1 / 23

What the Campus IT Security Policy Means for You

Learn about the new collaborative and risk-based systemwide policy at UC, including terminology, protection levels, roles & responsibilities, and next steps for compliance. Contact jdenune@uci.edu for more info.

maryj
Download Presentation

What the Campus IT Security Policy Means for You

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. What the Campus IT Security Policy Means for You John Denune OIT Security Risk and Compliance Program Manager

  2. UC Electronic Information Security Policy IS-3 2007

  3. Goals for a new systemwide policy

  4. More collaborative across the UC system But still retain local campus control

  5. A more uniform approach to information security

  6. A risk based approach to security Additional controls applied where there is more risk

  7. Consistent terminology

  8. The New IS-3

  9. The development of the new IS-3 • Years in the making • Collaborative effort from most campuses and medical centers • Draft review May 2017, signed September 2018 • Intended as a minimum baseline • Locations can add controls as appropriate • Shared security responsibilities with defined roles and accountability • Risk-based approach with scoped control language • Multiple ways to comply with a documented exception approval process • Implemented as a single policy with nine supporting standards

  10. IS-3 standards • IT Resource Classification • Minimum Security • Accounts and Authentication • Encryption Keys and Certificates • Event Logging • Secure Software Development • Secure Software Configuration • Incident Response • Disposal of Institutional Information

  11. IS-3 Terminology

  12. Institutional Information and IT Resources • Institutional Information - A term that broadly describes all data and information created, received and/or collected by UC. • IT Resource - A term that broadly describes IT infrastructure, software and/or hardware with computing and networking capability.

  13. Locations and Units • Location - A discrete organization or entity governed by the Regents of the University of California. • Unit - A point of accountability and responsibility that results from creating/collecting or managing/possessing Institutional Information or installing/managing IT Resources.

  14. Protection Levels

  15. Protection Levels • Includes both Confidentiality and Integrity • Protection Level may change depending on the context • Not just for data anymore! • Includes both Institutional Information as well as IT Resources • Sometimes more than the sum of the parts • How many records are involved? • How comprehensive is the information? • Are there risks for specific use cases? Understanding Protection Levels is key to understanding IS-3

  16. Availability Levels

  17. Roles and Responsibilities

  18. Workforce Member • An employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer, or person working for UC in any capacity or other augmentation to UC staffing levels.

  19. Unit Head and UISL’s • Unit Head - A person in a senior role who has the authority to allocate budget and is responsible for Unit performance and administration. Examples: deans, department chairs, VC’s or AVC’s, principal investigators, directors, senior directors, or senior managers. • Unit Information Security Lead (UISL) - The Workforce Member(s) assigned responsibility for tactical execution of information security activities including, but not limited to: implementing security controls; reviewing and updating Risk Assessments and Risk Treatment Plans; devising procedures for the proper handling, storing and disposing of electronic media within the Unit; and reviewing access rights.

  20. Proprietor • The individual, group, committee or board responsible for Institutional Information, IT Resources and/or processes supporting a University function. Proprietor responsibilities include, but are not limited to: ensuring compliance with University policy regarding the classification, protection, access to, location, and disposition of Institutional Information and IT Resources including the release of Institutional Information according to procedures established by UC, the Location, or the Unit, as applicable to the situation.

  21. Next Steps

  22. Next steps for UCI • Align UCI policy, standards and processes to IS-3 • New documentation • Policy, standards, procedures, guidelines (simplify!) • Campus feedback • Create crosswalks and addendums for other compliance needs • PCI, CJIS, NIST 800-171, etc. • Documented risk exception and acceptance processes • New risk assessment processes and tools • EIR, SRAQ, etc. • Create new risk treatment plans • Training and awareness (and even more training and awareness)

  23. Questions? jdenune@uci.edu

More Related