President Randall approves revised information security policy
Policy 4-004: University of Utah Information Security Policy and its rules, procedures, and guidelines have received an overhaul.
Earlier this month, President Taylor R. Randall approved revisions to Policy 4-004; Rules 4-004A, C, D, F, G, J, and Q; and the integration and/or retirement of the remaining rules, procedures, and guidelines, effective immediately. As interim policy and rules, they are in full effect while they proceed through the U’s regulation review and approval process for eventual signoff by the Board of Trustees.
The changes, which also were reviewed by the U’s Institutional Policy Committee, comply with the recently updated Utah Board of Higher Education Policy Utah System of Higher Education Board Policy R345: Information Technology Resource Security and strengthen the university’s information security policy to address the present and increasing risks of cybersecurity incidents. The revised information security regulations apply to all University of Utah entities, including all main campus, Health Sciences, and University of Utah Health organizations.
“The cybersecurity landscape constantly changes, and it was time for a policy update,” Chief Information Security Officer Corey Roach said. “The revised policy better aligns with current industry standards and the Utah System of Higher Education cybersecurity requirements. It supports the improvement efforts of IT professionals across the university. But, most importantly, it clearly outlines the roles and responsibilities of all U employees in securing the data of our students and patients.”
Please review each section below for a summary of the major updates to the regulations.
Interim Policy 4-004
- A “Roles and Responsibilities” section has been added to provide clarity regarding which roles perform specific information security functions and duties in their day-to-day work.
- Vague and ambiguous language has been removed.
- Section O: Cybersecurity awareness and training is now a requirement for all employees.
- Section Q: A “Sanctions Matrix” has been added.
Interim Rule 4-004C
- A new data type, “Authentication Data,” has been added under the “Restricted” section.
- The term “Encryption requirements” has been clarified: “Data at Rest Requirements — All devices storing, processing, creating, or transmitting University data, where technically feasible, shall be encrypted.”
Interim Rule 4-004D
- The term “Authentication services” has been clarified: “All University IT Resources, IT Systems, and Electronic Resources must use University Information Technology authentication services wherever technically feasible.”
Integrated and retired rules
The following rules have been retired with applicable content moved to the corresponding section in the policy. Instructional content will be added to forthcoming procedures:
- Rule 4-004B: Information Security Risk Management
- Rule 4-004E: Change Management
- Rule 4-004H: Remote Access
- Rule 4-004I: Network Security
- Rule 4-004K: Backup and Recovery
- Rule 4-004L: Information System Media Handling
- Rule 4-004M: Business Continuity and Disaster Recovery Planning
- Rule 4-004N: Information Security Incident Management
- Rule 4-004O: Information Security Awareness and Training
The following guidelines have been retired. Any still-relevant information has been included in the proposed policy and rules, or as applicable, articles on the UIT website:
- Guideline G4-004D: Cloud Computing — Opportunities Used Safely
- Guideline G4-004E: Termination Check List for Information Technology
- Guideline G-4004J: Vendors and Business Services Agreements
- Guideline G4-004N1: Media Sanitization and Destruction
- Guideline G4-004Q: Guidelines for Privacy and Information Security Training and Awareness Contacts (TACs)
- Guideline G4-004S: Potential Sanctions for Privacy and Security Violations
The updated information security regulations had been reviewed and updated by the Governance, Risk & Compliance (GRC) team in the U’s Information Security Office (ISO), which solicited feedback from the Department of Internal Audit, the Information Privacy Office, the Office of General Counsel, University Human Resource Management (UHRM), University Information Technology (UIT) Partner Relations, UIT Strategic Communication, University of Utah Hospitals and Clinics Human Resources (UUHC HR), the director for University Regulations, and the Institutional Policy Committee.
To access the updated policy and rules, please visit the U’s Regulations site.
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.