Information Security

Information Security Program

Last modified 10/14/2020

Overview and Purpose

It is the mission of the Illinois State University Information Security Office (ISO) to (i) support the missions, goals, and objectives of the University, (ii) reduce the risk posed to the University due to loss, disruption, or corruption of information and information systems, and (iii) assure that the University is in compliance with applicable state, federal, and industry laws, rules, and regulations related to information security.

This document describes the institution-wide information security program that implements, controls, and maintains the functions, procedures, and standards supported or managed by the ISO in its mission.

Framework

To ensure that the information security program is efficient and effective, the University has chosen to align with the standards and frameworks published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Most notably, this program is modeled after the NIST Cybersecurity Framework (CSF).

  • NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) integrates industry standards and best practices to help organizations manage their cybersecurity risks. It provides a common language that allows staff at all levels within an organization—and at all points in a supply chain—to develop a shared understanding of their cybersecurity risks.

The Framework not only helps organizations understand their cybersecurity risks (threats, vulnerabilities and impacts), but how to reduce these risks with customized measures. The Framework also helps them respond to and recover from cybersecurity incidents, prompting them to analyze root causes and consider how they can make improvements.

Source: https://www.nist.gov/industry-impacts/cybersecurity-framework


Functions

The following functions of the information security program align directly with the five Functions of the NIST CSF (version 1.1): Identify, Protect, Detect, Respond, and Recover. The activity categories managed by each function are listed in its section. Given the breadth and depth of these functions, many of them operate in conjunction with each other; for example, the monitoring performed under Detect both feeds the Respond function and verifies the safeguards put in place under Protect.

  • Identify

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Asset Management

The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Business Environment

The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

Governance

The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Risk Assessment

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Risk Management Strategy

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Supply Chain Risk Management

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

  • Protect

Develop and implement appropriate safeguards to ensure delivery of critical services.

Identity Management, Authentication and Access Control

Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. This category also covers the authentication mechanisms used to establish the identity of users, processes, and devices before access is granted.

Awareness and Training

The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

Data Security

Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Information Protection Processes and Procedures

Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Maintenance

Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

Protective Technology

Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

  • Detect

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

Anomalies and Events

Anomalous activity is detected and the potential impact of events is understood.

Security Continuous Monitoring

The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

Detection Processes

Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

  • Respond

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

Response Planning

Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity incidents.

Communications

Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).

Analysis

Analysis is conducted to ensure effective response and support recovery activities.

Mitigation

Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.

Improvements

Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

  • Recover

Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Recovery Planning

Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.

Improvements

Recovery planning and processes are improved by incorporating lessons learned into future activities.

Communications

Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).

Key Roles and Responsibilities

Information security is a shared responsibility that must be integrated into all aspects of the University's administrative and academic operations. This section describes the specific roles and responsibilities involved in securing information and supporting the information security program.

  • Chief Information Security Officer

The Chief Information Security Officer (CISO) is the designated individual responsible for the coordination of the information security program. They are also responsible for the development, implementation, and maintenance of the program components.

  • Information Security Staff

The information security staff of the University are responsible for promoting awareness of this program and its underlying functions, procedures, and standards. They are also responsible for direct action within various activities of the information security program.

  • IT Staff

The IT staff of the University are responsible for operating in accordance with this program for the systems and data they directly support, maintain, and manage.

Applicable Laws, Rules, and Regulations

This policy seeks to ensure compliance with applicable state and federal laws, rules, and regulations.

  • Applicable Laws, Rules, and Regulations

The following is a non-exhaustive list of applicable laws, rules, and regulations used to inform the creation of this policy:

  • Illinois Freedom of Information Act (5 ILCS 140)
  • Illinois Identity Protection Act (5 ILCS 179)
  • Illinois Personal Information Protection Act (815 ILCS 530)
  • The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
  • Federal Bureau of Investigation Criminal Justice Information Services (CJIS) Security Policy
  • Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
  • Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems
  • Federal Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies
  • Federal Information Security Modernization Act of 2014, which amends the Federal Information Security Management Act of 2002 (FISMA)
  • Freedom of Information Act (FOIA), 5 U.S.C. § 552, as amended by Public Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act
  • Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999
    • In accordance with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA), the University must develop, implement, and maintain an information security program.
    • As defined under GLBA, an information security program is the administrative, technical, and physical safeguards in place to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer (student) information.

  • Health Insurance Portability and Accountability Act (P.L. 104-191)
  • National Institute of Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
  • Payment Card Industry (PCI) Data Security Standard (DSS)
  • Privacy Act of 1974 (P.L. 93-579)
  • State Officials and Employees Ethics Act (5 ILCS 430)

Glossary

To assist in the awareness and understanding of key terms used within the information security program, the following glossary has been compiled for reference using the same language provided in the NIST CSF specification.

Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.

Cybersecurity: The process of protecting information by preventing, detecting, and responding to attacks.

Cybersecurity Event: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).

Cybersecurity Incident: A cybersecurity event that has been determined to have an impact on the organization, prompting the need for response and recovery.

Privileged User: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Supplier: Product and service providers used for an organization's internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization's users.