Unit guide to managing data risks
In order to achieve its missions, the University must practice a careful balancing act. Units need the freedom to operate efficiently and effectively, but the University also has a duty to manage the risks it incurs as it operates. Part of managing operational risks is managing data risks—data and information technology are indispensable assets, but they present unique challenges and must be managed correctly to protect the University and its community.
Information security and risk management can help ensure that the missions of the University—teaching, research, and service—can be realized. Appropriately applied, they help support the success of the University's missions and minimize the risk of failure.
This guide contains a high-level overview of the Secure UD policy requirements applicable to most units and a step-by-step plan for partnering with IT for implementation.
IT also provides the Secure UD Toolkit, which contains all of the tools and guidance (including this guide) necessary to implement effective information security and risk management practices in your unit. The implementation process has been simplified and does not require exhaustive detail. Each step, including the assessment of the unit's security and risk posture, is based on a high-level, conversational understanding of your unit's operational environment, including your business processes and IT devices.
IT is available to assist your unit in understanding and managing your information- and IT-related risks. To get your unit started with Secure UD, contact IT Security for an initial consultation.
What does Secure UD policy mean for your unit?
Secure UD policy creates a standard for information security and organizes information risk into ten broad areas. Many of the requirements established by policy are addressed centrally by IT, and not all requirements apply to all units.
The Secure UD policy requirements applicable to most units include:
Risk area
Policy requirements
Information security program risk
- Complete a unit compliance and risk survey.
- Develop and maintain a unit information security plan.
IT resource acquisition risk
- Partner with IT, General Counsel, and Procurement Services to negotiate contract terms that manage risks presented by outsourced (cloud) computing services.
Application security risk
- If your unit develops applications, implement security throughout the software development lifecycle.
Contingency planning risk
- Back up unit data to ensure its availability.
- Develop and maintain a business continuity plan.
Data management risk
- Appropriately manage data throughout its lifecycle based on business needs, laws, regulations, and contractual obligations.
- Manage and review user access to IT resources on a regular basis.
- Encrypt Level III (sensitive) data to protect its confidentiality.
- Securely dispose of IT devices and sensitive data.
Human resources risk
- Ensure that employees complete Secure UD Training and the Secure UD End User Ackowledgement annually.
Identification and authentication risk
- Use unique, non-administrator acounts for routine work.
- Use strong passwords and two-factor authentication to protect accounts and IT resources.
Incident response risk
- Reinforce to employees their responsibility to report potential security incidents.
Physical security risk
- Don't leave IT devices or paper records unattended in public areas.
Implementing Secure UD in your unit
To get your unit started with Secure UD, contact IT Security for an initial consultation. IT is available to assist your unit in understanding and managing your information- and IT-related risks. The rollout plan below can be customized as necessary to suit your unit's needs.
Objectives:
- Discuss and understand your unit's security practices in the context of your operational needs and IT environment.
- Walk your unit through a lightweight survey of your unit's security and risk posture.
- Identify next steps for your unit and facilitate security actions and planning.
Estimated time needed: 2-3 hours
Deliverables:
- Information risk report card
- Three year risk management strategy template
- Unit information security plan
Units may also apply the Secure UD Toolkit on their own; the included tools are designed to be usable with or without IT involvement. Completion time for each step may vary according to a number of factors, including unit size, availability of key personnel, and current unit security practices. IT is available to assist units in applying the Secure UD Toolkit and improving security practices.
Step
Description
Step 1: Assess your unit's security and risk posture.
Conduct a lightweight, streamlined security and risk survey (Secure UD Compliance and Risk Survey) or a more thorough data risk assessment (Secure UD Risk Assessment Tool) to identify your unit's baseline security and risk posture.
Objectives:
- Produce an initial compliance and risk report card to establish your unit's baseline security and risk posture, including control gaps.
- Identify a high-level, three-year risk management strategy, including planned improvements, for your unit.
- Facilitate risk management actions and planning.
Estimated time needed: 1-3 hours
Step 2: Secure unit client systems.
Ensure that your unit's client systems are consistently and appropriately protected using desktop management and other security software.
Objectives:
- Implement security controls to protect your unit's client systems.
- Identify additional opportunities to implement security within your unit.
Estimated time needed: Varies
Step 3: Develop your unit's information security plan.
Develop your unit's information security plan consistent with your unit's operational needs, current security capabilities, and planned future security capabilities. The Secure UD Security Plan Tool can assist in developing a unit information security plan that aligns with policy and your unit's goals.
Objectives:
- Develop your unit's information security plan.
Estimated time needed: 1-3 hours (using the Secure UD Security Plan Tool)
Step 4: Educate and equip your employees to continue managing security and risk.
IT will provide you with tools, training, and guidance to enable your unit to continuously manage your security and risk initiatives as part of its business processes. Secure UD Training is available to employees to provide ongoing security education and awareness. Your unit is advised to make Secure UD Training a requirement for unit employees and to hold employees accountable for training completion during performance appraisals.
Objectives:
- Increase your unit's participation in Secure UD Training.
- Support ongoing unit information security and risk management efforts.
Estimated time needed: Ongoing
