Educause Security Discussion mailing list archives

Re: IT security policies and procedures


From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Fri, 21 Mar 2014 15:39:57 +0000

Hi Dan,

The BU Data Protection Standards break down the control and security of data into a related series of six documents:

*         Data Classification Guide: Defines and describes the categories under which University Data can be 
classified: Public, Internal, Confidential, Restricted Use.

*         Data Management Guide: Defines the roles for managing data (Data Trustee, Departmental Security 
Administrators, Data Custodian) and the responsibilities of each. Also provides a list of types of data and the offices 
that act as trustees or owners of that data.

*         Access Management and Authentication Requirements: Defines how access to systems and applications is to be 
managed. Includes standards for the use, configuration, and care of passwords, two-factor authentication, single 
sign-on, and shared accounts.

*         Data Protection Requirements: Defines the requirements for protecting information based on the classification 
of the information. Standards are provided for the collection, storage, access, transmission, and destruction of the 
information as well as for auditing and incident handling functions. (This standard is about process, not technology.)

*         Minimum Security Standards: Provides standards of security for electronic devices. Computers, laptops, 
tablets, iPads, smartphones, cloud services, etc. may all be used to store and access information. The level of 
security required of these devices is based on the level of sensitivity of the information that they may be used to 
access. (This standard is about technical controls.)

*         Education, Compliance and Remediation: Defines responsibilities for education, compliance and remediation 
activities that may be required by the data protection standards and provides the authority to conduct such activities. 
(This is the enforcement portion of the standard.)

You're more than welcome to review them here and use anything from them you feel may help:
http://www.bu.edu/infosec/policies/data-protection-standards/

Our HIPAA policies may be found here:
http://www.bu.edu/infosec/policies/hipaa/

I'm happy to send you the Word document format of any of these if you prefer that to the web version.

Quinn R Shamblin
Executive Director of Information Security, Boston University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan 
Navarro
Sent: Friday, March 21, 2014 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT security policies and procedures

Hello Educause IT Security colleagues,

Here at the University of Maryland we are in the process of reviewing our policies on data management/access and IT 
security in general.  I have an IT policy from Indiana, but if any of your universities have such policies, I would 
certainly appreciate receiving a copy or link.

Thanks in advance.

-Dan

Dan Navarro
Director
Office of Academic Computing Services
A unit of the College of Behavioral and Social Sciences
University of Maryland
dnavarro () umd edu
301-405-1661