First of all, thank you.
Thank you for your willingness to serve in a role that is crucial to the success of the information security program! We've compiled information below that we hope you'll find helpful. Please don't hesitate to contact our office if you have any questions about the program or your unit's journey toward compliance.
A few policies provide the foundation for the Information Security Program (UNIV 1.51, UNIV 1.52, and IT 3.00). IT 3.00 charges the Information Security Office to administer the Information Security Program and coordinate all incident response. It also empowers organizational units (OUs) to implement appropriate safeguards. OUs appoint Security Liaisons to communicate internally and with our office about local protections.
The university is subject to South Carolina's Information Security & Privacy Standards. The effective date of these Standards is July 2016. The state bases its program on the NIST 800 Series, supporting risk-based prioritization of controls. Lack of resources is not grounds for inadequate protections. Before the state grants an exception, we must be able to describe the anticipated cost of meeting the need in question.
An asset's classification determines which controls are appropriate. The sensitivity of stored or accessed data dictates classification. The university describes classification in UNIV 1.51 [pdf].
Our office publishes a guide designed for end users and is working to publish Minimum Security Standards for the entire organization. We select these–or equal protections–based on evidence of security incidents at the university and industry research across our peers. Once the Minimum Security Standards are in place, OUs should focus on controls according to the relevance of specific risks.
For OUs seeking help beyond the Minimum Security Standards, we've created a document [xls] that maps some available options to meet state requirements. Our office may develop more resources, such as templates or control-specific guidance, as needed over time, such as the Action Plan template.
Whenever practical, we encourage OUs to satisfy state and other requirements in the way most suitable for their users. We support this by offering consultation on Risk Management, Compliance (such as HIPAA and PCI), and Security Architecture.
We recommend Security Liaisons reach out to peers in other units for suggestions on how to address various security concerns. The current list of liaisons [pdf] is available (login required).
Our office will regularly distribute questionnaires about units' protections. Responses help us:
- track improvement over time;
- report to university leaders and the state;
- supply the Enterprise Risk register;
- influence security service offerings; and
- contribute to annual planning for Audit & Advisory Services.