The initial process in developing an information security policy is to work with appropriate offices across campus to identify which laws, regulations, and information security drivers are applicable to your institution.
Perform a high-level gap analysis of each regulatory requirement and driver that is applicable to determine where policy is needed.
Develop a prioritized action plan that will help you organize your efforts.
Prepare a summary document of the impact that the information security policy or policies will have on the institution. The document should:
Describe the policy
Communicate the reason or business justification for the policy, as well as the risks and negative impact of not implementing the policy
Identify regulatory, technical, cultural, and organizational dependencies for implementation of the policy
Identify milestones and possible roadblocks of implementation, compliance, and enforcement
Identify impacted stakeholders
Develop the policy in collaboration with other key stakeholders at your institution.
Ensure the policy is vetted by impacted subject matter experts and business owners, including information security, legal counsel, human resources, operational staff, and any other applicable steering committees.
Review resources in the Guide such as the GRC FAQ, as well as standards and regulations that address specific requirements (e.g., PCI DSS 3.0, HIPAA, GLBA, GDPR).
Publish, communicate, train, and implement.
The adoption of one or more information security policies is the first step that institutions of higher education take to express their commitment to the protection of institutional information resources and the information entrusted to them by constituencies and partners. At institutions of higher education, institutional policies, including information security policies, are often drafted through a consensus-building process with solicitation and feedback from all identified stakeholders. Once a policy is approved and published, effective communication and periodic review and updating ensure that its stated intent and corresponding expectations remain consistent and relevant over time, reflecting changes in technology, laws, business practices, and other factors.
A policy for information security is a formal, high-level statement that embodies the institution's course of action regarding the use and safeguarding of institutional information resources. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security. It also provides institutional leaders with an opportunity to set a clear plan for information security, describe its role in supporting the missions of the institution, and state its commitment to comply with relevant laws and regulations. To be effective, an information security policy must:
Also, the information security policy should:
A careful balance must be reached to ensure that the policy enhances institutional security by providing enough detail that community members understand their expected role and contribution, but not so much detail that the institution is exposed to unnecessary risk.
Elements to be included in information security policies include the following:
There are a number of frameworks that can be used as a foundation for the subject matter included in an institution's information security policy. These frameworks can be used as the basis of one large, overarching information security policy, or for smaller policies devoted to discrete information security topics. Higher education institutions have found success following either model. The Standards box at the end of this page lists a few popular industry frameworks/standards that may be consulted when drafting information security policies. The 2016 EDUCAUSE Core Data Service found that the following information security frameworks/standards are most popular in higher education:
Choosing the right policy framework is all about what will work best for the institution and its missions. Institutions of higher education should consider the following when selecting a framework for their information security policy:
Most institutions of higher education will have a documented periodic policy review process in place (e.g., annually) to ensure that policies are kept up to date and relevant. In some institutions, a policy owner or manager would be the individual who would determine the need for a new policy or the update to an existing policy. In other institutions, the role of policy manager may be played by the Business Owner (e.g., the Chief Information Security Officer may be the owner/manager of the information security policy). We use the term policy manager in this section.
In most instances, the information security policy manager will review and update the policy at the required intervals or when external or internal factors require the review and update of the policy. The following are the most common factors that would prompt a review of the institution's information security policy.
The process to review and update the information security policy should include many of the steps identified in the Getting Started section of this chapter. Many institutions have a "policy on policies," or a process to follow to implement institution-wide policies from inception to maintenance and review. That document may also list steps to follow in order to properly update an institutional policy. At a minimum, the policy manager must:
Policies are not the only documents that end users should look to when trying to understand an institution's information security stance. While policies may state the high-level institutional goals around expected information security behaviors and outcomes, other documents may be used to state a threshold of acceptable behavior, step-by-step processes to follow, or recommended (but not required) actions to take. You may see these other types of documents used in an institution's information security program to supplement information security policies. The hierarchy for institutional governance documents is typically:
Policies: The highest level of governance document. Policies typically have general applicability and they rarely change (or are hard to change). They are leadership's high-level statement of information security goals and expectations.
Standards: Standards state the actions needed to meet policy goals. They are more specific than policies and easier to update in response to changing circumstances. Often standards set the minimum level of action needed to comply with a policy.
Procedures: Procedures are often step-by-step checklists that are particular to a task, technology, or department. They are easily updated in response to changing technical or business influences.
Guidelines: Guidelines are documents that specify recommended actions and advice. Institutional employees may not be required to follow guidelines as part of their jobs, but the guidelines are shared in order to promote good information security hygiene practices. Guidelines are flexible and easily updated.
EDUCAUSE Resources
Initiatives, Collaborations, & Other Resources
Standards: ISO/IEC 27002:2013 Information Security Management | NIST SP 800-53: Recommended Security Controls for Federal | COBIT APO01.03 | PCI DSS Req 12 | NIST CSF ID.GV-1 | HIPAA 45 CFR 164.316(a)
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).