Presentation is loading. Please wait.

Presentation is loading. Please wait.

Peer Information Security Policies: A Sampling Summer 2015.

Published byTeresa Harris Modified over 8 years ago

Similar presentations

Presentation on theme: "Peer Information Security Policies: A Sampling Summer 2015."— Presentation transcript:

1 Peer Information Security Policies: A Sampling Summer 2015

2 Universities, with Rankings ARWUAR-EngAR-MedAR-CSQSQS-EEngQS-CS Harvard13214444 Oxford951-7514255103 UWash15303466551-10020 Toronto24 2710202716 UBC37101-150 414351-10024 Purdue6014101-150211024351-100 CMU6210n.r.765274

3 All Have: Data Classification Classification of data risk sensitivity. 3 levels most common, up to five. Names not standard: “Restricted, Private, Public” “Confidential, Restricted, Public” “Restricted, Sensitive, Public” “Level 5, level 4, level 3, level 2, level 1”

4 UBC Policy CIO develops and issues Information Security Standards “which must be consistent with this policy” “The University is committed to the principle of academic freedom. This policy should be interpreted in that context.” “Academic and administrative units that wish to deviate from the Information Security Standards are required to request the authorization of the CIO before proceeding”

5 UBC Oversight Advisory committee established by the CIO, consists of “representatives from the Office of the University Counsel, Human Resources, Faculty Relations, and the units responsible for maintaining and/or operating significant UBC Electronic Information and Systems” “If a disagreement arises and cannot be resolved in a timely manner between the CIO and the head of an academic or administrative unit in respect of the requested deviation then either party may refer the disagreement to the relevant Responsible Executive, who will decide the matter.” The responsible Executive for Security is the Provost and Vice- President Academic

6 U Washington Policy Chief Information Security Officer responsible for “creation and maintenance of UW information security and privacy policies” Unit heads responsible for risks to own units’ assets Information Security Plan required for units. A set of (26) controls must be present (policy doesn’t specify what they must be, only that they must be present) Change and configuration management. Flaw remediation process. Remote access procedure. Monitoring capability for critical systems …

7 U Washington Oversight Privacy Assurance and Systems Security (PASS) Council “promotes a collaborative approach to information security and privacy” Develop, implement and maintain University-wide strategic plans… policies, standards, guidelines and operating procedures related to University technology and institutional information in any form (e.g. electronic or paper) Senior officials and management staff representing key areas of the university (e.g. Registrar, Chief of police, IT Director for Medicine, etc.)

8 Harvard University Policy All users of confidential information need to follow a set of specified controls (password protection, limit use to authorized users, etc.). Stricter controls for higher-risk information. All schools and major units produce annual Information Security Assessment. Assessment consists of accountability questions Yearly meeting with University Information Security Officer Annual inventory of servers with “level 4” data (SSN, credit card, bank account etc.)

9 Harvard University Oversight CIO Council Members are IT leads of schools within Harvard “lead and advance university-wide IT strategies, policies and standards”… Harvard Academic Computing Committee (HACC) Faculty and senior IT administrators from across the University “frames academic IT principles, policies, and standards that have University-wide impact”

10 Oxford University Policy “Given the University’s devolved structure, heads of Department are responsible for information security within their departments.” Department must have local information security policy. Risk assessment required: “Degree of security control required depends on the sensitivity or criticality of the information”. “Given the devolved nature of the University’s structure, the risk assessment should be carried out in the first instance by departments… the departmental assessment must be consistent with the general principles in this section. ” Head of department must approve the policy, ensure it is implemented, and kept under regular review.

11 Oxford University Oversight Council has ultimate responsibility for information security within the University. Council is the governing body of the University. PRAC ICT sub-committee (PICT) or a future equivalent body responsible to Council for user awareness, adequate resources, monitoring compliance, regular policy reviews, ensuring management support. Information Technology Committee, reporting directly to Council, replaced PICT in 2012.

12 CMU Policy “All Institutional Data shall be protected in a manner that is considered reasonable and appropriate…” “Any Information System that stores, processes or transmits Institutional Data shall be secured in a manner that is considered reasonable and appropriate…” Individuals who are authorized to access Institutional Data shall adhere to the appropriate Roles and Responsibilities...”

13 CMU Oversight “… as defined in documentation approved by the Executive Steering Committee on Computing (ESCC) and maintained by the Information Security Office” ESCC: committee appointed by Provost and includes: Provost, Vice Provost for Computing and Chief Information Officer, Vice President and General Counsel, Vice President and Chief Financial Officer, Vice President for Campus Services, Vice President for University Advancement, Vice President for Research, two academic deans appointed by the Provost, a member appointed by the Administrative Leadership Group and the Executive Director of Computing Services.

14 Purdue University Policy University Vice Presidents are “Information Owners” Information Owner is the “unit administrative head who is the final authority and decision maker with respect to data used in university business” Information Owner provides “policies and guidelines for the proper use of the information and may delegate… [their] interpretation and implementation” CIO serves as (or designates an) Information owner for “enterprise- wide directories and applications that serve a multitude of university functions and do not have a cross-functional team that acts as the Information Owner” Data Stewards are “responsible for facilitating the interpretation and implementation of data policies and guidelines” Data Custodians are “responsible for implementing the policies and guidelines”

15 Purdue University Oversight Intrinsic: University Vice Presidents are the Information Owners Data handing security requirements are reviewed by Data Stewards and Information Owners “at least annually and/or whenever significant changes are made to data or systems.”

16 Peer University Observations Highly variable approaches to policy and oversight. Some interesting ideas worth looking at more closely.

Download ppt "Peer Information Security Policies: A Sampling Summer 2015."

Similar presentations

Board Governance: A Key to Quality Organizations

Board Governance: A Key to Quality Organizations
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Cash Collection and Deposit Training Financial Services.

Cash Collection and Deposit Training Financial Services.
1 Governance, Leadership and Management in Universities Gareth Evans, Chancellor, Australian National University What is the shape of power in university.

1 Governance, Leadership and Management in Universities Gareth Evans, Chancellor, Australian National University What is the shape of power in university.
Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,

Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Auditing, Assurance and Governance in Local Government

Auditing, Assurance and Governance in Local Government
Proposal for the Process of Faculty Selection to Committees in the School of Undergraduate Studies History As the School of Undergraduate Studies (UGS)

Proposal for the Process of Faculty Selection to Committees in the School of Undergraduate Studies History As the School of Undergraduate Studies (UGS)
Core principles in the ASX CGC document. Which one do you think is the most important and least important? Presented by Casey Chan Ethics Governance &

Core principles in the ASX CGC document. Which one do you think is the most important and least important? Presented by Casey Chan Ethics Governance &
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Risk Management at ANZ Banking Group Jun 18, 2008 Patrick Zhu Head of Retail Risk China Partnerships.

Risk Management at ANZ Banking Group Jun 18, 2008 Patrick Zhu Head of Retail Risk China Partnerships.
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
University Council Shared Leadership for Integrated Planning and Consultative Decision-Making.

University Council Shared Leadership for Integrated Planning and Consultative Decision-Making.
University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.
Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.

Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.

Similar presentations

Ads by Google