Information Security Policy
Security of information assets of MAHE is of paramount importance. We are committed to maintaining the confidentiality, integrity and availability of these assets at all times through controls commensurate with the nature of the information assets and their value.
The MISP provides a management directive for information security and recommends appropriate security controls that need to be implemented to maintain and manage information security in MAHE by:
- Establishing and maintaining an Information Security Program consisting of an Information Security Policy document, supporting Procedures and a Risk Management Framework;
- Ensuring that the designed policies and related procedures align themselves to the Risk Management Framework;
- Ensuring that Risk Assessment is performed on a periodic basis to identify & minimize the impact of the risks, posed by various threats and vulnerabilities, to an acceptable level across the universities associated with MAHE;
- Deploying appropriate technology, resources and infrastructure at MAHE for a reasonable, practical and affordable level of protection required for MAHE’s information and information technology;
- Establishing a documentation framework that details all the information and information assets to support effective implementation of this policy;
- Educating Users on MISP, its supporting normative standards, and guidelines;
- Ensuring that Users handle, distribute and dispose of information as mandated in the Information Classification and Handling Policy;
- Identifying, classifying and protecting the confidentiality, integrity and availability of the information during all stages of the information life cycle;
- Ensuring that access to information and information technology assets is controlled, monitored, and authorized based upon the user’s identified job function, ‘need-to-know’ and ‘need-to-perform’ criteria;
- Improving the effectiveness of the Information Security program by performing constant monitoring, review, exception-reporting and taking appropriate corrective & preventive actions;
- Ensuring that compliance violations are documented, reported and investigated by authorized personnel or team at MAHE;
- Creating and maintaining a security conscious culture across MAHE and its associated universities;
- Ensuring conformance to all information security requirements specified by University/ internal functional owners in adherence to regulatory requirements; and
- Ensuring that information security management system requirements are integrated into academic processes. Ensuring that the information security policies are reviewed and revised annually based on academic and/or technological requirements. The revised and approved documents must be published on the internal/intranet portal.
Review and Evaluation
The MISP document must be reviewed at the time of any major change(s) in the existing environment affecting policies and procedures or once every year, whichever is earlier. The MISP document must be reviewed by the Assistant/Deputy Director, IT and approved by the Information Security Steering Committee (hereafter referred to as ‘ISSC’). The reviews must be carried out for assessing the following:
- Impact on the risk profile due to, but not limited to, the changes in information assets, deployed technology/ architecture, regulatory and/ or legal requirements; and
- The effectiveness of the policies.
As a result of the reviews, additional policies could be issued and/ or existing policies could be updated, as required. These additions and modifications would be incorporated into the MISP document. Policies that are identified to be redundant must be withdrawn.