Several university IT security policies receive updates
Unless you’ve browsed the University of Utah Regulations recently, you might not know that some sections of Policy 4-004: Information Security Policy look a little different, thanks to updates and additions requested by the Information Security Office (ISO) and approved by the Academic Senate.
The ISO requested changes to three items and the addition of one procedure:
- Rule 4-004A Acceptable Use
- Rule 4-004B Information Security Risk Management
- Procedure to Rule 4-004G IT Resource and Information System Security and Vulnerability Management
- G4-004B Guidelines for Security and HIPAA Champs
The modifications were reviewed by the Institutional Policy Committee, Senate Advisory Committee on IT, Senate Advisory Committee, and Senate Executive Committee. The Academic Senate approved them on February 1, 2021.
The process included numerous revisions, based on input from those committees, according to ISO Governance, Risk & Compliance Associate Director Trevor Long. Now that they have been approved, Long said his team will start work on another batch of policy changes in order to stay current with the ever-changing cybersecurity landscape and organizational requirements.
Summaries of the policy changes are below.
Rule 4-004A Acceptable Use
Rule 4-004A Acceptable Use now states that unauthorized access is no longer allowed on university networks.
“We need to know who's on the network,” Long said, noting that includes “a minimum amount of information that can be shared with law enforcement agencies in case a crime is committed and they come to the university with the appropriate documentation, like a subpoena.”
Since the university’s central wireless networks already require authentication, the policy update primarily impacts IT staff who manage department networks not supported by UIT. To comply with the rule, the staff must now retain adequate information that can be passed to law enforcement, if necessary.
“It can be as complicated or as simple as needed,” Long said. “We just need to be able to respond appropriately to law enforcement when presented with the proper documentation.”
Rule 4-004B Information Security Risk Management
The update to Rule 4-004B Information Security Risk Management removes a specific information security control framework for the university. A security control framework includes standards, guidelines, and best practices that organizations can use to better understand and manage their cybersecurity risk.
Initially, the rule said the university’s information security control framework was based on International Organization for Standardization (ISO) 27002:2013. Now it states that the university “leverages numerous government and industry recognized information security control frameworks, depending on the situation, risk tolerance, data types, and as specified in applicable regulations.”
Long said the framework was removed because it’s not universally accessible since there’s a fee to use it.
“No one else would be able to use [ISO 27002:2013], especially an organization our size, because there's a cost. Since we already use the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) frameworks, this was a matter of updating policy to reflect that the correct framework is used in the right situation,” he said.
Long noted that anyone — researcher, student, or IT professional — can access the CIS and NIST frameworks. He also said they align better with grant requirements.
“It's becoming more and more common that researchers or organizations that share money or data want some assurance about what you're doing to protect their interests. And the easiest thing to do in that regard is to select a common framework,” he said.
Procedure supporting Rule 4-004G (IT Resource/Information System Security and Vulnerability Management Rule)
The new procedure clarifies the Information Security Office’s process for Rule 4-004G IT Resource and Information System Security and Vulnerability Management, or the notification and escalation of exceptions to policy and/or known vulnerabilities.
In particular, the procedure outlines a notification process and timeline for remediation or exception to policy, depending on classification (urgent, critical, serious, medium, or low) — and what will happen if the ISO does not receive a response within that timeframe.
“It establishes that the Information Security Office will contact you about these issues … and if you don't respond within a certain time frame, we will begin an escalation procedure,” he said.
The procedure, Long said, emphasizes that people need to communicate to the ISO their remediation plans, which has been an issue in the past.
“Departments and their staff need to be responsive, and they need to show that they have a plan,” he said, adding, “and we're trying to be transparent about the process.”
G4-004B Guidelines for Security and HIPAA Champs
The G4-004B Guidelines for Information Security and Privacy Liaisons, renamed Guidelines for Security and Privacy Champs, has been updated to reference the university’s current information security policy and provide clarity regarding the expectations for staff participating in Security Champs and HIPAA Champs (authentication required) efforts.
The guideline was last updated in 2011, when the ISO and the University of Utah Health Information Privacy Office (PO) were one department that oversaw an Information Security and Privacy Liaisons group, Long said. Organizational changes interrupted the security awareness effort, leaving each unit to pursue its own program.
Security Champs relaunched in January 2020. Members, who help promote information security/privacy awareness and best practices, meet quarterly to receive related news, resources, training, and more, as outlined in the guideline.
The ISO updated the guideline because “we wanted to restart the Security Champs effort,” Long said. “We also wanted to give a little more backing to the HIPAA Champs program, to actually have it referenced in university policy.”
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.