IT Security Policy
Purpose
The IT (Information Technology) Security Policy provides the authority and requirements to protect all digital information and equipment at the Saint Louis Art Museum (SLAM). The policy contains definitive information on the prescribed measures used to establish and enforce the IT security program at SLAM.
SLAM is committed to protecting its visitors, partners, volunteers, staff, collections, and digital assets from damaging acts that are intentional or unintentional. Effective security is a team effort involving the participation and support of every SLAM user who interacts with electronic data and information systems. Therefore, it is the responsibility of every user to know these policies and to conduct their activities accordingly.
Protecting company information and the systems that collect, process, and maintain this information is of critical importance. Consequently, the security of information systems must include controls and safeguards to offset possible threats, as well as controls to ensure accountability, availability, integrity, and confidentiality of the data:
- Accountability – Accountability requires users to take responsibility for their activities and how they comply with data protection principles.
- Confidentiality – Confidentiality addresses preserving restrictions on information access and disclosure so that access is restricted to only authorized users and services.
- Integrity – Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
- Availability – Availability addresses ensuring timely and reliable access to and use of information.
Security measures must be taken to guard against unauthorized access, alteration, disclosure or destruction of SLAM data and information systems. This also includes accidental loss or destruction.
The purpose of the IT Security Policy is to prescribe the necessary elements of a comprehensive framework for:
- Creating an IT Security Program in accordance with industry standard best practices including NIST Cyber Security Framework (CSF) and ISO 27001.
- Protecting the confidentiality, integrity, and availability of SLAM data and information systems.
- Protecting SLAM, its employees, its visitors, donors, and collections from illicit use of SLAM information systems, data, and specifically, sensitive Personal Information.
- Ensuring the effectiveness of security controls over data and information systems that support SLAM’s operations.
- Recognizing the highly networked and cloud-hosted nature of the current computing environment and providing effective company-wide management and oversight of the related Information Security risks.
- Providing for development, review, and maintenance of industry standard security controls required to protect SLAM data and information systems.
This overarching IT Security Policy refers to subordinate policies describing each necessary element of the required framework. Each subordinate policy is a policy statement that can stand alone for guidance and enforcement by users.
The formation of the policies is driven by many factors, with the key factor being risk. These policies set the ground rules under which SLAM operates and safeguards its data and information systems to both reduce risk and minimize the effect of potential incidents. These policies, including their related standards, procedures, and guidelines, are necessary to support the management of information risks in daily operations. The development of policies provides due care to ensure SLAM users understand their day-to-day security responsibilities and the threats that could impact the company.
Implementing consistent security controls across the company will help SLAM comply with current and future legal obligations to ensure long term due diligence in protecting the confidentiality, integrity and availability of SLAM data.
Definitions
In the realm of IT security terminology, the National Institute of Standards and Technology (NIST) IR 7298, Revision 1, Glossary of Key Information Security Terms, is the primary reference document that SLAM uses to define common IT security terms. Key terminology to be aware of includes:
- Control: A term describing any management, operational, or technical method that is used to manage risk. Controls are designed to monitor and measure specific aspects of standards to help SLAM accomplish stated goals or objectives.
- CIA: Confidentiality, Integrity, and Availability of company information systems and the underlying electronic data.
- Systems: Information Technology systems (e.g., networks, operating systems, applications, and databases).
- Privileged User Accounts: Those accounts granted special access rights for particular business needs pursuant to approved procedures.
Scope and Governance
The IT Security Policy and the implementation of the IT Security Program are overseen by the SLAM IT Director, through the organizational reporting hierarchy to the Deputy Director and Controller Office.
These policies, standards and procedures apply to all SLAM electronic data, information systems, activities, and assets owned, leased, controlled, or used by SLAM, its agents, contractors, or other business partners on behalf of SLAM. These methods, policies, standards and procedures apply to all SLAM staff, contractors, sub-contractors, and their respective facilities supporting SLAM business operations, wherever SLAM data is stored or processed, including any third-party contracted by SLAM to handle, process, transmit, store, or dispose of SLAM data.
Some policies are explicitly stated for persons with a specific job function (e.g., a System Administrator); otherwise, all personnel supporting SLAM business functions shall comply with the policies.
The Security Program is governed by the IT Director with support from the IT group. The program will perform ongoing assessments of Information Security risks to the organization and continually evaluate protection priorities based on resulting risks. The program will take appropriate measures to detect, respond, and recover from Information Security events; and will report on the effectiveness of the program to the organization’s executive leadership and Board of Commissioners as appropriate.
The IT Director will establish metrics to measure the program’s progress throughout the year and report the progress to executive leadership.
This policy supersedes all previous Information Security policies and supplements other applicable SLAM policies. These policies do not, however, supersede any other applicable law or higher-level company directive in effect as of the effective date of this policy.
SLAM reserves the right to revoke, change, or supplement these policies, procedures, standards, and guidelines at any time without prior notice. Such changes shall be effective immediately upon approval, unless otherwise stated. Questions about how to implement the policy should be directed to the IT group. Changes will be posted to the internal policy website and common dissemination vehicles (such as Dayforce) within 10 business days of approval.
Security Program
To reduce the cybersecurity risk to the organization, SLAM is required to design, implement and maintain a coherent set of policies, standards and procedures (collectively the Security Program) to manage risks to its data and information systems. Users are required to protect and ensure the Confidentiality, Integrity, and Availability (CIA) of data and information systems, regardless of how data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system. Security controls must be designed and maintained to ensure compliance with all legal requirements.
Policy Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Every decision about the involvement of law enforcement with information security incidents or problems shall be made in conjunction with the Deputy Director and Controller, HR, and the Director’s Office, coordinating with the Assistant Director of Building Operations and Security. As part of establishing the roles and responsibilities for both information systems contingency planning and information systems recovery, working relationships with local emergency personnel (fire and rescue, utilities, etc.) and law enforcement should be closely coordinated with Building Security prior to any contingency requiring them.
Compliance Measurement
The IT Team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, monitoring, reports, internal and external audits, and inspection, and will provide feedback to the user and the appropriate business unit manager.
Exceptions
While every exception to a policy or standard potentially weakens protection mechanisms for information systems and underlying data, occasionally exceptions will exist. Any exception to the policy must be approved by the IT Director in advance.
Security Subordinate Policies
The SLAM Information Security Program is authorized by this IT Security Policy. In order for the program to properly protect SLAM digital assets and manage cybersecurity risks, the following sub-policies are required:
Information Security Policy | Main Audience
Appropriate Use | All Staff, Volunteers, and Contracts
Security Policy Awareness and Security Awareness Training | All Staff, Volunteers, and Contracts
Access Controls and Passwords | All Staff, Volunteers, and Contracts
Systems and Network Security Protections | All Staff, Volunteers, and Contracts
Removable Media Controls | All Staff, Volunteers, and Contracts
Mobile Device Access | All Staff, Volunteers, and Contracts
Asset Inventory | IT Staff
Disaster Recovery and Backup | IT Staff, Business Stakeholders
Systems and Application Development | IT Staff, Digital Media
Vendor and Service Provider Management | IT Staff, Procurement, Vendor Management / Legal
Remote Access | IT Staff
Risk Management | IT Staff, Controller
The policy table reflects the target audience for each of the sub-policies and indicates where broad user acknowledgment is necessary.
References
GLBA – Safeguard Rules for Written Information Security Program (WISP)
ISO 27001 – Written Information Security Policy
NIST CSF – Information Security Policy
Approval and Ownership
Owner | Title | Date
Phillip Deleel | IT Director | 03/29/2021
Approved By | Title | Date
Carolyn Schmidt | Deputy Director/Controller | 05/13/2021
Revision History
Version | Description | Revision Date | Review Date | Reviewer / Approver Name
1 | Final | 03/29/2021 | 05/13/2021 | Carolyn Schmidt
2 | Final | 06/29/2022 | 06/29/2022 | Phillip Deleel
3 | Review | | 7/14/2023 | Phillip Deleel
4 | Review | | 9/3/2024 | Phillip Deleel