July 1, 2015

Information Security

The purpose of this policy is to provide direction for the information security program in support of the mission of the university and to ensure compliance with laws and regulatory requirements. The policy establishes the governance structure for information security throughout all university campuses and offsite facilities, and expresses management expectations and role-based responsibility.

The policy applies to all university employees (faculty, staff, and any other employee categories), students (including postdoctoral fellows) and iVIP (guests with electronic access). In addition, all third parties, including vendors, consultants, and contractors who have access to or control of USC sensitive or restricted information, as described in this policy, must agree in writing to maintain such information in accordance with USC policies and federal and state laws.

Governance

Information security is governed through the authority of the university Chief Information Officer (CIO). The operational aspects of the security program are carried out through the Office of the Chief Information Security Officer (CISO), who is a direct report to the university CIO. The CISO will collaborate with various groups across the entire university to develop a comprehensive information security program. The following bodies help to guide and implement the security program across the university:

  • Information Risk Committee (IRC): This committee assists university leadership in managing information risk relating to information security, business continuity and disaster planning, compliance, information sharing and information integrity.
  • Committee on Information Services (CIS): This committee advises the CIO and Academic Senate on matters related to federated information resources and technologies and on policies associated with the use of technology for scholarly work, teaching, learning, and academic administration. The CIO informs the committee of the current issues and challenges associated with these resources and endeavors.
  • University Technology Committee (UTC): This committee operates under charter established by the CIO and serves, in part, as a steering committee for the information security program. Members of the committee are appointed by university executives and are responsible for keeping the appropriate executive informed of security initiatives and for representing the interest of their area in security strategy discussions. See the official charter for the UTC at: https://cio.usc.edu/advisory-committees/

Data Classification

All university data will be reviewed on a periodic basis and classified according to its use, sensitivity, and importance to the university. Classification and handling standards will be at the discretion of the Office of the CISO and published on the ITS website. The general classifications used by the university are:

  • Restricted
  • Sensitive
  • Public

Detailed definitions of these three classifications, and of the two types of restricted data that warrant further definition, follow.

Restricted information

Information or data in this classification is typically regulated or would cause a significant business impact if it were disclosed. Data protected by the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Family Educational Rights and Privacy Act (FERPA), and the California Financial Information Privacy Act (CFIPA), as well as personal information and personally identifiable information, are all examples of restricted data. Other data and information may be classified as restricted if it is in the best interest of the university.

Two types of restricted data that bear additional definition here are personally identifiable information and personal information. For the purposes of this policy we will define them as follows:

Personally identifiable information

As defined under the Gramm-Leach-Bliley Act and the California Financial Information Privacy Act, this includes personally identifiable financial information that USC collects about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available. Financial products or services offered by USC include: (1) student financial aid packages, and (2) faculty housing loans. USC’s Gramm-Leach-Bliley policy can be found at http://policy.usc.edu/consumer-info-privacy/.

Personal information

Protected under California state law and applicable to California residents: an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social security number
  • Driver’s license or California identification card number
  • Account number, credit or debit card number in combination with any required password, security or access code that permits access to the financial account
  • Medical information such as medical history, mental or physical condition, or treatment/diagnosis by a healthcare professional
  • Health insurance information, which means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including appeal records
  • Username or email address in combination with a password or security question and answer that would permit access to an online account

Sensitive information

Information or data that has the potential for significant negative impact to the university if disclosed outside the university community, or which by policy or agreement is available only to members of that community. Donor listings, in-process contracts and agreements, and performance evaluation data are examples.

Public information

Information or data in this classification is not regulated and generally made available through public interfaces. The university would experience no harm if this data or information were exposed to outside parties. Academic calendars and course catalogs are examples.

Role Definitions

Custodians

Individuals responsible for implementing the controls or safeguards needed to protect an information asset, as determined by the information owner. Typically these are the technical units responsible for system and/or application administration; the term also applies to the person(s) responsible for hardcopy storage (such as materials in a filing cabinet).

Designated security liaisons

Individuals designated by the deans or vice presidents of their respective units to serve as the liaison between that school or unit and the Office of the CISO for all matters relating to information security. This individual coordinates with the Office of the CISO to implement the university’s policies, procedures and education at the unit level and is the information security office’s contact for information security issues relating to that unit. This individual may be the unit’s UTC representative or another individual appointed by the dean or vice president.

Executives

For the purposes of this policy, deans of academic units and vice presidents of administrative units.

Information owners

Members of the university community responsible for a particular subset of information that USC creates, collects, or maintains for the operation of university business.

Users

Any member of the USC community (employee, student, or iVIP guest) who creates, accesses, uses or stores USC information.

Role-based Responsibility

Individuals can fill a variety of roles in the context of information security. For example, all members of the USC community are considered users but many members of the community will take on additional roles by virtue of their position. The following section delineates the responsibilities attached to those roles.

Chief Information Security Officer (CISO) must:

  • Inform the IRC and Executive Information Security Committee of major security or information assurance initiatives
  • Collaborate with relevant stakeholders or their designees to develop university policy and standards regarding information security
  • Implement enterprise-wide technologies to detect and respond to information security incidents and confirm compliance with university information security policies as well as federal and state regulations
  • Provide education and awareness programs regarding information security to the university community
  • Provide guidance to schools and units regarding information security
  • Investigate known or suspected breaches of USC information systems, coordinating with the Office of Compliance and other appropriate members of the university community to ensure that notification requirements under federal and state law are met, and taking action to remediate

Deans and vice presidents must:

  • Appoint a designated security liaison to represent their area and respond to security events
  • Periodically meet with the designated security liaison to discuss information security needs and issues as well as ensure adequate resources are being applied
  • Ensure systems within their units are maintained so as to actively mitigate unacceptable risks to those systems and/or the data passing through or residing on those systems
  • Ensure compliance with security policies and standards as well as regulatory requirements within their unit

Designated security liaisons must:

  • Maintain current knowledge of all policies and procedures disseminated by the CIO, Office of the CISO, Office of Compliance, and other relevant officials
  • Attend UTC and other relevant university security meetings
  • Maintain lists of the location of restricted and sensitive information within their unit
  • Assist the Office of the CISO in responding to security events and investigations consistent with the university’s incident response procedure
  • Provide security training and pre-purchasing advice to users and other members of the USC community within their respective units
  • Keep their unit executives and senior leaders current on security initiatives and issues within or affecting the unit
  • Assist the dean or vice president in ensuring systems within their units are maintained so as to actively mitigate unacceptable risks to those systems or the data passing through or residing on those systems
  • Compile and submit an annual information security report to the Office of the CISO

Information owners must:

  • Consult with the Office of Compliance, the Office of the CISO and the designated security liaison, and appropriately identify safeguards required to protect the information
  • Actively engage with custodians to ensure systems are secured in an appropriate manner, including any requirements for specific categories of university data
  • Maintain current lists of users with access to restricted information

Custodians must:

  • Maintain current knowledge of all policies and procedures disseminated by the CIO, Office of the CISO, Office of Compliance, and other relevant officials
  • Maintain IT systems in compliance with relevant USC policies and procedures, as well as any other appropriate industry standards
  • Deploy and maintain systems so as to actively mitigate unacceptable risks to those systems and/or the data passing through or residing on those systems
  • Maintain appropriate documentation for systems with restricted information
  • Report the location of restricted information to the appropriate designated security liaison
  • Complete training as directed by the Office of the CISO or Office of Compliance
  • Serve as the primary signatory for server hardening checklists

Users (defined as all members of the USC community) must:

  • Report concerns and known or suspected breaches of information security to the USC Office of the CISO at consult@usc.edu or via phone at (213) 740-5555
  • Understand the various roles and responsibilities regarding information stewardship, as applicable
  • Take reasonable precautions to protect information and information systems, such as encrypting USC restricted or sensitive information both in transit and at rest
  • Protect passwords, never sharing them with other individuals
  • Comply with policies, standards, procedures, guidelines and directives from the Office of the CISO, Office of Compliance, Office of the CIO, or their designees

Monitoring, Auditing and Enforcement

The Office of the CISO, the Office of Compliance and the Office of Audit Services will collectively monitor compliance with this policy, USC’s information security policies and standards and applicable federal and state laws and regulations.

At least once annually the CIO will present to the Executive Steering Committee a briefing (prepared by the CISO) on the status of the information security program. The Executive Steering Committee comprises, at a minimum, the following individuals or their respective designees:

  • Senior Vice President, Finance and Chief Financial Officer
  • Senior Vice President, Administration
  • Provost and Senior Vice President for Academic Affairs

Violation of this policy is serious misconduct that is grounds for discipline in accordance with the Faculty Handbook, staff employment policies and SCampus, as appropriate. Any disciplinary action under this policy will take into account the severity of the offense and the individual’s intent, and could include termination of access to the USC network, USC systems and/or applications, as well as employment actions up to and including termination, and student disciplinary actions up to and including expulsion.

Additional Resources

HIPAA policies

Protection of Consumer Financial Information policy

Privacy of Personal Information policy

Intellectual Property policy

Misappropriation of University Assets policy

Payment Card Industry Data Security Standards policy

Faculty Handbook

USC Employment and Workplace policies

SCampus

Responsible Office

Office of the Chief Information Security Officer

http://itservices.usc.edu/security/
security@usc.edu
(213) 740-5555

Issued by

Michael Quick, Provost and Senior Vice President, Academic Affairs
Todd R. Dickey, Senior Vice President, Administration
University of Southern California