Secure UD Data Governance & Security Program
The Secure UD Data Governance & Security Program (Secure UD DGSP) is the cornerstone of Secure UD. It is the University's comprehensive plan for information security and risk management across the institution. It describes the roles and responsibilities for information security and risk management and establishes security standards and controls for the protection of IT resources. The Secure UD DGSP is built on the premise that information risk management is an organizational issue, not exclusively an IT issue. IT provides some security centrally, but much of the risk to IT resources can only be feasibly managed within units' day-to-day operations.
The Secure UD DGSP creates an institutional model for managing risk and protecting IT resources. It defines the security standards to which all IT resources are held.
This site provides guidance and tools to guide units through Secure UD policy and enhance their security in support of their missions and goals. IT is available for consultation to help units understand and manage risk.
All end users of IT resources are responsible for protecting IT resources. End users are not responsible for reading this document, but they must be aware of and follow their unit's and the University's security practices.
What does Secure UD policy mean for your unit?
Secure UD policy creates a standard for information security and organizes information risk into ten broad areas. Many of the requirements established by policy are addressed centrally by IT, and not all requirements apply to all units.
The Secure UD policy requirements applicable to most units include:
Information security program risk
IT resource acquisition risk
- Partner with IT, General Counsel, and Procurement Services to negotiate contract terms that manage risks presented by outsourced (cloud) computing services.
Application security risk
- If your unit develops applications, implement security throughout the software development lifecycle.
Contingency planning risk
- Back up unit data to ensure its availability.
- Develop and maintain a business continuity plan.
Data management risk
- Appropriately manage data throughout its lifecycle based on business needs, laws, regulations, and contractual obligations.
- Manage and review user access to IT resources on a regular basis.
- Encrypt Level III (sensitive) data to protect its confidentiality.
- Securely dispose of IT devices and sensitive data.
Human resources risk
Identification and authentication risk
Incident response risk
- Reinforce to employees their responsibility to report potential security incidents.
Physical security risk
- Don't leave IT devices or paper records unattended in public areas.
Risk management model
The Secure UD DGSP creates a risk management model:
- Risk areas—10 broad groups of IT and information-related risks posed to the University.
- Risk management objectives—25 specific goals for managing and mitigating information risk to the University.
- Security standards—Requirements for achieving information risk management objectives and compliance with laws, regulations, and policies.
- Security controls—Administrative, operational, and technical prescriptions for meeting information security standards.
The Secure UD DGSP categorizes information-related risk to the University into 10 risk areas. Apart from the risk area IS (Information Security Program), which is listed first due to its primacy in the University's risk management model, the risk areas are ordered alphabetically.
Each of the risk areas contains risk management objectives as well as security standards and controls.
Risk management objectives
The Secure UD DGSP establishes 25 risk management objectives (RMOs) that serve as specific goals for managing and mitigating information-related risk to the University. Each risk area has one or more RMOs.
Security standards and controls
Each RMO has one or more security standards, and each security standard has one or more security controls.
Security controls are the discrete requirements of the Secure UD DGSP. Each security control defines administrative, operational, and/or technical requirements for securing IT resources. In order to comply with the Secure UD DGSP, units must implement security controls where applicable.
Exceptions to security standards and controls must be justified by technical or operational needs and must be approved by the unit head.
IT will work in an advisory capacity to assist units in finding alternatives to security standards and controls that cannot be administratively, operationally, or technically implemented.