IT Security Program
The IT Portfolio Management Office is responsible for developing a comprehensive University IT Security Program. This is a long-term strategic objective for us!
Authorization for development and implementation of our Security Program is the approved IT Security Policy Framework. This page outlines our definition of an IT Security Program, its major "foundational" components, and the deliverables of the Program supported by our Office.
Definition: An IT Security Program is both a comprehensive plan and a set of operational services, based on a risk management process, to protect critical applications and IT infrastructure, ensure systems availability and data integrity, comply with external regulations, and protect individual privacy. This broad definition embeds IT security within an overarching Systems Assurance strategy.
"Baseline" Components and Controls:
1) Formal policies, governance, and assigned accountability.
2) "Basic" technical controls: including network access, identity management, endpoint and server protection, application security, and change management.
3) Physical security.
4) Security awareness, risk management engagement, appropriate technical training.
5) Audit and compliance verification.
Current Security Program Initiatives:
1. An overarching IT Security Policy Framework has been developed, reviewed by ITSC, circulated to the University community, and approved by the President. We will use the Framework to guide prioritization of additional enterprise-level security guidance.
2. An IT Asset Inventory/repository is being developed and populated by the PMO. The repository is an essential deliverable for supporting IT risk management, IT incident response, and prioritizing potential risk mitigation initiatives (e.g. vulnerability management).