Technical Division Policies - Information Security

§1. Definition of Terms

  1. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in the IETF’s RFC 2119, excluding the changes made in RFC 8174 (both UPPERCASE and lowercase usage of the key words have the defined special meanings).

§2. Authority to Enforce

Epoch Bylaws - Title 2, Chapter 1

§3. Classifications

The following set of classifications shall be used to classify Epoch data and systems:

  1. Low Risk

  2. Medium Risk

  3. High Risk

§3.1 Definition of Low Risk data and systems

Low risk data and systems are defined as those that are not medium or high risk, and:

  1. The data is intended to be publicly disclosed at some future time, or,

  2. The information would not severely harm the reputation, mission, or safety of Epoch.

Examples

Examples of low risk data may include, but are not limited to, the following:

  • Public policies

  • Directory information

  • Course information

  • Public information

  • Open-source code

  • Research data stored on Epoch systems (at the data owner’s option)

Examples of low risk systems may include, but are not limited to, the following:

  • Epoch Wiki

  • Helpdesk tickets, excluding account issuance

  • monday.com

  • Link Shortener

§3.2 Definition of Medium Risk data and systems

Medium risk data and systems are defined as those that are not high risk, and:

  1. The data is not available to the general public, or to the Epoch community, without access restrictions, or,

  2. The information could have a slightly adverse impact on the reputation, mission, or safety of Epoch.

Examples

Examples of medium risk data may include, but are not limited to, the following:

  • Non-public policies

  • Non-public documentation

  • Epoch IDs/accounts with associated identifying information

  • Non-public donor information

  • Proprietary source code

  • Financial information not already made public as part of compliance with IMSA policies

  • Unpublished research data stored on Epoch systems (at the data owner’s option)

Examples of medium risk systems may include, but are not limited to, the following:

  • Epoch Cluster

  • Account issuance helpdesk tickets

  • Azure AD

  • MaaS

§3.3 Definition of High Risk data and systems

High risk data and systems are defined as those that:

  1. Contain or process information which is required to be protected by law/regulation,

  2. Epoch is required to report to external parties the unauthorized or inappropriate access of the data or systems, or,

  3. Contain information that could have a gravely adverse impact on the reputation, mission, or safety of Epoch.

Examples

Examples of high risk data may include, but are not limited to, the following:

  • Security-focused proprietary source code

  • Export controlled information

  • Epoch credentials with access to medium or high-risk information

Examples of high risk systems may include, but are not limited to, the following:

  • Active Directory

  • Bitwarden

§4. Collaboration with IMSA IT and Other Parties

The Epoch Technical Division shall collaborate with members of the IMSA IT department, as well as other technical experts in the industry, to improve and expand upon these guidelines as is necessary to remain in compliance with industry best practices. These policies shall also be modified as necessary to remain compliant with Illinois State guidelines.

Changelog

  1. Adopted: February 20, 2021

  2. Amended: March 18, 2021

  3. Amended: December 14, 2021