The U. T. System Action Plan to Enhance Information Security Compliance: The Compliance Role
Institutional Compliance Advisory Council (ICAC), March 26, 2007
Lewis Watkins, CISSP, lwatkins@utsystem.edu
3-7-2007
PCI · HIPAA · FERPA · TAC 202 · GLB · SOX
What do we mean by “Information Security Compliance”?
The Mission:
1) Comply with regulations having information security requirements.
2) Protect the University and meet our obligations to the people we serve.
Program Implementation Roadmap
• Technology
• Standards
• Oversight
Some High Level Strategies
• Change culture to heighten awareness and concern about information security
• Define Information Security Program expectations and requirements
• Improve reporting and communications
• Ensure appropriate training occurs
• Deploy appropriate technologies
Action Plan Implementation Communications
• Chancellor wants verifiable information.
• Automated reporting is desirable.
• Multiple perspectives are appreciated.
• UT System will look for institutional information from three perspectives:
  • Information Security Office (CISO reports)
  • Internal Audit Office
  • Compliance Office
Institutional Information Security Compliance Communications (organization chart: Audit Committee, Compliance Committee, Internal Audit, Compliance, President, Central IT / IRM/CIO, CISO and Departments (ISA); flows shown include risks, monitoring plans, reports, inspections, audits, services, training, alerts and warnings)
• CISO reports to IRM/CIO.
• IRM/CIO should report to President or other executive officer.
• CISO has access to President if needed.
• CISO communicates to Departments.
• Compliance works to ensure high risks are identified and monitored.
• Internal Audit performs audits based on risk.
Institutional Information Security Compliance Communications, revised (same chart, with added flows to the CISO: risks, server registrations, reported vulnerabilities, ISA meetings and interventions)
• NEW: Department IT audit reports will be sent to the institutional CISO and the UT System CISO for review and follow-up if necessary.
• NEW: CISO will receive risks, server registrations and reported vulnerabilities. CISO will provide and receive information at ISA meetings, and will meet with departments as needed to address critical audit findings.
System-wide Information Security Compliance Communications (flow chart: UT Institution CISO, Audit and Compliance; UT System CISO Council and UT System Audit Office; Chancellor, Executive Compliance Committee, BMC, SLC, UT-FAC, UT-SAC, UT-EAC; and the Audit, Compliance and Management Review Committee of the Board of Regents, receiving incident reports, quarterly reports and IT audit reports)
• Institutions submit reports.
• Reports are reviewed and acted upon as needed. Reports will be analyzed to determine program compliance and areas of potential high risk needing intervention, with feedback and follow-up to the CISO and Departments.
• CISO reports quarterly to the Chancellor, ECC, and BOR – ACMR.
• CISO converses with the university community.
Specific Compliance Responsibilities
• Ensure training occurs:
  • General information security compliance training for all employees
  • Annual specialized training for Information Owners and Information Security Administrators (ISAs)
  • ISO and ISA training regarding applicable regulations
• Monitoring the Information Security Program
• Inspections
• Reporting
Reporting
This is a work in progress. Reporting elements will evolve to reflect the Information Security Program standards defined by the CISO Council. We need to work together to reduce any redundancy in reporting.
Initial Institutional Reporting
• Reporting relationships of the IRM and CISO.
• Communications and assertion of the institutional CISO’s institution-wide authority.
• Activities relating to budget preparations for information security.
• Appointment of Information Security Administrators (ISAs).
• Scheduling of ISA meetings.
• Current status of the institution’s security training.
• Current status of the institution’s Risk Assessment & Information Security Plan.
Future Reporting will focus on:
• Implementation of System Action Plan elements.
• Information Security Program elements as defined by the CISO Council.
• Implementation of institutional action, training and monitoring plans.
Questions?
Lewis Watkins, CISSP, lwatkins@utsystem.edu