A policy is a rule which is put in place to help an organization provide requirements on an issue or system.
A standard is a requirement which must be met, and supports a policy. It may also provide guidelines on how to be compliant with a policy.
A procedure is a repeatable series of steps to implement a standard or policy in a consistent manner.
Clayton State has decided to follow the general guidelines of the Association of College and University Policy Administrators (ACUPA) model for policy development.
The federal government maintains a series of documents, the Federal Information Processing Standards (FIPS), which seek to standardize computer systems and processing across all Federal agencies and contractors. Many of these standards are in turn based on recognized ANSI, IEEE, and ISO standards.
In 2002 the Federal Information Security Management Act (FISMA) was passed. This act highlighted the importance of information security and set forth guidelines for Federal agencies. Among these are:
- The inventory of Information Systems
- A Risk Assessment of each system
- An application of the relevant security controls to each Information System.
The risk assessment is outlined in the FIPS 199 document. The control categories are listed in the FIPS 200 document and detailed in the NIST document 800-53.
These documents were created by and for the Federal Government. This is a large group which not only runs normal day-to-day computer systems, but also Information Systems which send people into outer space, control nuclear missiles, reactors and subs, manage the flights of thousands of planes and so on. The FIPS 199 document accordingly lists loss of life and loss of facilities among the high-impact outcomes of a system security issue. Thankfully we maintain no such systems. Some of the standards to implement in NIST 800-53 reflect these sorts of environments.
We have taken the approach of basing ourselves on the FISMA standards, doing a review of the 180+ items in NIST 800-53, and implementing the ones which make sense for a State University. Clayton State makes use of many standard commodity and off-the-shelf products and software packages. In many ways we are limited to the features and capabilities of these systems and what they provide in the way of security. Thankfully many of the NIST recommendations are based on common sense and other recognized standards. Also, since Microsoft Windows is so widely used, some features required at the Federal level have been incorporated into the operating system.
The overall goal is to provide reasonable security based on the potential risk to a given Information System. Policies and standards need to be created and documented where they make sense, and not just for the sake of making policy. Policies also need to be reviewed on a regular basis - at a minimum annually. As technology changes, policies may need to be added for new systems or removed for obsolete technologies. Why have a 20-line section on dial-up policies if dial-up access was removed 4 years ago!
The University is also subject to a number of laws which help guide policy development, as failure to comply with these laws would be detrimental to the ongoing mission of the University to serve students. Among these laws are:
- Higher Education Act
- Gramm-Leach-Bliley Act (GLBA)
- Digital Millennium Copyright Act (DMCA)
- Georgia Computer System Protection Act
While the policies are available online, the phrase "I didn't know that policy existed" is often heard. Once a year, reminders directing users to the policies will be sent out to the campus. If there are major policy changes, they will be communicated individually as needed. Users working with systems will be expected to understand the policies before the system is brought online, as part of the collaborative process of helping them with their system.