Table of Contents
- #Overview | #Standards | #Getting Started | #Resources
- Management Direction for Information Security (ISO 5.1)
Overview
Security Policy is how an institution expresses its intent with regard to information security. This overarching policy is where the Board of Trustees or the executive management of an institution give clear evidence of their intent to secure information, of the guidance and governance of the security effort, and of the institution's root belief in the primacy of efforts to secure information.
Within such a policy, institutional leaders are able to set a clear plan for information security, describing its important role in supporting organizational goals, as well as compliance with relevant laws and regulations. It can additionally set out operating plans and processes to arrive at the institution's goals for information security. The policy can also establish required standards, behaviors and outcomes, depending on the specificity sought.
In the context of higher education, the overarching security policy document is often (though not always) arrived at through a consensus building process; with solicitation and feedback from parties within an institution's governance structure. Once established, effectively communicating, maintaining and updating the security policy ensures that the stated intent and corresponding community expectations are consistent and maintain their relevancy over time to reflect changes in technology, laws, organizational approach, and other factors.
#Top of page
Standards
27002:2013 Information Security Management |
800-53: Recommended Security Controls for Federal |
APO01.03 |
Req 12 |
ID.GV-1 |
45 CFR 164.316(a) |
#Top of page
Getting Started
Useful resources for those just getting started with an information security policy, or IT policies in general.
- A Framework for IT Policy Development: EDUCAUSE Review article suggesting that "colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality."
- Outline of Model Security Policy Elements: Provides examples of security policy and procedures that may be edited to fit the needs of institutions of higher education.
- Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.
- Sample Policies: EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.
#Top of page
Management Direction for Information Security (ISO 5.1)
Objective: The governing entity at every institution needs to establish security policy, targets, processes, and various procedures related to their risk management and information security improvements to deliver results in accordance with stated objectives.
- defining what information security means to the institution,
- stating leadership support for information security in relation to the goals of the institution,
- defining roles, responsibility, and accountability,
- describing mechanisms for ensuring security (including managing & mitigating risks), and
- outlining any standards or requirements to be followed. (These might include legislative or other legal requirements, education or awareness training, methods for reporting information security incidents, and other requirements.)
- Detail of what additional documentation may support the security policy
NOTE: A careful balance must be reached to ensure that the policy enhances organizational security by providing enough detail that community members understand their expected role & contribution, but not so much detail that the organization is exposed to unnecessary risk.
#Top of page
Resources
EDUCAUSE Resources
- Information Policies
- Security Policies
- EDUCAUSE/Cornell Institute for Computer Policy and Law
- EDUCAUSE Policy Initiatives
- Federal Privacy Law
- FERPA
- Gramm-Leach-Bliley (GLB) Act
- Higher Education Act
- Higher Education Compliance Alliance Matrix
- HIPAA
- ID Theft Red Flags
- Outline of Model Security Policy Elements
- PCI DSS
- Policy and Law
- Policy and Law: Campus
- Policy and Law: Federal
- Policy and Law: State
Initiatives, Collaborations, & Other Resources
- Higher Education Compliance Alliance
- SANS Information Security Policy Templates (Note: These templates may need customization for the higher education environment.)
- Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs (includes several sample policies)
Questions or comments? Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).