ISO developing new rules for security policy at the U - University Information Technology

By Emily Rushton

Information security policy at the University of Utah is getting an overhaul that's long overdue.

The Information Security Office (ISO), along with the input of multiple collaborators, is revising Policy 4-004 and drafting 15 brand new supporting rules that aim to provide more clarity about security requirements and expectations at the U. The policy’s terminology will also be brought up to date to help it better align with the new rules.

“This policy has been in place for a while, but it never had the clarification of supporting rules that establish the rules of engagement with our data at the University,” said Kiston Finney, security specialist for ISO.

“We’re collaborating with a tremendous number of groups across all three entities,” she added. “There are 78 collaborators in our Box folder alone.”

Some of the groups they’ve been working with include the Office of General Counsel, University Information Technology (UIT) leadership, Information Technology Services (ITS) leadership, and the IT Infrastructure Portfolio.

“So far we’ve gotten primarily supportive and positive comments,” said Finney.

The Institutional Policy Committee just recently approved the revised policy and correlating rules to move on to the Academic Senate Executive Committee. If the committee approves, the policy and rules will progress to the Academic Senate for a final vote in early April.

So what exactly do these rules mean for University of Utah faculty, staff, and students?

“What we’re doing is shifting the focus from who you are to the data itself,” said Finney. In the past, the policy was written from a user’s perspective – in other words, this is what you do if you’re faculty, this is what you do if you’re a student, and so on.

“Now, no matter who you are, if it’s PHI data then you have to handle it and secure it a certain way,” said Finney. “If it’s student information protected by FERPA, it has to be handled a certain way, no matter if you’re faculty, staff, or student.”

The policy and its supporting rules are just the first step in stating what needs to be implemented at a minimum. Departments will still need to create their own procedures that describe how they’ll meet those requirements.

“We’ll work with IT Professionals to help them develop those procedures,” Finney said. “Operationally, IT Professionals are already doing the right things to secure the data.”

“I don’t think you’ll see a whole lot of scrambling to comply operationally,” she added. The work will be in helping to formalize in a written procedure what is already being done on a daily basis.”

Since they’re only making minor revisions to the policy itself, ISO expects full policy compliance immediately upon senate approval. There will, however, be a grace period for complying with the 15 supporting rules.

“We’ll ask that they’re effective immediately, but delay full compliance expectations to within one year of the publish date,” Finney said. “Next year, we’ll do awareness training on the rules and the requirements, and guide people into compliance.”

ISO has already started to develop its own procedures in order to better show other departments what they’ll need to do.

“The most important thing I want everyone to know is that we did not write these rules in a bubble,” said Finney. “We have taken the time over the last 6 months to carefully develop these based on industry-regarded best practice, create awareness around them, and invite feedback.”

If everything goes as planned, you can expect the new policy and rules to be approved and published by June 30, 2015.