Slide 1: Peer Information Security Policies: A Sampling (Summer 2015)
Slide 2: Universities, with Rankings

Columns: ARWU (overall), AR-Eng, AR-Med, AR-CS (ARWU subject rankings for engineering, medicine and computer science), QS (overall), QS-EEng, QS-CS (QS subject rankings for electrical engineering and computer science). A blank cell is blank in the source; n.r. = not ranked.

University   ARWU   AR-Eng    AR-Med    AR-CS   QS    QS-EEng   QS-CS
Harvard      1      32        1         4       4     4         4
Oxford       9      51-75     14        25      5     10        3
UWash        15     30        3         46      65    51-100    20
Toronto      24               27        10      20    27        16
UBC          37     101-150             41      43    51-100    24
Purdue       60     14        101-150   21      102   43        51-100
CMU          62     10        n.r.      7       65    27        4

(The Harvard row's digits run together in the source as "13214444"; the split shown above is an inference, as is the placement of the blank cells in the Toronto and UBC rows.)
Slide 3: All Have: Data Classification
Classification of data by risk sensitivity. Three levels is most common; some schemes use up to five.
Names are not standard:
"Restricted, Private, Public"
"Confidential, Restricted, Public"
"Restricted, Sensitive, Public"
"Level 5, Level 4, Level 3, Level 2, Level 1"
Slide 4: UBC Policy
The CIO develops and issues Information Security Standards "which must be consistent with this policy."
"The University is committed to the principle of academic freedom. This policy should be interpreted in that context."
"Academic and administrative units that wish to deviate from the Information Security Standards are required to request the authorization of the CIO before proceeding."
Slide 5: UBC Oversight
An advisory committee established by the CIO consists of "representatives from the Office of the University Counsel, Human Resources, Faculty Relations, and the units responsible for maintaining and/or operating significant UBC Electronic Information and Systems."
"If a disagreement arises and cannot be resolved in a timely manner between the CIO and the head of an academic or administrative unit in respect of the requested deviation then either party may refer the disagreement to the relevant Responsible Executive, who will decide the matter."
The Responsible Executive for Security is the Provost and Vice-President Academic.
Slide 6: U Washington Policy
The Chief Information Security Officer is responsible for the "creation and maintenance of UW information security and privacy policies."
Unit heads are responsible for risks to their own units' assets.
An Information Security Plan is required for each unit. A set of 26 controls must be present; the policy does not specify what each control must consist of, only that it must exist. Examples:
Change and configuration management
Flaw remediation process
Remote access procedure
Monitoring capability for critical systems
...
Slide 7: U Washington Oversight
The Privacy Assurance and Systems Security (PASS) Council "promotes a collaborative approach to information security and privacy."
It develops, implements and maintains University-wide strategic plans... policies, standards, guidelines and operating procedures related to University technology and institutional information in any form (e.g. electronic or paper).
Membership: senior officials and management staff representing key areas of the university (e.g. Registrar, Chief of Police, IT Director for Medicine, etc.).
Slide 8: Harvard University Policy
All users of confidential information must follow a set of specified controls (password protection, limiting use to authorized users, etc.), with stricter controls for higher-risk information.
All schools and major units produce an annual Information Security Assessment, consisting of:
accountability questions;
a yearly meeting with the University Information Security Officer;
an annual inventory of servers holding "Level 4" data (SSNs, credit card numbers, bank account numbers, etc.).
Slide 9: Harvard University Oversight
CIO Council: members are the IT leads of the schools within Harvard; its charge is to "lead and advance university-wide IT strategies, policies and standards."
Harvard Academic Computing Committee (HACC): faculty and senior IT administrators from across the University; it "frames academic IT principles, policies, and standards that have University-wide impact."
Slide 10: Oxford University Policy
"Given the University's devolved structure, heads of Department are responsible for information security within their departments."
Each department must have a local information security policy.
A risk assessment is required: "Degree of security control required depends on the sensitivity or criticality of the information."
"Given the devolved nature of the University's structure, the risk assessment should be carried out in the first instance by departments... the departmental assessment must be consistent with the general principles in this section."
The head of department must approve the policy, ensure it is implemented, and keep it under regular review.
Slide 11: Oxford University Oversight
Council, the governing body of the University, has ultimate responsibility for information security within the University.
The PRAC ICT sub-committee (PICT), or a future equivalent body, is responsible to Council for user awareness, adequate resources, monitoring compliance, regular policy reviews, and ensuring management support.
The Information Technology Committee, reporting directly to Council, replaced PICT in 2012.
Slide 12: CMU Policy
"All Institutional Data shall be protected in a manner that is considered reasonable and appropriate..."
"Any Information System that stores, processes or transmits Institutional Data shall be secured in a manner that is considered reasonable and appropriate..."
"Individuals who are authorized to access Institutional Data shall adhere to the appropriate Roles and Responsibilities..."
Slide 13: CMU Oversight
The policy language quoted on the previous slide continues: "... as defined in documentation approved by the Executive Steering Committee on Computing (ESCC) and maintained by the Information Security Office."
The ESCC is a committee appointed by the Provost and includes: the Provost; the Vice Provost for Computing and Chief Information Officer; the Vice President and General Counsel; the Vice President and Chief Financial Officer; the Vice President for Campus Services; the Vice President for University Advancement; the Vice President for Research; two academic deans appointed by the Provost; a member appointed by the Administrative Leadership Group; and the Executive Director of Computing Services.
Slide 14: Purdue University Policy
University Vice Presidents are "Information Owners."
An Information Owner is the "unit administrative head who is the final authority and decision maker with respect to data used in university business."
The Information Owner provides "policies and guidelines for the proper use of the information and may delegate... [their] interpretation and implementation."
The CIO serves as (or designates) the Information Owner for "enterprise-wide directories and applications that serve a multitude of university functions and do not have a cross-functional team that acts as the Information Owner."
Data Stewards are "responsible for facilitating the interpretation and implementation of data policies and guidelines."
Data Custodians are "responsible for implementing the policies and guidelines."
Slide 15: Purdue University Oversight
Oversight is intrinsic to the ownership model: University Vice Presidents are the Information Owners.
Data handling security requirements are reviewed by Data Stewards and Information Owners "at least annually and/or whenever significant changes are made to data or systems."
Slide 16: Peer University Observations
Highly variable approaches to policy and oversight.
Some interesting ideas worth looking at more closely.