System and Communications Protection Policy
The purpose of this policy is to establish and demonstrate adherence to a System and Communications Protection program, ensuring that the University's security controls meet the minimum acceptable requirements.
This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
- Fordham University adopted the System and Communications Protection (SC) security principles established in the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 to protect and safeguard the University's IT Resources.
- Data Owners and Custodians must develop/adopt and adhere to a formal, documented process to ensure that, commensurate with risk, the confidentiality, integrity, and availability of IT Resources, both in storage and during transmission, are protected per the Data in Transit and Data at Rest policies.
- The process must protect and monitor information transmitted or received by critical IT Resources, and must employ architectural designs, software development techniques, and engineering principles that promote adequate information security, per the Information Technology Security Policy.
- Data Owners and Custodians must monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and critical internal boundaries of Fordham University’s IT Resources per the Firewall/Network Access Control Policy.
- Data Owners and Custodians must prevent unauthorized and unintended information transfer via shared IT Resources per Data Classification Policy and Guidelines.
- Data Owners and Custodians must prevent remote devices from simultaneously establishing non-remote connections with Fordham University's IT Resources and communicating via some other connection to resources in external networks (i.e., split tunneling), per the IT Resources Remote Access Policy.
- Data Owners and Custodians must employ Federal Information Processing Standards (FIPS) validated cryptography to protect the confidentiality of information per the Disk Encryption Policy.
- Data Owners and Custodians must protect the authenticity of communications sessions, per the Server Certificate Security Policy.
- As summarized in the Information Security and Risk Management Program, mandatory security controls for IT Resources are University-wide controls required to be consistently designed, implemented, monitored, and assessed by the University Information Security Office.
- Refer to the IT Policy Library for additional respective policies.
A Custodian is the individual to whom day-to-day actions have been assigned by the Data Owner and who is responsible for storing, maintaining, and protecting information.
Data Owner(s) are responsible for the information, security, and use of a particular set of information.
Federal Information Processing Standards (FIPS) are standards issued by NIST to establish requirements for various purposes, such as ensuring computer security and interoperability, and are intended for cases in which suitable industry standards do not exist. Many FIPS specifications are modified versions of standards used in the technical communities, such as those of the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
- Data Classification Guidelines
- Data Classification Policy
- Data at Rest Policy
- Data in Transit Policy
- Firewall/Network Access Control Policy
- Information Security and Risk Management Program
- Information Technology Security Policy
- IT Resources Remote Access Policy
- System and Communications Protection Procedure
| Responsible Person: | Director, IT Risk and Data Integrity |
|---|---|
| Approval Date: | April 14, 2020 |

| Version | Date | Description |
|---|---|---|
| 1.1 | 05/11/2021 | Annual review, changes to the purpose statement |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be made cooperatively between the UISO and the requesting entity, with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.