Table of Contents
- Information Security Policies
- Management Direction for Information Security (ISO 5.1)
Getting Started
- The initial step in developing an information security policy is to identify which laws, regulations, and information security drivers are applicable to your institution.
- Perform a high-level gap analysis of each applicable regulatory requirement and driver to determine where policy is needed.
- Develop a prioritized action plan to help you organize your efforts.
- Prepare a summary document of the impact that the information security policy or policies will have on the institution. The document should:
  - Describe the policy
  - Communicate the reason or business justification for the policy, as well as the risks and negative impact of not implementing it
  - Identify regulatory, technical, cultural, and organizational dependencies for implementing the policy
  - Identify milestones and possible roadblocks to implementation, compliance, and enforcement
  - Identify impacted stakeholders
- Develop the policy in collaboration with other key stakeholders at your institution.
- Ensure the policy is vetted by impacted subject matter experts and business owners, including information security, legal counsel, human resources, and any other applicable steering committees.
- Review resources in the Guide such as the GRC FAQ, as well as standards and regulations that address specific requirements (e.g., PCI DSS 3.0, HIPAA, GLBA).
- Publish, communicate, train, and implement.
Overview
The adoption of one or more information security policies is the first step that institutions of higher education take to express their commitment to the protection of institutional information resources and the information entrusted to them by constituencies and partners. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.
The information security policy also gives institutional leaders an opportunity to set a clear plan for information security, to describe its role in supporting the missions of the institution, and to state the institution's commitment to comply with relevant laws and regulations. The policy should be brief, easy to understand, enforceable, focused on desired behaviors and outcomes, and, most importantly, balanced in affording security while enabling and preserving productivity.
At institutions of higher education, the overarching information security policy document is often (though not always) drafted through a consensus-building process that solicits feedback from all identified stakeholders. Once the policy is approved and published, effective communication and periodic review and updating ensure that its stated intent and corresponding expectations remain consistent and relevant over time, reflecting changes in technology, laws, business practices, and other factors.
Management Direction for Information Security (ISO 5.1)
Objective: Executive Management should define a policy or set of policies to clarify their direction of, and support for, information security.
If a policy is a statement of intent (according to most definitions), then a policy for information security can be defined as a formal high-level statement that embodies the course of action adopted by an institution regarding the use and safeguarding of institutional information resources. The policy statement should clearly communicate the institution's beliefs, goals, and objectives for information security.
To be effective, an information security policy must:
- Require compliance (i.e., it should be mandatory for the intended audience)
- Be implementable (e.g., consider the impact on legacy systems and current infrastructure)
- Be enforceable (i.e., failure to comply should result in disciplinary action)
- Be brief and easy to understand
- Balance protection with productivity
Also, the information security policy should:
- State why the policy is needed (i.e., business reasons)
- Exemplify the institution's commitment to information security
- Express leadership support for the role of information security in carrying out the institution's missions
- Focus on desired behaviors (e.g., acceptable use) and outcomes
- Define roles and responsibilities
- Outline the standards and procedures to be followed
A careful balance must be reached to ensure that the policy enhances institutional security by providing enough detail that community members understand their expected role and contribution but not so much detail that the institution is exposed to unnecessary risk.
See Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.
Policies for Information Security
There are a number of standards that can be used as a foundation for an institution's information security policy framework. The Standards box below lists a few popular industry standards. Choosing the right policy framework is all about what will work best for the institution and its missions. Institutions of higher education should consider the following when selecting a framework for their information security policy:
- What works for the institution?
- What has not worked before?
- What fits the institution's culture?
- What regulatory requirements must be met?
- What are the organizational drivers?
- What future technology is on the institution's roadmap?
- What resources (staff, budget, skill sets) are needed to obtain the desired outcomes?
See A Framework for IT Policy Development, which supports the ideas expressed in an EDUCAUSE Review article that suggested "colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality."
It is important to keep in mind that one of the main goals of an information security policy is to issue directives. The difficult part is deciding on the appropriate level of control to exert. The appropriate level should be informed by the following considerations:
- If policies are too restrictive or hard to implement, people will find ways to circumvent the controls.
- Technical controls are not always possible or, at times, desirable.
- Directives should be 'top-down', i.e., fully supported by top management.
Organizational Drivers
Since most information security practitioners would agree that it is impossible to protect everything the same way all the time, institutions should identify the business and technical drivers that will guide the creation and implementation of the information security policy as well as assist in its vetting, approval, and socialization. These drivers can be high-level statements that convey the institution's priorities and direction and help stakeholders make the right decisions regarding what standards to require, what technology to deploy, and how to build the architecture required to implement the policy.
The information security CIA triad exemplifies the highest-level driver: to preserve the confidentiality, integrity, and availability of institutional information resources. More specific examples include:
- Uniquely identify and authenticate all users and entities affiliated with the institution
- Provide users the least access required to perform their job function
- Adopt information security industry standards where appropriate
- Implement mitigating controls proactively, based on risk and the cost of risk mitigation
- Identify what information the institution maintains, where it is located, and who owns and is responsible for it
- Classify institutional data and safeguard it based on risk
- Balance the business need to offer and deploy new applications and services against the security risks they might pose to the institution
Review of Information Security Policy
Most institutions of higher education will have a documented periodic policy review process in place (e.g., annually) to ensure that policies are kept up to date and relevant. In some institutions, a policy manager is the individual who determines the need for a new policy or for an update to an existing policy. In other institutions, the role of policy manager may be played by the business owner (e.g., the Chief Information Security Officer may be the owner/manager of the information security policy).
Policy Review and Update Drivers
The information security policy owner or manager will review and update the policy at the required intervals or when external or internal drivers require the review and update of the policy. The following are the most common drivers that would prompt a review of the institution's information security policy.
- Changes in Federal or State laws and regulations
- Changes in technology (e.g., increased use of mobile devices on campus)
- Major information security project deployments (e.g., deployment of Mobile Device Management (MDM))
- Audit findings
- Policy format changes (e.g., new policy management function and process)
- Increased reliance on third-party service providers (e.g., outsourcing, cloud)
- New business practices (e.g., online education, telecommuting, telemedicine)
Policy Review and Update Process
The process to review and update the information security policy should include the following steps:
- Document needed changes
- Make changes to a draft version of the policy
- Determine whether the changes are significant or alter the intent of the original policy
  - If so, ensure the changes are vetted by impacted subject matter experts and business owners, including information security, legal counsel, human resources (if applicable), and any other applicable steering committees
- Publish, communicate, train, and implement
Information Security Policies
To assist in developing important security policies, the institutional policies below have been identified as examples of good policies for the topics corresponding to the chapters of the Information Security Guide.
Risk Management
- EDUCAUSE Risk Management Framework
- UT Health Science Center at San Antonio Electronic Information Security Risk Management Policy
Organization of Information Security
General Information Security Resources
- EDUCAUSE Security Policies Resource Page (General)
- ISO Standards in Plain English
- NIST SP800-53 rev 3: Recommended Security Controls for Federal Information Systems and Organizations
- Computing Policies at James Madison University
- Computing Policies at University of Iowa
- University of California at Los Angeles (UCLA) Electronic Information Security Policy
- University of Notre Dame Information Security Policy
Information Services Privacy
- EDUCAUSE Campus Privacy Policies Resource Page
- University of Texas Health Science Center at San Antonio Information Resources Privacy Policy
- University of Minnesota Selecting an Online Privacy Policy
Institutional Data Protection
- Carnegie Mellon Guidelines for Data Protection
- UCLA Protection of Electronically Stored Personal Information Policy
Policy Creation, Review, and Exceptions
Portable Computing
- EDUCAUSE Campus Cellular Telephone Policies
- EDUCAUSE Mobile Internet Device Security Guidelines
- EDUCAUSE Securing Mobile Devices: A Security Professionals 2011 Pre-Conference Seminar
- EDUCAUSE BYOD Resources
- University of Texas Health Science Center at San Antonio Portable Computing Policy
- University of Texas at Austin Handheld Hardening Checklists
- University of Oregon Mobile Device Security Policy Recommendations and Questions
- University of Pennsylvania Server-Managed Personal Digital Assistant (PDA) Policy with Disclaimer
Human Resources Security
Acceptable Use Policy
- University of Texas Health Science Center at San Antonio Acceptable Use Policy: http://www.uthscsa.edu/hop2000/5.8.10.pdf
- University of Minnesota Acceptable Use of information Technology Resources Policy: http://www.policy.umn.edu/Policies/it/Use/ITRESOURCES.html
- Purdue University Acceptable Use Policy: http://www.purdue.edu/policies/information-technology/viia2.html
Security Training
- EDUCAUSE Security Training resource page: http://www.educause.edu/library/security-training
- UT Health Science Center at San Antonio Information Security Training and Awareness Policy: http://www.uthscsa.edu/hop2000/5.8.17.pdf
Social Media
- State of Texas Social Media Policy: http://www.texas.gov/en/about/Pages/social-media-policy.aspx
- Stanford University Chat Rooms and Other Forums Policy: http://adminguide.stanford.edu/66.pdf
- Ball State University Social Media Policy: http://cms.bsu.edu/about/administrativeoffices/umc/whatwedo/interactive-marketing/gettingstarted/webpolicies/socialmedia
- University of California Santa Barbara Social networking guidelines for administrators: http://www.policy.ucsb.edu/policies/advisory-docs/social-networking-guide.pdf
- University of Florida Social Media Guidelines: http://www.hr.ufl.edu/emp_relations/policy/social_media.asp
- State University of New York Social Media Policy: https://www2.sysadm.suny.edu/EmployeeServices/pdf/SocialMediaPolicyMay.17.2011.pdf
Asset Management
Roles and Responsibilities
- EDUCAUSE Information Security Governance: http://www.educause.edu/library/information-security-governance
- NIST SP800-100 Information Security Handbook: A Guide For Managers: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
- NISTIR 7359 Information Security Guide for Government Executives: http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf
- University of Iowa Information Security Framework: http://cio.uiowa.edu/policy/policy-information-security-framework.shtml
- Carnegie-Mellon Information Security Roles and Responsibilities: http://www.cmu.edu/iso/governance/policies/information-security-roles.html
- Stanford University Computer and Network Usage Policy: http://adminguide.stanford.edu/62.pdf
Acquisition of Technology
- EDUCAUSE Data Protection [RFP] Contracting Language Toolkit: https://spaces.at.internet2.edu/display/2014infosecurityguide/Data+Protection+Contractual+Language
- Northwestern University Policy for Information Technology Acquisition, Development and Deployment: http://www.it.northwestern.edu/policies/acquisition.html
Data Classification
- State of Texas Department of Information Resources Data Classification Guide: http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Data Classification Guide.docx
- EDUCAUSE Data Classification Toolkit: https://spaces.at.internet2.edu/display/2014infosecurityguide/Data+Classification+Toolkit
- EDUCAUSE Campus Data Classification Policies: http://www.educause.edu/library/data-classification-policies
- FIPS 199 Standards for Security Categorization of Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
- University of Texas at Austin Data Classification Standard: http://security.utexas.edu/policies/data_classification.html
- University of Texas Health Science Center at San Antonio Data Classification Policy: http://www.uthscsa.edu/hop2000/5.8.21.pdf
- Carnegie-Mellon Guidelines for Data Classification: http://www.cmu.edu/iso/governance/guidelines/data-classification.html
- Stanford University Data Classification: http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html
- Purdue University Data Classification and Governance Policy: http://www.purdue.edu/policies/information-technology/viib6.html
Access Control
Access Control/Data Access (see also Network Access)
- University of South Carolina Data Access Policy: http://www.sc.edu/policies/univ150.pdf
- Virginia Polytechnic Institute and State University Administrative Data Management and Access Policy: http://www.policies.vt.edu/7100.pdf
Administrative / Special Access
- University of Texas Health Science Center at San Antonio Administrative and Special Access Policy: http://www.uthscsa.edu/hop2000/5.8.19.pdf
- Carnegie-Mellon Guidelines for Appropriate Use of Administrator Access: http://www.cmu.edu/iso/governance/guidelines/appropriate-use-admin-access.html
Authentication Requirements (Framingham)
- NIST SP800-63 rev 1 Electronic Authentication Guideline: http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf
- EDUCAUSE Two-Factor Authentication Resource: https://spaces.at.internet2.edu/display/2014infosecurityguide/Two-Factor+Authentication
- University of Iowa Enterprise Authentication Policy: http://cio.uiowa.edu/policy/EnterpriseAuthenticationV15.shtml
- Purdue University Authentication and Authorization Policy: http://www.purdue.edu/policies/information-technology/viib1.html
Identity Management Access Structure
Passwords
- University of Texas Health Science Center at San Antonio Access Control and Password Management Policy: http://www.uthscsa.edu/hop2000/5.8.4.pdf
- Carnegie-Mellon Guidelines for Password Management: http://www.cmu.edu/iso/governance/guidelines/password-management.html
- University of Iowa Enterprise Password Policy: http://cio.uiowa.edu/policy/Enterprise-Password.shtml
Cryptography
Encryption
- University of Texas at Austin Data Encryption Guidelines: http://security.utexas.edu/policies/encryption.html
- Northwestern University Data Encryption Policy: http://www.it.northwestern.edu/policies/dataencryption.html
Physical and Environmental Security
Data Center Security
- University of Texas at Austin University Data Center Security Policy: http://www.utexas.edu/its/udc/help/udc-security.php
Disposal of Computers, Hard Drives
- EDUCAUSE Guidelines for Data Media Sanitization and Disposal: http://www.educause.edu/library/resources/guidelines-data-sanitization-disposal
- NIST SP800-88 Guidelines for Media Sanitization: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
- University of Texas Health Science Center at San Antonio Storage Media Control Policy: http://www.uthscsa.edu/hop2000/5.8.22.pdf
- Northwestern University Disposal of Computers Policy: http://www.it.northwestern.edu/policies/disposal.html
- EDUCAUSE Guidelines for Data Media Sanitization: https://wiki.internet2.edu/confluence/display/itsg2/Guidelines+for+Information+Media+Sanitization
- Carnegie-Mellon Guidelines for Data Sanitization and Disposal: http://www.cmu.edu/iso/governance/guidelines/data-sanitization.html
Physical Access
- University of Texas at Austin University Identification Card Guidelines: http://www.utexas.edu/cio/policies/university-identification-card-guidelines
- University of Texas Health Science Center at San Antonio Physical Security for Electronic Information Resources: http://www.uthscsa.edu/hop2000/5.8.27.pdf
- Cornell University Responsible Use of Video Surveillance Systems: http://www.dfa.cornell.edu/dfa/treasurer/policyoffice/policies/volumes/riskandsafety/surveillance.cfm
Operations Security
Backup and Data Recovery
- University of Texas Health Science Center at San Antonio Data Backup Policy: http://www.uthscsa.edu/hop2000/5.8.23.pdf and Guideline: http://ims.uthscsa.edu/InfoSec/guidelines/Backup.pdf
- University of Iowa Backup and Recovery Policy: http://cio.uiowa.edu/policy/policy-backup-recovery.shtml
Computer Configuration
- University of Minnesota Basic Security for Computers and Other Electronic Devices: http://www.policy.umn.edu/Policies/it/Use/SECUREDATA_PROC01.html
Copiers/Printers
- EDUCAUSE Security Guide Copier and MFD Security Hot Topic: https://spaces.at.internet2.edu/display/2014infosecurityguide/Copier+and+MFD+Security
Desktop Management
- University of Texas Health Science Center at San Antonio Administration of Security on Workstation Computers Policy: http://www.uthscsa.edu/hop2000/5.8.28.pdf
Log Management
- NIST SP800-92 Guide to Computer Security Log Management: http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
Security Monitoring
- University of Texas at Austin Network Monitoring Guidelines: http://security.utexas.edu/policies/monitoring.html
- University of Texas Health Science Center at San Antonio Security Monitoring Policy: http://www.uthscsa.edu/hop2000/5.8.13.pdf
Server/Network Device Hardening
- NIST SP800-123 Guide to General Server Security: http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
- University of Texas at Austin Minimum Security Standards for Systems: http://security.utexas.edu/policies/standards_systems.html
- University of Texas Health Science Center at San Antonio Administration of Security on Server Computers Policy: http://www.uthscsa.edu/hop2000/5.8.14.pdf
- University of Texas at Arlington Server Management Policy: http://www.uta.edu/policy/hop/adm/5/602
- UCLA Minimum Security Standards for Network Devices Policy: http://www.adminpolicies.ucla.edu/app/Default.aspx?&id=401
- Northwestern University Server Certificate Policy: http://www.it.northwestern.edu/policies/server-cert.html
Communications Security
DNS Policies
- EDUCAUSE Campus Domain Name Policies: http://www.educause.edu/library/domain-name-policies?filters=sm_cck_field_super_facet%3A%22EDUCAUSE%20Library%20Items%22%20tid%3A33182
- Carnegie-Mellon Recursive DNS Server Operations Guideline: http://www.cmu.edu/iso/governance/guidelines/dns-servers.html
- Registration and Use of UCLA Domain Names Policy: http://www.adminpolicies.ucla.edu/app/Default.aspx?&id=411
E-mail
- EDUCAUSE Email Policies: http://www.educause.edu/library/e-mail-policies
- State of Texas Department of Information Resources Internet and Email Domain Name Policy: http://www2.dir.state.tx.us/SiteCollectionDocuments/Security/Policies%20and%20Standards/email_policy.pdf
- University of Texas Health Science Center at San Antonio Electronic Mail Use and Retention Policy: http://www.uthscsa.edu/hop2000/5.2.6.pdf
- Purdue University Electronic Mail Policy: http://www.purdue.edu/policies/information-technology/viia1.html
- University of Texas at Austin University Electronic Mail Student Notification Policy (Use of E-mail for Official Correspondence to Students): http://www.utexas.edu/cio/policies/university-electronic-mail-student-notification-policy
E-mail (bulk) Approvals
- University of Iowa Mass Email Mailings Policy: http://cio.uiowa.edu/policy/MassMail.shtml
File Sharing
- EDUCAUSE File Sharing Resources: http://www.educause.edu/library/p2p-file-sharing
- University of Texas Health Science Center at San Antonio Peer-To-Peer Access Policy: http://www.uthscsa.edu/hop2000/5.8.11.pdf
Firewall Maintenance
Instant Messaging (IM)
- Carnegie-Mellon Instant Messaging Security and Use Guidelines: http://www.cmu.edu/iso/governance/guidelines/im.html
Internet Use
- University of Texas Health Science Center at San Antonio Internet Use Policy: http://www.uthscsa.edu/hop2000/5.2.8.pdf
Network Access
- University of Texas Health Science Center at San Antonio Network Access Policy: http://www.uthscsa.edu/hop2000/5.8.7.pdf
- University of California at Berkeley: Guidelines and Procedures for Blocking Network Access: https://security.berkeley.edu/blocking.html
Network Configuration
- University of Texas Health Science Center at San Antonio Computer Network Security Configuration Policy: http://www.uthscsa.edu/hop2000/5.8.8.pdf
VPN Usage
- Northwestern University Usage of the NU SSL VPN Policy: http://www.it.northwestern.edu/policies/vpnusage.html
Web Applications
- University of Texas Health Science Center at San Antonio Web Application Security Policy: http://www.uthscsa.edu/hop2000/5.8.29.pdf
- Carnegie-Mellon Web Server Security Guidelines: http://www.cmu.edu/iso/governance/guidelines/web-server.html
System Acquisition, Development and Maintenance
Change Management
- University of Texas at Austin Change Management Guidelines: http://security.utexas.edu/policies/change_management.html
- University of Texas Health Science Center at San Antonio Change Management Policy: http://www.uthscsa.edu/hop2000/5.8.24.pdf
Data File Security (Confidentiality)
- EDUCAUSE Confidential Data Handling Blueprint: https://spaces.at.internet2.edu/display/2014infosecurityguide/Confidential+Data+Handling+Blueprint
SQL Databases and Proxy Servers
Supplier Relationships
Academic Applications Hosting
- University of North Carolina at Greensboro Blackboard Use Policy: http://policy.uncg.edu/blackboard_use/
Administrative Application Hosting
- Stanford University Administrative Computing Policies: https://adminguide.stanford.edu/chapter-6/subchapter-1/policy-6-1-1
Application Service Provider
- University of Texas at Austin Minimum Security Standards for Application Development and Administration: http://security.utexas.edu/policies/standards_application.html
Cloud Computing
- EDUCAUSE Cloud Computing Policy resource page: http://www.educause.edu/library/cloud-computing-policy
- Cloud Security Alliance Resource Page: http://www.cloudsecurityalliance.org/
- Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing: https://cloudsecurityalliance.org/research/security-guidance/
- NIST SP800-145 Draft NIST Definition of Cloud Computing: http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
- NIST SP800-144 Draft Guidelines on Security and Privacy in Public Cloud Computing: http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
- University of California Cloud Computing Task Force: https://spaces.ais.ucla.edu/display/uccctf/Home
- Cornell University Outsourcing and Cloud Computing resource page: http://www.cit.cornell.edu/policies/publications/cloud/index.cfm
- Purdue University Cloud Computing Consumer Guidelines: http://www.purdue.edu/securePurdue/bestPractices/Cloud%20Consumers.cfm
Research Application Hosting
Third-Party Application Hosting
Information Security Incident Management
Incident Management
- EDUCAUSE Data Incident Notification Toolkit
- NIST SP800-61 rev 1 Computer Security Incident Handling Guide
- University of Iowa Computer Security Breach Notification Policy
- UCLA Notification of Breaches of Computerized Personal Information Policy
- University of Minnesota Reporting and Notifying Individuals of Security Breaches Policy
Information Security Aspects of Business Continuity Management
Compliance
Federal Laws and Guidelines
- Family Educational Rights and Privacy Act, 20 U. S. C. § 1232g
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA) (financial records)
- Digital Millennium Copyright Act (DMCA)
- Federal Trade Commission ID Theft Red Flags Rule
- Federal Trade Commission 16 CFR Part 314 Standards for Safeguarding Customer Information, Final Rule
- Uniform Electronic Transactions Act 1999 (UETA)
- Electronic Signatures in Global and National Commerce Act (ESign)
- FDA 21 CFR Part 11 Electronic Record; Electronic Signatures; Final Rule
- Higher Education Opportunity Act of 2008 (HEOA)
- FIPS – 200 Minimum Security Requirements for Federal information and Information Systems
- Federal Information Security Management Act (FISMA)
Copyright Section
- EDUCAUSE Campus Copyright and Intellectual Property Policies
- Carnegie-Mellon Copyright Violation Guideline
DMCA Policies
PCI
- EDUCAUSE PCI DSS Resource Page
- University of Texas at Austin Minimum Security Standards for Merchant Payment Card Processing
- Stanford University Credit Card Acceptance and Processing Policy
Software Licensing
- EDUCAUSE Campus Licensing Policies
- University of Texas Health Science Center at San Antonio Software Policy
SSN’s
- University of Iowa SSN Policy
- Purdue University Social Security Number Policy
- Northwestern University Secure Handling of Social Security Numbers Policy
See the EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.
Resources
EDUCAUSE Resources
- Sample Information Security Policies, an EDUCAUSE library collection of sample policies from colleges and universities, including policies on privacy, passwords, data classification, security, e-mail, and many more.
- EDUCAUSE/Cornell Institute for Computer Policy and Law
- EDUCAUSE Policy Initiatives
- FERPA Resources and Compliance, a Blog
- Gramm-Leach-Bliley (GLB) Act
- Higher Education Compliance Alliance Matrix
- HIPAA
- ID Theft Red Flags
- PCI DSS
- Policy and Law
- Policy and Law: Campus
- Policy and Law: Federal
- Policy and Law: State
- Outline of Model Security Policy Elements, An EDUCAUSE Toolkit that provides examples of security policy and procedures that may be edited to fit the needs of institutions of higher education.
- A Framework for IT Policy Development, an EDUCAUSE Review article
Initiatives, Collaborations, & Other Resources
- Higher Education Compliance Alliance
- SANS Information Security Policy Templates (Note: These templates may need customization for the higher education environment.)
- Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs (includes several sample policies)
- Making the Case for IT Policy: An event kit for campuses seeking to host a workshop where they can develop IT policy through facilitated discussion and collaboration.
Standards
| ISO 27002:2013 | NIST SP 800-53 | COBIT 5 | PCI DSS | NIST CSF | HIPAA |
|---|---|---|---|---|---|
| Information Security Management | Recommended Security Controls for Federal Information Systems and Organizations | APO01.03 | Req 12 | ID.GV-1 | 45 CFR 164.316(a) |
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).