IT Security Program Review
Date of Current Revision or Creation: November 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with University Information Technology policies, other University policies, and applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to establish the management responsibilities and define the elements to be examined in information security program reviews.
Definitions
Information Security Officer (ISO) is the person responsible for developing, reviewing, evaluating, and managing the University's Information Security Program.
Information Security Program is the framework of general principles, guidelines and security controls and elements used to protect University data and assets and to satisfy the laws and regulations relevant to information security.
Information Security Review is a summary of security recommendations and safeguards to be developed by the University, the IT Security Team and the technical staff for the continued protection of information technology assets.
Standards Statement
The University's Information Security Program elements are reviewed on an annual cycle and when significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
The IT Security Program Reviews include assessing opportunities for improvement of information security policy and the approach to managing information security in response to changes to the organizational environment, business circumstances, legal conditions, or technical environment.
The ISO reviews should include information on these topics as appropriate:
- feedback from interested parties
- results of independent reviews
- status of preventive and corrective actions
- results of previous ISO reviews
- process performance and information security policy compliance
- changes to the organizational environment, business circumstances, available resources, contractual, regulatory, and legal conditions, or to the technical environment
- trends related to identified threats or vulnerabilities
- reported information security incidents
- recommendations provided by relevant authorities
ISO management reviews will document decisions and/or actions related to:
- improvement of the organization's approach to managing information security and its processes
- improvement of control objectives and controls
- improvement in the allocation of resources and/or responsibilities
Based on the results of the reviews, the ISO Office develops an IT Security Review outlining strategies and actions for the protection of the confidentiality, integrity, availability, and accountability of the University's information technology assets.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3505 - Security Policy
History
Date | Responsible Party | Action
April 20, 2010 | CIO/ITAC | Approved
October 2011 | CIO/ITAC | Reaffirmed
August 2015 | IT Policy Office/ISO | Three year review, updated links.
July 2018 | IT Policy Office | Definitions and links checked
November 2021 | IT Policy Office | Definitions and links checked