Secure UD Data Governance & Security Program
The Secure UD Data Governance & Security Program (Secure UD DGSP) is the cornerstone of Secure UD. It is the University's comprehensive plan for information security and risk management across the institution. It describes the roles and responsibilities for information security and risk management and establishes security standards and controls for the protection of IT resources. The Secure UD DGSP is built on the premise that information risk management is an organizational issue, not exclusively an IT issue. IT provides some security centrally, but much of the risk to IT resources can only be feasibly managed within units' day-to-day operations.
The Secure UD DGSP creates an institutional model for managing risk and protecting IT resources. It defines the security standards to which all IT resources are held.
This site provides guidance and tools to help units work through Secure UD policy and enhance their security in support of their missions and goals. IT is available for consultation to help units understand and manage risk.
All end users of IT resources are responsible for protecting IT resources. End users are not responsible for reading this document, but they must be aware of and follow their unit's and the University's security practices.
What does Secure UD policy mean for your unit?
Secure UD policy creates a standard for information security and organizes information risk into ten broad areas. Many of the requirements established by policy are addressed centrally by IT, and not all requirements apply to all units.
The Secure UD policy requirements applicable to most units include:
Risk area
Policy requirements
Information security program risk
- Complete a unit compliance and risk survey.
- Develop and maintain a unit information security plan.
IT resource acquisition risk
- Partner with IT, General Counsel, and Procurement Services to negotiate contract terms that manage risks presented by outsourced (cloud) computing services.
Application security risk
- If your unit develops applications, implement security throughout the software development lifecycle.
Contingency planning risk
- Back up unit data to ensure its availability.
- Develop and maintain a business continuity plan.
Data management risk
- Appropriately manage data throughout its lifecycle based on business needs, laws, regulations, and contractual obligations.
- Manage and review user access to IT resources on a regular basis.
- Encrypt Level III (sensitive) data to protect its confidentiality.
- Securely dispose of IT devices and sensitive data.
Human resources risk
- Ensure that employees complete Secure UD Training and the Secure UD End User Acknowledgement annually.
Identification and authentication risk
- Use unique, non-administrator accounts for routine work.
- Use strong passwords and two-factor authentication to protect accounts and IT resources.
Incident response risk
- Reinforce to employees their responsibility to report potential security incidents.
Physical security risk
- Don't leave IT devices or paper records unattended in public areas.
Risk management model
The Secure UD DGSP creates a risk management model:
- Risk areas—10 broad groups of IT and information-related risks posed to the University.
- Risk management objectives—25 specific goals for managing and mitigating information risk to the University.
- Security standards—Requirements for achieving information risk management objectives and compliance with laws, regulations, and policies.
- Security controls—Administrative, operational, and technical prescriptions for meeting information security standards.
Risk areas
The Secure UD DGSP categorizes information-related risk to the University into 10 risk areas. Apart from the risk area IS (Information Security Program), which is listed first due to its primacy in the University's risk management model, the risk areas are ordered alphabetically.
Each of the risk areas contains risk management objectives as well as security standards and controls.
Risk management objectives
The Secure UD DGSP establishes 25 risk management objectives (RMOs) that serve as specific goals for managing and mitigating information-related risk to the University. Each risk area has one or more RMOs.
Security standards and controls
Each RMO has one or more security standards, and each security standard has one or more security controls.
Security controls are the discrete requirements of the Secure UD DGSP. Each security control defines administrative, operational, and/or technical requirements for securing IT resources. In order to comply with the Secure UD DGSP, units must implement security controls where applicable.
Security controls apply based on the three University information classifications. Some security controls may apply based on criticality instead of, or in addition to, classification.
Exceptions
Exceptions to security standards and controls must be justified by technical or operational needs and must be approved by the unit head.
IT will work in an advisory capacity to assist units in finding alternatives to security standards and controls that cannot be administratively, operationally, or technically implemented.