Secure UD policy FAQ

Use the following questions and answers to learn more about Secure UD policy. If you don't see your question or would like clarification, contact the IT Support Center.

Note: These FAQs are about Secure UD policy. For FAQs about general topics in information security, including FAQs about other Secure UD offerings, read the IT Security FAQs.

To get your unit started with the essentials of Secure UD, contact IT Security for a consultation.

About Secure UD policy

1. What is Secure UD policy?
2. What is information security?
3. What are the risks to IT resources?
4. How can I use Secure UD to manage my unit's data risks?
5. Isn't information security an IT issue?
6. What are University information classifications?
7. What makes information sensitive?
8. What are integrity, availability, and criticality?

Roles and responsibilities

1. Who is responsible for information security in my unit?
2. What are my information security roles and responsibilities?
3. I have other job responsibilities. Will these new responsibilities prevent me from fulfilling them?
4. What are functional areas and units?
5. What if I'm a part of multiple units?
6. How can IT help my unit manage security and risk?

Secure UD Data Governance & Security Program (Secure UD DGSP)

1. What is the Secure UD Data Governance & Security Program?
2. Do I need to read the Secure UD DGSP?
3. I'm a unit head. How do I use the Secure UD DGSP?
4. What are security controls?
5. How should security controls be applied?

Unit information security plans

1. What is a unit information security plan?
2. Who is responsible for the unit information security plan?
3. What does the unit information security plan need to include?
4. I'm a unit head. How do I write my unit information security plan?
5. I'm a local support provider. How do I use my unit's information security plan?
6. I'm a regular employee. How do I use my unit's information security plan?

Resources FAQ

1. Is there training available for employees?
2. Is there guidance available to unit heads and local support providers?

---

About Secure UD FAQs

1. What is Secure UD policy?

Secure UD is the University's comprehensive, community-oriented information security initiative. Secure UD policy forms the core of this initiative and provides for organized, consistent, and institutional information security and risk management efforts through University-wide roles and responsibilities for data governance and standards for information security.

Secure UD policy includes IT policies and the University's institutional information security program. IT provides supporting tools and awareness resources (including training). Together, these components empower the University's widely varied units to understand and consistently manage the risks to IT resources, including the University's data, systems, and network. Further, they equip every unit to take an active role in securing the University and its community against cyber threats.

2. What is information security?

Information security is the practice of protecting data and devices to preserve their confidentiality, integrity, and availability. To do this, they must be protected from unintentional, unlawful, or unauthorized disclosure, modification, or destruction. It encompasses the security of all IT resources, including both University information and the IT devices that access, process, store, or transmit it, from central IT servers to unit computers, smartphones, and tablets.

3. What are the risks to IT resources?

Data and technology are vital strategic assets. They greatly expand the University's capabilities and are powerful tools for decision making, management, and improvement. But they also come with risks. Increasing cyber threats, such as software vulnerabilities and phishing attacks, put the University, its data, and its community at risk of harm.

The University has a responsibility to manage the risks to its IT resources in order to protect its community and itself from harm. Your unit plays a role in protecting the University: by committing to security and proactively protecting your IT resources, you can reduce the risk to your unit, the University, and the community.

4. How can I use Secure UD to manage my unit's data risks?

In order to ensure the greatest degree of operational freedom and the most appropriate application of security controls, Secure UD focuses on unit-level information security and risk management efforts. It establishes a baseline for security across the University, and each unit adapts the framework's flexible requirements to suit its needs.

Each unit is generally responsible for managing its IT resources—and their associated risks—as part of its University activitieses. Secure UD gives units a common language for understanding and describing risks to IT resources. It provides guidance and other resources to assist units in appropriately managing these risks. IT is available to assist units in understanding, planning, and implementing information security and risk management.

Ultimately, Secure UD aims to make information security and risk management as straightforward as possible for all units. Security, properly approached, supports the University's missions. Every unit has a responsibility to manage security as part of its operations.

To get your unit started with Secure UD, contact IT for an initial consultation. Contact IT via email to secadmin@udel.edu or by calling the IT Support Center at (302) 831-6000.

5. Isn't information security an IT issue?

Information security is an organizational issue, not exclusively an IT issue. Security is needed wherever University information or systems are involved. IT provides security to central systems and the University network. However, much of the risk to IT resources can only be managed within units' day-to-day operations. We all share responsibility for properly managing the University's IT resources, including University information and IT devices.

Secure UD policy respects the essential autonomy units need in order to fulfill their University activities and processes. Each unit is empowered to determine which security controls are relevant to its needs; not all security controls will apply to all units, and many will apply only to IT. Each unit has a responsibility to manage its own security posture just like each individual has a responsibility for his or her own actions. Secure UD policy is a balance between the organizational need for information security and the individual need for information use.

6. What are University information classifications?

University information classifications are the three classifications or categories used to describe the sensitivity of the University's data:

1. Level I—Low Impact information
2. Level II—Moderate Impact information
3. Level III—High Impact Information

Data is classified according to how confidential, or sensitive, it is. For example, public event information is not particularly sensitive, and access to it does not need to be restricted. However, Social Security numbers are extremely sensitive and must be protected from unauthorized or unintentional distribution and access.

University information is protected according to the security controls commensurate with its classification. The more sensitive the information, the greater its protection requirements.

7. What makes information sensitive?

Information's sensitivity is based on what the impact might be if it were exposed. Information may represent a risk to an individual, a group, an organization, or even the nation, and the risk may be financial, legal, safety, or reputational (or even multiple such risks). Information is generally considered sensitive if its exposure would have a significant impact on the parties responsible for or represented by that information.

Information sensitivity is associated with its confidentiality, or the need to protect it from unintentional, unlawful, or unauthorized disclosure (including through theft, misplacement, or sharing).

Examples of kinds of information that are generally considered sensitive:

• Social Security numbers (SSNs)
• Bank account or credit card numbers
• Driver's license numbers
• Passport or Visa numbers
• Protected health information (PHI/ePHI)
• Protected research data, especially export-restricted data
• UDelNet passwords

Every University employee is responsible for protecting sensitive University information as they access and use it to fulfill their other job responsibilities.

8. What are integrity, availability, and criticality?

Integrity is a measure of the need to protect information from unintentional, unlawful, or unauthorized alteration, including changes and destruction. If an IT resource has high integrity concerns, then it's vital that the IT resource remain authentic and unaltered.

Availability is a measure of the need to ensure that information can be accessed by those who have a legitimate interest in using it. If an IT resource has high availability concerns, then it's vital that the IT resource remain available so University activitieses can be completed.

Criticality is a measure of both integrity and availability. It indicates how essential the information is to the University's operations. An IT resource's criticality is the higher of its integrity and availability concerns. For example, an IT resource with moderate integrity concerns and low availability concerns would have moderate criticality concerns.

Roles and responsibilities FAQs

1. Who is responsible for information security in my unit?

Your unit head is already responsible for overseeing your unit's operations. He or she ensures that your unit conducts University activities effectively and efficiently, but also securely. By establishing the need for information security within your unit, your unit head sets the tone for employees and helps ensure that the University, its community, and its IT resources are guarded against cyber threats.

Other employees help implement security as they work. Everyone at the University shares the responsibility to protect IT resources.

IT provides security to central systems and the University network. However, much of the risk to IT resources can only be managed within units' day-to-day operations.

2. What are my information security roles and responsibilities?

All members of the University community—students, faculty, and staff alike—are responsible for protecting the IT resources they use or manage. Access to the University's information, devices, and systems is a privilege, and everyone who has access has a duty to use it responsibly and in accordance with information security procedures and requirements.

Within your unit, you may have information security roles and responsibilities based on how you use IT resources. In some cases, you may fulfill multiple roles.

• Everyone who has access to IT resources, including University information, is an end user of those IT resources. End users are responsible for protecting IT resources as they fulfill their other job responsibilities.
• Unit heads have the highest level of authority over the day-to-day management of their units' operations.unit head.
• Local support providers are appointed by the unit head to manage the installation, configuration, security, or ongoing maintenance of IT devices.

3. I have other job responsibilities. Will these new responsibilities prevent me from fulfilling them?

Not at all. Security requirements aren't meant to distract you from your other responsibilities; they're meant to equip you to keep yourself, the University, and the community safe from cyber threats.

Information security is already a part of your workday. Each time you sign in to your computer or UDelNet account, you're practicing security. Many security requirements are exactly these kinds of small tasks; if they aren't already part of your daily routine, they will take you only moments to complete and will soon become second nature.

4. What are functional areas and units?

In order to better organize and manage the University's activities and risk, the University is divided into functional areas and units. At each of these levels, data governance and information security roles clarify the accountability and responsibility for securing IT resources.

A functional area is one or more units that have primary responsibility for managing a core University mission or function. For example, Human Resources is a functional area. Data governance and information security responsibility within a functional area is assigned to that functional area's data steward.

A unit is a University department, school, institute, program, office, initiative, center, or other operating unit. For example, Benefits is a unit within the functional area of Human Resources. Information security responsibility within a unit is assigned to that unit's unit head.

5. What if I'm a part of multiple units?

Your responsibility to protect IT resources is something you carry with you no matter where you go or how you use those IT resources: you're responsible for protecting all of the IT resources to which you have access.

Each unit should have information security plans and procedures, which you're responsible for following. If you have questyions about your responsibilities within your units, contact your unit heads or local support providers for clarification.

6. How can IT help my unit manage security and risk?

IT is available for personalized consultations with units regarding their security needs and the risk to their IT resources. These consultations may include assistance with identifying next steps, applying security and risk management tools, and formally planning for information security.

To get your unit started with Secure UD, contact IT for an initial consultation. Contact IT via email to secadmin@udel.edu or by calling the IT Support Center at (302) 831-6000.

Secure UD Data Governance & Security Program (Secure UD DGSP) FAQs

1. What is the Secure UD DGSP?

The Secure UD DGSP is the University's comprehensive plan for information security and risk management across the institution.

The Secure UD DGSP is an extension of the University Information Security Policy. It describes the roles and responsibilities for information security and risk management and establishes security standards for the protection of IT resources. The Secure UD DGSP covers all data used to support University activities as well as the units and employees engaged in those activities.

2. Do I need to read the Secure UD DGSP?

It depends on your role within your unit and at the University. The Secure UD DGSP is meant to be a reference; unit heads and local support providers must understand the Secure UD DGSP, and every employee must understand their own unit's security procedures, but the vast majority of employees are not responsible for reading the Secure UD DGSP.

If you are a unit head or local support provider, you must understand the Secure UD DGSP and its requirements because you are responsible for managing your unit's IT resources.

If you are just an end user of University information and do not fulfill any of the other administrative or technical roles listed above, then you are responsible generally for complying with your unit's information security plan, but you are not responsible for reading the Secure UD DGSP itself. Your unit's information security plan will explain the procedures you should follow to protect your unit's IT resources. In addition, the Secure UD website highlights the most common information security topics in easy-to-understand terms. You can use this website to further explore information security.

3. I'm a unit head. How do I use the Secure UD DGSP?

As a unit head, you are principally responsible for your unit's information security efforts, including your unit information security plan.

The Secure UD DGSP provides the information you need in order to appropriately protect your unit's IT resources:

• Roles and responsibilities that all University employees have for information security and risk management. You can use these definitions as a starting point for assigning roles and responsibilities within your unit.
• A model for organizing and understanding the risks that affect the University and your unit.
• A comprehensive set of security standards that you can selectively and appropriately apply to protect your unit's IT resources.

The Secure UD DGSP is a starting point for your unit information security plan. Use the risk areas, risk management objectives, security standards, and security controls defined in the Secure UD DGSP to inform your unit information security plan, which describes the requirements and procedures your unit will take to secure its IT resources. IT has created the Secure UD Security Plan Tool to assist you in creating your unit information security plan.

4. What are security controls?

Security controls are the requirements and recommended best practices established by the Secure UD DGSP for the protection of IT resources.

Each security control applies based on the classification and/or the criticality of the IT resource in question. Not all security controls apply to every unit or to every IT resource; units have significant autonomy to determine which security controls are relevant and how to implement them consistently with their business needs.

5. How should security controls be applied?

The Secure UD DGSP established security controls for the protection of IT resources across the institution. The Secure UD DGSP is a complete list of these security controls, but not every security control will apply to every unit, and many will apply only to IT. Units have significant autonomy to determine which security controls are relevant and how to implement them consistently with their business needs.

Each security control indicates the classification(s) and/or the criticality of the IT resources to which it applies. Occasionally, data stewards or unit heads may decide that an IT resource warrants protections beyond those assigned based on its normal classification. In these cases, the data steward or unit head may require that additional security controls be applied to protect that IT resource. For example, some security controls prescribed for Level III IT resources may be applied to other IT resources as a best practice.

Some security controls are required for all classifications of IT resources because they are fundamental to the unit's and University's security posture. For example, anti-virus protection is important irrespective of classification or criticality because each device on the network represents a potential target or entry point for an outside attacker.

Unit information security plan FAQs

1. What is a unit information security plan?

A unit information security plan is a written document intended to inform unit employees about their responsibility to protect IT resources and the procedures the unit will use in order to fulfill that responsibility.

Each unit information security plan is based on the Secure UD DGSP and driven by the needs of the unit. Each unit must have its own information security plan.

2. Who is responsible for the unit information security plan?

Every unit employee is responsible for following the requirements of the unit information security plan.

The unit head is responsible for overseeing the unit's security practices. This includes determining the unit's security needs and writing the unit information security plan as a guide for how the unit will satisfy those needs. The Secure UD DGSP can be used as a reference during this process, and the Secure UD Security Plan Tool can be used to write the unit information security plan.

Local support providers will configure and support unit IT devices based on the unit information security plan. Local support providers may also be consulted about the appropriateness of security controls to the unit's needs.

3. What does the unit information security plan need to include?

The unit information security plan must include, for each applicable risk management objective in the Secure UD DGSP, a summary of how the unit will meet that objective in the course of its operations. It should also reference other applicable documents, such as policies, procedures, or plans. A listing of unit security and technical staff is useful for reference. The Secure UD Security Plan Tool provides a template and guidance for writing a unit information security plan that includes these elements.

The function of the unit information security plan is to clearly convey the unit's information security requirements to unit employees. Therefore, the unit information security plan should be written with appropriate technical detail, but it does not need to describe exhaustively the exact steps for certain operational or technical processes.

4. I'm a unit head. How do I write my unit information security plan?

IT provides the Secure UD Security Plan Tool to assist you with organizing and writing your unit information security plan. It includes a template and guidance for creating an effective plan and is the starting point for unit information security and risk management. The Secure UD DGSP can be referenced for additional information.

When writing your unit information security plan, you should focus on your unit's business needs, including its security needs, and how security can be implemented to support University activitieses. Reference other documents and resources as necessary, especially if they explain procedures in greater detail, but be aware that you are not required to exhaustively describe each security-related process within the unit information security plan itself. Your unit information security plan is meant to be a general reference document for your employees and should help contextualize and explain your unit's security practices in a clear and concise manner.

5. I'm a local support provider. How do I use my unit's information security plan?

As a local support provider, you are responsible for the installation and maintenance of one or more unit IT devices. Use your unit information security plan as a resource to guide you in securely and consistently configuring and supporting your unit's IT devices and other IT resources.

You are encouraged to discuss your unit information security plan with your unit head and assist end users in understanding how to integrate security into their work.

6. I'm a regular employee. How do I use my unit's information security plan?

As a end user, you are responsible for being aware of and understanding your unit's security procedures, which are documented in your unit's information security plan. You are encouraged to discuss security within your unit.

Every University employee shares the responsibility to protect IT resources, the University, and the community by practicing security as part of their work.

Resources FAQs

1. Is there training available for employees?

Yes. The University offers information security awareness training to employees.

Secure UD Training is a modular, self-paced, online training program that helps employees identify and address threats and concerns regarding computing and information security. Faculty and staff can take Secure UD Training to improve their awareness of information security issues. If you aren't already enrolled in training, contact the IT Support Center to request your enrollment.

2. Is there guidance available to unit heads and local support providers?

Yes. IT offers a set of implementation tools to assist unit heads with understanding Secure UD policy and its requirements. These tools help simplify several important security tasks, including

• inventorying IT resources
• assessing compliance and risk
• planning unit information security.

The Secure UD Toolkit contains all of the tools and guidance necessary to get started with implementing Secure UD policy in your unit.

To get your unit started with Secure UD, contact IT for an initial consultation. Contact IT via email to secadmin@udel.edu or by calling the IT Support Center at (302) 831-6000.