HUIT Information Security Compliance
November 20, 2013
Information Security Compliance Report - Recap
• What is it?
  • An annual process through which we gather information regarding School and Central Admin compliance with Harvard Information Security Policy
• How is it conducted?
  • The process has two components:
    • An assessment template whose questions are aligned with policy
    • A cover letter to the University CIO in which the School CIOs, Central IT Directors, and HUIT Managing Directors describe their level of compliance, disclose any gaps, and describe remediation plans
• When are the reports due?
  • Both are due in February 2014.
• What do we gain from this process?
  • Understand the compliance status of each School and Central Admin unit; roll up to University level
  • Identify compliance challenges and risks and where we can assist
• What’s new this year?
  • Alignment with the University Risk Assessment process; each CIO will confirm that their report has been reviewed with their local School Risk Committee
HUIT’s Complex Role in Compliance
• HUIT has a University leadership role in Information Security
  • We are responsible for University Information Security Policy
  • We staff and manage the Cyber Security Center, detecting and responding to threats
  • We deploy the information security tools required for units to maintain compliance
  • We consult with Schools and units to identify and remediate risk
  • We own institutional compliance obligations (HIPAA, FERPA, DMCA, etc.)
• HUIT has a two-part role in Information Security Compliance reporting
  • As an IT service provider, we provide a HUIT Security Starter Kit for our customers, describing our security-related services
  • As a major IT unit, we respond to the annual assessment survey and have developed an appropriately ‘tiered’ approach for our organization
HUIT Security Starter Kit Process
• Step 1 (complete): We identified the groups providing security-related services and pre-populated an assessment template with relevant answers for the HUIT Security Starter Kit
  • Infrastructure
  • SOC
  • NOC
  • Support Services
  • Security
• Step 2 (in progress): We will identify other services HUIT provides to the University (e.g., web services, email) to include in the Security Starter Kit
• Step 3 (planned): We will work with HUIT customers as needed on completing their assessment
HUIT and FAS Response Process
• We developed a tiered approach that reflects the complexity of our responsibilities
• For HUIT
  • Most HUIT Managing Directors (MDs) will submit one response for their unit in Feb 2014
  • ATS and Infrastructure sub-groups will complete a spreadsheet
    • Each of these group leads will provide a cover letter to the MD
    • The letter will identify areas of non-compliance, risks, and accomplishments in the sub-group
  • The MD will provide us with a cover letter describing remediation activities
  • The MD will provide us with all spreadsheets and cover letters by Feb 1, 2014
• For FAS
  • High-risk units were identified and reviewed with Mary Ann Bradley
  • Each high-risk unit business lead, assisted by a HUIT security officer, will submit a spreadsheet and cover letter (cc to Mary Ann Bradley)
  • Each high-risk unit will confirm that the response has been reviewed with their Risk Committee chair
Central Administration Response Approach
• Units providing their own IT are included (e.g., Campus Services, HUPD, etc.)
• Senior business lead sends cover letter and confirms review with Risk Committee