Information Security @ NEOMED: Update #2, Information Security Program

Hello, everyone,

This is Jonathan Wagner, Co-Director of Compliance and Risk Management, and I wanted to provide you with another update on Information Security at NEOMED.

I know your time is valuable, so the “Too Long; Didn’t Read (TL;DR)” version of this article is that we’ve created a new Information Technology policy, the Information Security Program Policy, which you can read on the NEOMED Policy Portal. This policy formalizes several previously informal efforts to reasonably manage and safeguard University Data and Systems.

If you have a few additional minutes, some additional background on information security and an overview of the Information Security Program (ISP) can be found below.

Information Security Background

As mentioned in the previous Information Security Update, as the University has grown over the years, so too has the volume of information and the types of technology we all use. The ability of each of us at NEOMED to meet the needs of our academic, administrative, and research communities is facilitated, in large part, by using University Data (information created, collected, stored and/or managed in association with fulfilling the University’s mission or its required business functions) and University Systems (technology organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of University Data).

While these technology resources are important assets of the University and are fundamental to carrying out NEOMED’s mission, they also introduce risks, which are increasing in both number and variety (e.g. phishing, identity fraud, etc.). Additionally, the regulatory environment impacting higher education data and systems is increasingly complex. Since the United States tends to adopt data-protection laws based on the underlying industry (as opposed to a single national data-protection law), data and systems within higher education are protected by a patchwork of different federal and state laws.

With these considerations in mind and in working with the Information Technology department, we have been re-evaluating our approach to Information Security. Our goals are to:

  1. Develop Information Security policies and procedures that are relevant for the current technology environment;
  2. Enable the effective, efficient, and secure use of University Data and Systems; and
  3. Align with federal and state laws related to the safeguarding of University Data and Systems.

As you may have read above, the news we have to share with you today is that we have created a new policy, the Information Security Program Policy, to help supplement our approach to Information Security and assist us in achieving the goals mentioned above. While I encourage you to read through the Information Security Program (ISP) when you have some time, I am sympathetic to everyone’s various time commitments; therefore, a brief overview of the ISP’s 5 W’s (What, Why, Who, Where, When) is provided below.

Information Security Program Policy

What is the Information Security Program (ISP)?
The ISP is a combination of policy, security architecture design, and descriptions of current Information Security services and control procedures. When integrated, the ISP describes administrative, physical, and technical security safeguards to effectively manage Information Security risks to the University’s assets and community. The ISP was designed to be appropriate based upon the University’s size, complexity, and the nature of its activities.

Why have an ISP?
In addition to complying with federal and state laws and regulations, NEOMED’s ISP provides value by enabling a timelier delivery of Information Technology to more individuals, with appropriate University Data and Systems necessary to achieve the University’s mission. Appropriate Information Security is crucial to the University so that risks inherent to a distributed, open technology environment can be managed accordingly.

Who is responsible for the ISP?
The ISP’s organizational structure was designed considering the University’s distributed environment; as such, all users of University Data and Systems have a responsibility to ensure appropriate Information Security controls and procedures are practiced within their areas of responsibility. Additionally, the ISP is administered and overseen by the University’s Information Security Program Coordinators in coordination with other University offices and departments. The Chief Information Technology Officer and Co-Director of Compliance and Risk Management have been identified as NEOMED’s ISP Coordinators.

Where and how does the ISP affect me?
Users of University Data and Systems are responsible for ensuring that their use, wherever that may be, is in compliance with the Acceptable Use of Computing Resources Policy, institutional training, and other Information Technology policies, laws and regulations. Additionally, ISP Coordinators will be working with departments to identify Data Stewards and System Stewards who will assist in the management and risk assessment of University Data and Systems, respectively.

When do efforts of the ISP occur and when is the ISP updated?
In short, throughout the year. There are various efforts, such as risk assessments and training and awareness efforts, that occur on a continuous basis. As the ISP evolves and matures, it is anticipated that there will be more of a structured cadence to activities within the Program. The ISP Coordinators will evaluate and adjust the ISP as needed, based upon risk assessment activities undertaken, any material changes to the University’s operations, or other circumstances that may have a material impact on the ISP.

Wrap Up

Again, I encourage you to read through the Information Security Program Policy, as it serves to supplement the new trajectory of Information Security at NEOMED. As further changes are made to our Information Security policies and procedures, opportunities to learn more about these efforts, whether through webinars, in-person presentations, online training, or The Pulse articles like this one, will soon follow. If you have any questions about these changes, please don’t hesitate to ask. If you’ve made it to the end of this update, you have my sincere thanks for your interest and time reading!