Information Security @ NEOMED: Update #1, Revised Policies

Hello everyone,

This is Jonathan Wagner, co-director of compliance and risk management, and I wanted to provide you an update on Information Security at NEOMED.

I know your time is valuable, so the “Too Long; Didn’t Read” (TL;DR) version of this article is that we’ve made updates to two of our existing Information Technology policies: the Information Security Policy and the Classification of University Data and Systems Policy, which you can read on the NEOMED Policy Portal.

If you have a few additional minutes, some additional background on these efforts as well as an overview of the policy changes can be found below:

Background

As the University has grown over the years, so too has the volume of information and types of technology we all use. The ability for each of us at NEOMED to meet the needs of our academic, administrative, and research communities is facilitated, in large part, by using University Data (information created, collected, stored and/or managed in association with fulfilling the University’s mission or its required business functions) and University Systems (technology organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of University Data).

While these technology resources are important assets of the University and are fundamental to carrying out NEOMED’s mission, they also introduce risks, which are increasing in both number and variety (e.g. phishing, identity fraud, etc.). Additionally, the regulatory environment impacting higher education data and systems is increasingly complex. Since the United States tends to adopt data-protection laws based on the underlying industry (as opposed to a singular national data-protection law), data and systems within higher education are protected by a patchwork of different federal and state laws.

What is Information Security?

Information Security refers to the protection of University Data and Systems from unauthorized access, use, disclosure, disruption, modification and destruction with the intent to provide confidentiality, integrity and availability to such Data and Systems.

With these considerations in mind and in working with the Information Technology department, we have been re-evaluating our approach to Information Security. Our goals are to:

  1. Develop Information Security policies and procedures that are relevant for the current technology environment;
  2. Enable the effective, efficient, and secure use of University Data and Systems; and
  3. Align with federal and state laws related to the safeguarding of University Data and Systems.

As you may have read above, the news we have to share with you today is that we have made updates to two of our existing Information Technology policies: the Information Security Policy and the Classification of University Data and Systems Policy. I encourage you to read through these two policies, which are available through the NEOMED Policy Portal, when you have time; however, for the purpose of summarizing these changes, brief overviews are provided below.

Information Security Policy

The most significant change to the Information Security policy is its intent and use, as the policy now serves as the overarching foundation for Information Security efforts moving forward. This policy outlines the core elements that will be used across the University and will allow us to expand information security, as needed, through supplemental policies or procedures. Additionally, this updated policy incorporates new and updated definitions, including the integration and consideration of risk and how risk affects the way we manage Information Security.

Classification of University Data and Systems Policy

This policy is an update to the previously titled “Classification of Data” policy. As indicated in its title, this policy now includes University Systems in addition to University Data. Like the Information Security policy, this policy includes new and updated definitions, many of which align with the Information Security policy. The most notable changes are related to the classification categories of University Data and Systems and how each is classified. While more detailed information can be found within the policy, below is a comparison between the classifications used in the previous policy and the current, updated policy:

Classification Category    Previous Policy Classification           Current Classification
                           (from most to least sensitive)           (from most to least sensitive)
University Data            Restricted, Confidential, and Public     Restricted, Private, Internal, and Public
University Systems         N/A (new to current version)             High Risk, Moderate Risk, and Low Risk

The University uses risk assessment methods to identify appropriate University Data and System classifications. This is done by assessing the adverse effects that could be expected from a loss of confidentiality, integrity, and availability of each University Data and System and then determining a classification category for each resource. The purpose of classifying University Data and Systems is that it allows us to utilize the appropriate security controls, such as encryption, based upon the classification category each resource falls within. For example, if someone needed to transmit Restricted Data, they would utilize multiple, specific security controls; on the other hand, someone sending Public Data would not need to utilize any.

Wrap Up

Again, I encourage you to read through both policies, as they both serve to outline our Information Security trajectory. As further changes are made to our Information Security policies and procedures, opportunities to learn more about these efforts, whether through webinars, in-person presentations, online training, or The Pulse articles like this one, will soon follow. If you have any questions about these changes, please don’t hesitate to ask. If you’ve made it to the end of this article, thanks for your interest and time reading!

-Submitted by Jonathan Wagner
