New security rules officially enforceable April 30, 2016

15 security rules were approved and published in May 2015 (along with the newly revised Policy 4-004), and are now fully enforceable – so what does that mean for you?

“The policy and rules are a reflection of what laws we have to comply with, what our culture is, and what our leadership believe we need to implement to secure our data and our assets,” said Kiston Finney, security specialist for the University’s Information Security Office. “The general University community should expect to know where to go to reference them.”

There are a total of 15 rules supporting Policy 4-004, but the two most important rules for University staff, faculty, and students to be aware of are the Acceptable Use rule and the Data Classification and Encryption rule.

When should you refer to the Acceptable Use rule?

Some examples:

  • If you choose to store personal data on University-owned resources, such as Box
  • If you would like to post to social media on behalf of, or as a representative of, the University
  • If you’re considering soliciting business from your University colleagues using your University email address

When should you refer to the Data Classification and Encryption rule?

Some examples:

  • If you’re trying to determine whether or not the data you manage in a project is considered Restricted or Sensitive
  • If you’re trying to determine whether or not encryption is required for emailing data (such as Protected Health Information, PHI) to an outside email recipient

A third rule, Remote Access, is especially important for IT technicians on campus to be familiar with. Its purpose is to ensure a user’s remote access connection is given, at minimum, the same consideration as the user’s on-site connection.

What the policy and rules don’t do is tell departments, divisions, and organizations how to comply – and that’s intentional.

“It’s up to the departments to make sure their procedures are in accordance with the policy and rules,” said Finney. “We didn’t dictate ‘how to implement’ in the policy and rules, so there’s a lot of flexibility.”

“As long as departments are implementing either technologies, methodologies, or processes that meet at a minimum what the policy and rules say, then we’re not going to tell them they have to use this tool or that tool to do it,” she added.

If a department would like their procedures to be converted into official University regulation, ISO is happy to help with that, Finney said. Simply email uofu_iso@utah.edu with the request.

“Once the department has developed the content of the procedure, we can help them with the process to get it referenced within the rule, in a way that is fully enforceable,” said Finney.

Thanks to the persistent, hard work of Finney and the rest of ISO, the U’s security policy and rules are now up to date and written in a way that is dynamic and can be applied to various situations over a long period of time.

“For the University, it establishes our information security program. It is the framework for how we make other decisions,” said Finney. “I think the end result of going through this comprehensive process really is going to make us thought leaders, not only in PAC-12, but our other peers in other college systems as well.”

Last Updated: 4/8/24