1 / 7

HUIT Information Security Compliance

HUIT Information Security Compliance. November 20, 2013. Information Security Compliance Report - Recap. What is it? An annual process through which we gather information regarding School and Central Admin compliance with Harvard Information Security Policy How is it conducted?

carrie
Download Presentation

HUIT Information Security Compliance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HUIT Information Security Compliance November 20, 2013

  2. Information Security Compliance Report - Recap • What is it? • An annual process through which we gather information regarding School and Central Admin compliance with Harvard Information Security Policy • How is it conducted? • The process has two components: • An assessment template whose questions are aligned with policy • A cover letter to the University CIO in which the School CIOs, Central IT Directors, and HUIT Managing Directors describe their level of compliance, disclose any gaps, and describe remediation plans • When are the reports due? • Both are due in February, 2014. • What do we gain from this process? • Understand the compliance status of each School and Central; roll up to University level • Identify compliance challenges and risks and where we can assist • What’s new this year? • Alignment with the University Risk Assessment process; each CIO will confirm that their report has been reviewed with their local School Risk Committee

  3. HUIT’s Complex Role in Compliance • HUIT has a University leadership role in Information Security • We are responsible for University Information Security Policy • We staff and manage the Cyber Security Center, detecting and responding to threats • We deploy the information security tools required for units to maintain compliance • We consult with Schools and units to identify and remediate risk • We own institutional compliance obligations (HIPAA, FERPA, DMCA etc.) • HUIT has a two-part role in Information Security Compliance reporting • As an IT service provider, we provide a HUIT Security Starter Kit for our customers, describing our security related services • As a major IT unit, we respond to the annual assessment survey and have developed an appropriately ‘tiered’ approach for our organization

  4. HUIT Security Starter Kit Process • Step 1 (complete): We identified the groups providing security-related services and pre-populated an assessment template with relevant answers for the HUIT Security Starter Kit • Infrastructure • SOC • NOC • Support Services • Security • Step 2 (in progress): We will identify other services HUIT provides to the University (e.g. web services, email) to include in the Security Starter Kit • Step 3 (planned): We will work with HUIT customers as needed on completing their assessment

  5. HUIT and FAS Response Process • We developed a tiered approach that reflects the complexity of our responsibilities • For HUIT • Most HUIT Managing Directors (MDs) will submit one response for their unit in Feb, 2014 • ATS and Infrastructure sub-groups will complete a spreadsheet • Each of these group leads will provide a cover letter to the MD • The letter will identify areas of non-compliance, risks, and accomplishments in the sub-group • The MD will provide us with a cover letter describing remediation activities • The MD will provide us with all spreadsheets and cover letters by Feb 1, 2014 • For FAS • High risk units were identified and reviewed with Mary Ann Bradley • Each high risk unit business lead, assisted by a HUIT security officer, will submit a spreadsheet and cover letter (cc to Mary Ann Bradley) • Each high risk unit will confirm that the response has been reviewed with their Risk Committee chair

  6. Central Administration Response Approach • Units providing their own IT are included (e.g. Campus Services, HUPD, etc) • Senior business lead sends cover letter and confirms review with Risk Committee

  7. Senior Leadership Recommendations and Questions

More Related