Educause Security Discussion mailing list archives
Re: IT security policies and procedures
From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Fri, 21 Mar 2014 15:39:57 +0000
Hi Dan,

The BU Data Protection Standards break down the control and security of data into a related series of six documents:

* Data Classification Guide: Defines and describes the categories under which University Data can be classified: Public, Internal, Confidential, Restricted Use
* Data Management Guide: Defines the roles for managing data - Data Trustee, Departmental Security Administrators, Data Custodian - and the responsibilities of each. Also provides a list of types of data and the offices that act as trustees or owners of that data
* Access Management and Authentication Requirements: Defines how access to systems and applications is to be managed. Includes standards for the use, configuration, and care of: passwords, two-factor authentication, single sign-on and shared accounts
* Data Protection Requirements: Defines the requirements for protecting information based on the classification of the information. Standards are provided for the collection, storage, access, transmission, and destruction of the information as well as for auditing and incident handling functions. (This standard is about process, not technology.)
* Minimum Security Standards: Provides standards of security for electronic devices. Computers, laptops, tablets, iPads, smartphones, cloud services, etc. may all be used to store and access information. The level of security required of these devices is based on the level of sensitivity of the information that they may be used to access. (This standard is about technical controls.)
* Education, Compliance and Remediation: Defines responsibilities for education, compliance and remediation activities that may be required by the data protection standards and provides the authority to conduct such activities. (This is the enforcement portion of the standard.)

You're more than welcome to review them here and use anything from them you feel may help: http://www.bu.edu/infosec/policies/data-protection-standards/

Our HIPAA policies may be found here: http://www.bu.edu/infosec/policies/hipaa/

I'm happy to send you the Word document format of any of these if you prefer that to the web version.

Quinn R Shamblin
Executive Director of Information Security, Boston University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dan Navarro
Sent: Friday, March 21, 2014 11:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT security policies and procedures

Hello Educause IT Security colleagues,

Here at the University of Maryland we are in the process of reviewing our policies on data management/access and IT security in general. I have an IT policy from Indiana, but if any of your universities have such policies, I would certainly appreciate receiving a copy or link.

Thanks in advance.

-Dan

Dan Navarro
Director
Office of Academic Computing Services
A unit of the College of Behavioral and Social Sciences
University of Maryland
dnavarro () umd edu
301-405-1661