations, material matters related to the program, such as risk assessment, risk management and control decisions, service provider arrangements, testing results, documented policy exceptions, cyber incidents or policy violations and management’s responses, and recommendations for program changes.

In addition, the Information Security Coordinator will periodically, but at least quarterly, report to St. Lawrence University's leadership regarding the status of the information security program. This reporting can be more in-depth than the reporting to the board. By maintaining a dialogue between information security and leadership, the Information Security Coordinator fosters a more cohesive institutional approach to its systems.

7. DEFINITIONS

For purposes of this Information Security Program, “sensitive information” includes information:

  • That the institution is under obligation to protect due to laws, regulations, or other requirements.
  • That St. Lawrence University considers to be confidential information.
  • That, if accessed by or disclosed to unauthorized parties, could cause significant or material harm to Prairie State College, its customers, or its business partners.

Sensitive information includes, but is not limited to, personal information.

See the supporting Information Security Definitions document for a list of additional Information Technology and Security definitions.

8. EXCEPTIONS

St. Lawrence University recognizes there may be rare, legitimate business needs to deviate from the standards, policies, and procedures detailed within this Information Security Program. In such cases, all exceptions must be approved by the Information Security Committee in writing prior to the exception being made. Where possible, the Information Security Coordinator will determine and apply mitigating controls to areas of exception to mitigate risk stemming from deviation. All exceptions must be formally documented, along with any mitigating controls, the purpose for the exception, and the reasoning.

9. PRIVACY

St. Lawrence University will make every reasonable effort to respect a user’s privacy. However, faculty, staff and students do not acquire a right of privacy for communications transmitted or stored on university resources.

In addition, in response to a judicial order or any other action required by law or permitted by official University policy or as otherwise considered reasonably necessary to protect or promote the legitimate interests of the University and the University community, the President may authorize the Chief Information Officer, or an authorized agent, to access, review, monitor and/or disclose computer files associated with an individual’s account.

10. ENFORCEMENT

The University may temporarily suspend or block access to any individual or device when it appears necessary to do so in order to protect the integrity, security, or functionality of institution and computer resources.

Violations of this policy may result in penalties and disciplinary action in accordance with the Student Handbook, Faculty Handbook and/or rules governing employment at St. Lawrence University.

11. DISCLAIMER

St. Lawrence University disclaims any responsibility for and does not warrant information and materials residing on non-St. Lawrence University systems or available over publicly accessible networks. Such materials do not necessarily reflect the attitudes, opinions or values of St. Lawrence University, its faculty, staff or students.

12. PROCEDURE AUTHORITY

This procedure is issued by the St. Lawrence University’s Vice President of Finance and Administration.

13. RELATED PROCEDURES

14. REFERENCES

Elements of this program have been drawn from numerous sources, including:

  • Model Written Information Security Program, IAPP, 2023, https://iapp.org/resources/article/model-written-information-security-program/
  • “Creating a Written Information Security Plan for Your Tax & ...”, IRS.gov, 2022, https://www.irs.gov/pub/irs-pdf/p5708.pdf
  • “Information Protection @ MIT,” Massachusetts Institute of Technology, 2024, https://infoprotect.mit.edu/
  • “Minimum Security Standards,” University IT, Stanford University, 2024, https://uit.stanford.edu/guide/securitystandards

APPENDIX A – CONTACT INFORMATION

Role: Individual(s), Title, Contact

  • Information Security Coordinator (“Designated QI”): Wendy Wilde, Chief Information Security Officer (CISO), wwilde@campusworksinc.com
  • Senior Oversight Coordinator: Karl Spiecker, VP of Finance Administration, kspiecker@stlawu.edu
  • Chief Information Officer (CIO): Jason Stahl, Chief Information Officer (CIO), jstahl@campusworksinc.com
  • Chief Information Security Officer (CISO): Wendy Wilde, Chief Information Security Officer (CISO), wwilde@campusworksinc.com

APPENDIX B – POLICY LINKS

The following policies and procedures are available at: https://www.stlawu.edu/offices/information-technology

15. REVISION HISTORY

Version, Date: Description of Change. Author

  • D1.0 (no date): Initial Draft. Graycastle Security
  • D1.01, 3/31/2016: Changes requested by SLU. Graycastle Security
  • D05, 4/11/2016: Updates. Sean Cunningham
  • D05.01, 7/14/2016: Updates – ISC. Sean Cunningham
  • D05.02, 10/31/2016: Updates – ISC review. Sean Cunningham
  • 1.0, 3/31/2017: Approved version. Sean Cunningham
  • 1.1, 8/7/2025: Revised to align with GLBA requirements and updated roles and responsibilities. Wendy Wilde

16. APPROVALS

  • Senior Oversight Coordinator: Karl Spieker, VP of Business and Finance, kspieker@stlawu.edu, 8/7/2025