IT Security Program

The IT Portfolio Management Office (PMO) is responsible for developing a comprehensive University IT Security Program. This is a long-term strategic objective for us!

The approved IT Security Policy Framework authorizes the development and implementation of our Security Program. This page outlines our definition of an IT Security Program, its major "foundational" components, and the deliverables of the Program supported by our Office.

Definition: An IT Security Program is both a comprehensive plan and a set of operational services, based on a risk management process, to protect critical applications and IT infrastructure, ensure systems availability and data integrity, comply with external regulations, and protect individual privacy. This broad definition embeds IT security within an over-arching Systems Assurance strategy.

"Baseline" Components and Controls:

1) Formal policies, governance, and assigned accountability.
2) "Basic" technical controls: including network access, identity management, endpoint and server protection, application security, and change management.
3) Physical security.
4) Security awareness, risk management engagement, appropriate technical training.
5) Audit and compliance verification.

Current Security Program Initiatives:

1. An over-arching IT Security Policy Framework has been developed, reviewed by ITSC, circulated to the University community, and approved by the President. The Framework essentially provides organizational structure to the security program components.

2. The PMO's Integrated Plan includes a reference to embracing the SANS 20 Critical Security Controls and increasing the use of automated tools to advance the University's security posture. A "roadmap" describing this strategy at both the strategic and tactical level is available here.

3. An IT Asset repository is being developed and populated by the PMO. The repository is an essential deliverable for supporting IT risk management, IT incident response, and prioritizing potential risk mitigation initiatives (e.g., vulnerability management). N.B. The Repository is restricted to University staff and faculty and utilizes the Single Sign-on Service for authentication.