Effective: 12/31/17 Last Revised: 8/28/17. Responsible University Administrator: Vice Chancellor for Information Services & CIO

Similar documents
OneUConn IT Service Delivery Vision

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

The University of Queensland

Standard for Security of Information Technology Resources

STRATEGIC PLAN

Accelerate Your Enterprise Private Cloud Initiative

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

NEN The Education Network

Number: USF System Emergency Management Responsible Office: Administrative Services

INFORMATION TECHNOLOGY ONE-YEAR PLAN

Vulnerability Management Policy

Cyber Security Program

Information Technology Branch Organization of Cyber Security Technical Standard

Simplifying IT through Virtualization

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Security Awareness, Training, And Education Plan

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Keys to a more secure data environment

Subject: University Information Technology Resource Security Policy: OUTDATED

Information Security Controls Policy

Cyber Security Strategy

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

General Information Technology Controls Follow-up Review

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

DETAILED POLICY STATEMENT

SECURITY PLAN CREATION GUIDE

IT Governance Framework at KIT

Overcoming IT Challenges in the Education Segment Leveraging Cloud and On-Premise Resources for Maximum Impact

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

Sage Data Security Services Directory

IT Governance Committee Review and Recommendation

MSU IT Update. Rob McCurdy Chief Information Officer

Information Security Controls Policy

DRAFT 2012 UC Davis Cyber-Safety Survey

State Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017

STRATEGIC IT ACCOUNTABILITY BOARD (SITAB) MEETING NOTES WEDNESDAY, SEPTEMBER 8, 2010

The CISO is the owner of the vulnerability management process. This person designs the process and ensures is implemented as designed.

Cybersecurity and the Board of Directors

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

How Cisco IT Improved Development Processes with a New Operating Model

Symantec Data Center Migration Service

Centralized Directory Services and Accounts Management Project

CA Security Management

Symantec Security Monitoring Services

DIGITAL TRUST Making digital work by making digital secure

IT Town Hall Meeting. IT Town Hall - October 6,

University of Hawaii REQUEST FOR INFORMATION Strategic Communication Service Platform

Information Security Data Classification Procedure

Computing Accreditation Commission Version 2.0 CRITERIA FOR ACCREDITING COMPUTING PROGRAMS

BFB-IS-3: Electronic Information Security

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Minimum Security Standards for Networked Devices

Security and Privacy Governance Program Guidelines

Table of Contents. Sample

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

The Center for Internet Security

College of Agricultural Sciences UNIT STRATEGIC PLANNING UPDATES MARCH 2, Information Technologies

Master Information Security Policy & Procedures [Organization / Project Name]

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

UW-Madison Cybersecurity Risk Management Policy

Effective energy management services for all your needs

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

SYSTEMS ASSET MANAGEMENT POLICY

UF CEMP Support Group Annex: IT Group

Background FAST FACTS

POLICY 8200 NETWORK SECURITY

Information technology statement of directions

Training and Certifying Security Testers Beyond Penetration Testing

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Information Technology General Control Review

Higher Education Privacy Update

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

The NIS Directive and Cybersecurity in

Run the business. Not the risks.

Virginia Commonwealth University School of Medicine Information Security Standard

Information Security Incident Response and Reporting

INTELLIGENCE DRIVEN GRC FOR SECURITY

IT Consulting and Implementation Services

STATE OF NORTH CAROLINA

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Risk Mitigation Strategies 2017 Tier 1 Risk Profile Interim Report UNCW Institutional Risk Management

TEL2813/IS2820 Security Management

CYBER RISK MANAGEMENT

Carbon Black PCI Compliance Mapping Checklist

Cloud Security Standards

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

HP Fortify Software Security Center

Security by Default: Enabling Transformation Through Cyber Resilience

Back to the Future Cyber Security

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

VMware Cloud Operations Management Technology Consulting Services

The Honest Advantage

Data Governance Framework

E-guide CISSP Prep: 4 Steps to Achieve Your Certification

Transcription:

Effective: 12/31/17 Last Revised: 8/28/17 Responsible University Administrator: Vice Chancellor for Information Services & CIO Responsible University Office: Information Technology Services Policy Contact: Chief Information Security Officer, security@nebraska.edu 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 ITS-03 IT Risk Management Policy Scope This policy is applicable to all University of Nebraska academic and administrative sub-units, auxiliary units, and any affiliated organizations (collectively referred to as Units ) on all campuses that make use of any of the University s Information Technology (IT) infrastructure, systems or services. Policy Statement Reliable and secure technology is a critical necessity for the tripartite research, teaching and outreach mission of the University. All University data will be secured by ITS in a University Data Center, or the Unit will be required to provide a comprehensive review of their IT security. ITS is responsible for delivering agile, scalable, and trusted technology services that meet the common, evolving needs of all campuses and units. This may include providing advice, contracting for commodity services via off-site providers, customized local services to meet specific academic and business needs or any number of additional services. Collaboration with University Procurement Services in the negotiation and contracting of services, whether they are to be hosted in the cloud, placed in one of our data centers or located off-site at a service provider's location is required to ensure the University will obtain the lowest price possible and adhere to all security considerations. In order for IT services to be reliable, secure, and scalable for the needs of the entire University system; ITS is responsible for operating IT facilities that maximize physical security, provide reasoned protections from natural disasters, and minimize IT security risks for NU data and systems. All Units of the University will deploy and use IT systems and services in a manner that vigilantly identifies and mitigates IT security risks, maximizes physical security for IT systems, and minimizes unacceptable risks to IT systems and data from natural disasters (collectively, "IT Risk"). A. The primary means of reducing and mitigating IT Risk at the University is for units to use the secure facilities, common IT infrastructure, and services managed by ITS to the greatest extent practicable for achieving their work. B. To the extent that the primary means of IT Risk mitigation is not practicable for achieving a unit s work, the secondary means is for distributed IT providers to formally document, and obtain approval from ITS, the unit s role, responsibilities, and ongoing actions to mitigate IT Risk for the University. Reason for Policy The lifecycle of a university; admissions, registration, student life, teaching and learning, and business efficiency across the institution is dependent upon technology. As the university uses more data to inform decision-making and produces increasingly valuable data as part of our research mission, the vulnerability of our data increases. Downtime of any system, whatever the IT Risk that caused it, has a significant impact on the business of the University. Meanwhile, the sophistication and frequency of attacks against IT systems and data continue to grow. The University handles tens of millions of cyber-attacks against our IT resources every day. The increasing number of IT security

37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 incidents and documented threats create a concerning picture of a very sophisticated and persistent array of attacks against higher education. Adding to the sophistication and persistence, many attacks have been identified as coming from nation states, organized crime, and even corporate businesses. For both 2016 and 2017, the industry group for IT in higher education, Educause, has identified IT security as the most important issue that member institutions must address. IT Risk has traditionally focused on servers and endpoint devices like desktop and laptop computers. Each of these devices represents a target for IT attacks and a liability for loss or damage of both the device and the data it has access to. These devices must be physically secured, powered, cooled, maintained, patched, and monitored for malicious activity. At any scale, service owners have key responsibility in understanding and properly identifying IT Risk so that adequate mitigations can be put in place. This is especially true in the case of data being consumed, created, or shared via that service. The goal of this policy is to ensure that the University community minimizes, to the greatest extent practicable, the unnecessary creation of IT Risk while also enabling the productive work of all units. This requires a balanced approach to activities that (a) create IT Risk and (b) activities that help mitigate IT Risk to support the university s research, education, and outreach mission. The policy creates a framework and procedures to formally review and document units IT Risk mitigation approaches and responsibilities. Means to Reduce IT Risk: The University continues to make substantial institutional investments in secure physical facilities, IT infrastructure, IT services, and professional staff with expertise in IT security and management to support the university s common IT needs. Use of these investments is the primary means to reduce IT Risk by having fewer physical devices as targets, fewer devices in less secure facilities, and more comprehensive and consistent practices to manage IT risk across the institution. Thus, whenever practicable, establishing physical security for servers in a highly secure, 24 x 7 monitored, protected facility is an essential first step for risk mitigation. Servers that operate outside of the University s secure data centers increase reputational, financial, and data loss risks for the University and may contribute to other risks/concerns for the University: A. Increases risk of permanent data loss from natural causes, building failures (e.g., leaking pipes or cooling outages), or malicious acts if data that are stored outside the Data Centers are not backed up to a remote and highly secure data storage facility. (University Data Centers provide protection from all of these risks). B. Introduces avoidable risks of disruption of critical functions due to potential inadequate system maintenance, redundancy planning, and/or disaster recovery/business continuity planning. C. Uses increasingly scarce resources to duplicate core services offered by ITS, many of which are offered in a highly automated fashion with full-time IT experts with formal security training; local resources can be redirected to supporting units' specific needs that require human attention and local expertise. D. Increases the University s use of energy and carbon footprint as the use of virtualized servers and aggregation of power/cooling in the data centers make them the most energy efficient facilities for housing IT systems on campus. Exceptions: The policy also recognizes that unique needs for some faculty-led research and teaching (academic uses) or unique administrative uses may not be practicable within the common IT infrastructure and services provisioned by ITS. The use of distributed IT providers is a means to achieve the goal of this policy and must follow the secondary means specifications including providing documentation of risk mitigation, responsibilities, prior to obtaining ITS approval. ITS reserves the right to monitor exceptions for adherence to mitigation factors and responsibilities.. The policy creates a framework to further the University s organizational partnerships for vigilant efforts to identify, manage and mitigate IT Risk for the entire University. It ensures that our collective risks for IT are understood, mitigated, managed and communicated. When fully implemented, this policy will ensure that the balance between IT Risk mitigation and residual risk to the University will be reviewed and approved by the appropriate unit leadership. Procedures

89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 A. Information Technology Services: ITS is responsible for maintaining secure facilities; provisioning high-quality, secure, and reliable IT infrastructure; and providing common services with ample capacity and commensurate technical and user support. In particular ITS will: 1. Continue its funding philosophy that minimizes to the greatest extent practicable specific chargeback for IT systems and services to organizational units. Where it is necessary to pass specific costs to an organizational unit, the rates will reflect the lesser of (a) the actual, scaled cost for the provided service or (b) the full cost of a highly comparable service in the marketplace. 2. Provide advanced technical expertise, and physical access to secure facilities for approved distributed IT staff to access and manage their systems. 3. Actively engage with organizational units (through meetings, committees, surveys) to ensure the timely evolution of facilities, systems and services so that the University s IT assets continue to be protected by and responsive to a well-informed partnership of the university community. 4. Assist units for analyzing their local IT environment and identifying needs relative to current and future common service capabilities. 5. Assist units that wish to increase use of ITS services (moving physical devices to Data Centers, migrating services to virtual or cloud environments, etc.), and wish to increase the security of distributed IT services. 6. Assist units with their IT Risk Assessment process. B. Administrative/Academic Users and Auxiliary Units: Within one year of the adoption of this policy, all University Units and other such organizations that depend upon the University IT environment will perform an initial, comprehensive evaluation of their IT needs relative to the requirements of this policy. Following that review, organizational units will: 1. Determine what distributed IT systems and services are candidates for use of ITS services. 2. Develop a plan for policy compliance with target dates agreed to by the dean or director. 3. Prepare a formal risk assessment and risk mitigation plan to be discussed and approved jointly by the unit head (e.g., Dean of a school, Vice President, Director, etc.) and the Chief Information Officer & Vice President for IT (CIO). Units will be required to establish and maintain appropriate capacity and expertise for risk mitigation, University policy compliance, and quality management of IT services that remain within an organizational unit. C. Academic Uses: Academic uses of University systems, software, and services for research and education merit especially broad faculty discretion in how to best achieve these critical parts of the University s mission. In support of this discretion, heads of academic units may formally choose to take responsibility for broad categories of academic uses by providing sufficient resources for distributed IT Risk mitigation vigilance. Within one year of the adoption of this policy, all University academic units and other such organizations that depend upon the University IT environment will perform an initial, comprehensive evaluation of their IT needs relative to the requirements of this policy. Following that review, organizational units will: 1. Identify any unit level IT systems and services within an academic unit for teaching, research, and service that could be served by ITS services and those that are not practicable for use of ITS services. 2. Determine what distributed IT systems and services are candidates for migration to ITS or shared IT provider(s). 3. Develop an action plan for policy compliance with target dates agreed to by the dean or director. 4. Prepare a formal risk assessment and risk mitigation plan to be discussed and approved jointly by the unit head (e.g., Dean of a School, Vice Chancellor / Provost / Vice Chancellor for Research, etc.) and the CIO. Units will be required to establish and maintain appropriate capacity and expertise for risk mitigation, University policy compliance, and quality management of IT services that remain in an organizational unit.

137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 D. Review Updates: The ongoing nature of IT services is such that new opportunities will continually arise and sometimes with short notice. It is expected that organizational units and ITS will proceed in a spirit of full partnership in taking advantage of these opportunities within approaches that comply with University policies, the spirit of IT-03, and vigilant IT Risk mitigation efforts. Organizational units are required to update the reviews of their IT needs every two years. Definitions A. IT Risk: Collective label for IT security risks, physical system security risks, and risks arising from natural disasters or potential infrastructure failure (broken water pipes, cooling failures, etc.). B. Services Unique to a Specific Organizational Unit or Across a Group of Units: Those services that are highly specific to the academic, administrative, or research operations of a unit or a small set of units. Examples include computers connected to scientific, lab, and medical devices. C. Secure Facilities: University Data Centers located on the UNK, UNL, UNMC, and UNO campuses. D. IT Infrastructure and Common Services: Basic infrastructure components that will include core campus and inter-campus networks, connections to commodity Internet, Domain Name System (DNS), central Identity and Access Management services including Active Directory (AD), Lightweight Directory Access Protocol (LDAP), Shibboleth, Central Authentication Service (CAS) Single Sign On (SSO), Dynamic Host Configuration Protocol (DHCP), or any core technology-based services that are required by a significantly portion of University campuses and organizational units, whether provided directly by ITS or contracted for (Office 365, Canvas, Box, etc.). E. Distributed IT Provider: An IT function that provides support to a department, a group of departments or other units that have similar and unique IT needs. Examples are an IT support function that supports all of the academic departments, a set of labs, a research center, administrative functions within a college, or across a single vice-president s set of responsibilities. The capacity of the IT support unit, resources, and expertise of the staff within it must be adequate to effectively manage the IT systems and services. Sanctions Failure to comply with University IT policies may result in sanctions relating to the individual's use of IT resources or other appropriate sanctions via University personnel and student policies. Units which do not comply with the requirements to complete a comprehensive evaluation and the development of an action plan may be denied access to University IT resources. Additional Contacts Subject Contact Phone Email 172 173 174 175 Responsible Parties Forms The CISO s are responsible for monitoring and enforcing this policy.

176 177 178 179 180 Application for a Secure Computing Zone (link) Related Information History This is the original policy adopted regarding IT Risk 0.1 Created by Rick Haugerud

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback