Information Security @ NEOMED: Update #4, Incident Response Plan Revision

Hello everyone,

This is Jonathan Wagner, Information Security, Training and Compliance Manager, and I wanted to provide you another update on Information Security at NEOMED.

I know your time is valuable, so the “Too Long; Didn’t Read” (TL;DR) version of this article is that we’ve made updates to our Information Security Incident Response Plan Policy, which can be found on the NEOMED Policy Portal. This update integrates the former PCI Incident Response Plan, reflects changes in University personnel, roles and responsibilities, including how to report a Security Incident, and incorporates a custom version of the Security Incident Response process as outlined within National Institute of Standards and Technology (NIST) 800-61.

If you have a few additional minutes, some additional background on these efforts as well as an overview of the policy updates can be found below.

Background

As the University has grown over the years, so too has the volume of information and types of technology we all use. The ability for each of us at NEOMED to meet the needs of our academic, administrative, and research communities is facilitated, in large part, by using University Data (information created, collected, stored and/or managed in association with fulfilling the University’s mission or its required business functions) and University Systems (technology organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of University Data).

While these technology resources are important assets of the University and are fundamental to carrying out NEOMED’s mission, they also introduce risks, which are increasing in both number and variety (e.g. phishing, identity fraud, etc.). Additionally, the regulatory environment impacting higher education data and systems is increasingly complex. Since the United States tends to adopt data-protection laws based on the underlying industry (as opposed to a singular national data-protection law), data and systems within higher education are protected by a patchwork of different federal and state laws.

What is Information Security? Information Security refers to the protection of University Data and Systems from unauthorized access, use, disclosure, disruption, modification and destruction with the intent to provide confidentiality, integrity and availability to such Data and Systems.

With these considerations in mind, we reassessed our approach to Information Security at NEOMED. As a result, our goals are to:

  1. Develop Information Security policies and procedures that are relevant for the current and emerging technology environments;
  2. Enable the effective, efficient, and secure use of University Data and Systems through training, awareness and understanding; and
  3. Align with federal and state laws related to the safeguarding of University Data and Systems.

As you may have read at the beginning, we have made updates to our Information Security Incident Response Plan Policy. I encourage you to read through this policy when you have time; however, for the purpose of summarizing these changes, a brief overview is provided below.

Information Security Incident Response Plan Policy Updates

This policy is an update to the previously titled “Data Security Incident Response Plan” policy and aims to provide a consistent, well-defined and organized approach for handling Security Incidents, including when a Security Incident at an external organization is traced back to and reported to the University.

What is a Security Incident, you may ask? A Security Incident refers to an adverse event that results in a suspected or known unauthorized disclosure, misuse, alteration, destruction, or other compromise of University Data or Systems.

While more detailed information can be found within the policy, the most notable changes include:

  • The integration of the previously separate PCI Incident Response Plan, including guidelines and notification details for reporting Security Incidents involving credit/payment cards;
    • Please see Section (8) of the policy for more information.
  • The incorporation of the Security Incident Response process as outlined within National Institute of Standards and Technology (NIST) 800-61, adapted to NEOMED’s environment; and
    • This process encapsulates five phases: Preparation; Detection and Reporting; Analysis; Containment; and Eradication and Recovery.
    • Please see Section (5) of the policy for more information.
  • Reflecting changes in University personnel, roles and responsibilities.
    • Roles and responsibilities have been clarified to better assist in Incident Response, including those of the NEOMED Information Security Incident Response Team.
      • Please see Section (2) of the policy for more information.
    • Also, to assist with the efficiency of and flexibility in reporting Security Incidents, internal reporting methods and associated contact information can be found within Section (5)(d)(ii) – Internal Reporting.

Wrap Up

Again, I encourage you to read through the updated policy to become familiar with our updated Information Security Incident Response Plan, most notably our Internal Reporting methods. As further changes are made to our Information Security policies and procedures, learning and awareness opportunities will be made available, whether it be through webinars, in-person presentations, online training, or The Pulse articles like this. If you have any questions about these changes, please don’t hesitate to ask. Thanks for your interest and time reading!

-Submitted by Jonathan Wagner