Information Security Plan

The Information Security Plan establishes and states the policies governing Michigan Technological University’s IT standards and practices. These policies define the University’s objectives for managing operations and controlling activities. These top-level policies represent the plans or protocols for achieving and maintaining internal control over information systems as well as compliance with the requirements imposed on the University.

Approval by Information Security Board of Review Members
Rev: 3 (10/13/2011)

Table of Contents

1 Executive Summary

2 Purpose

3 Scope

4 Definitions

5 IT Governance Commitments & Responsibilities

6 University Policy Statement

7 Enforcement

8 Information Security Program

  • 8.1 Risk Assessment
  • 8.2 Control Activities
  • 8.2.1 Internal Controls
  • 8.2.2 Preventative Controls
  • 8.2.3 Detective Controls
  • 8.2.4 Corrective Controls
  • 8.3 Control Environment
  • 8.3.1 Michigan Tech's Security Policy
  • 8.4 Organization of Information Security
  • 8.5 Accountability for Assets
  • 8.6 Information Classification
  • 8.6.1 Tier I: Confidential
  • 8.6.2 Tier II: Internal/Private
  • 8.6.3 Tier III: Public
  • 8.7 Information Handling
  • 8.8 Identity & Access Management
  • 8.8.1 Identification
  • 8.8.2 Authentication
  • 8.8.3 Authorization
  • 8.8.4 Remote Access
  • 8.8.5 Privileged Access
  • 8.8.6 Segregation of Duties
  • 8.9 Communication and Operations Management
  • 8.9.1 Network Security
  • 8.9.2 Network Monitoring
  • 8.9.3 Encryption
  • 8.9.4 Virus Protection
  • 8.9.5 Backup and Recovery
  • 8.10 Systems & Application Security
  • 8.10.1 Systems Development and Maintenance
  • 8.10.2 Change Control
  • 8.11 Physical Security Measures
  • 8.11.1 Physical Entry Controls
  • 8.11.2 Provisioning Process
  • 8.11.3 Visitors
  • 8.11.4 Alarms & Surveillance
  • 8.11.5 Equipment Control
  • 8.11.6 Computer Data and Media Disposal Policy
  • 8.12 Business Continuity
  • 8.12.1 Business Impact Analysis
  • 8.12.2 Disaster Recovery
  • 8.13 Information Security Incident Response

9 Regulations

  • 9.1 Family Educational Rights and Privacy Act
  • 9.2 Health Insurance Portability and Accountability Act
  • 9.3 Health Information Technology for Economic and Clinical Health Act
  • 9.4 International Traffic in Arms Regulations/Export Administration Regulations
  • 9.5 Gramm-Leach-Bliley Act for Disclosure of Non-public Personal Information
  • 9.6 Red Flag Rules
  • 9.7 Payment Card Industry Data Security Standard

10 Compliance

11 Related Policies & Procedures

12 ISP Revision History