Information Security Policy Roadmap
The University instituted a new Information Security Policy in December 2008 as a measure to protect the confidentiality, integrity and availability of institutional data. Over the coming months, the Information Security Office will work closely with the Executive Steering Committee on Computing and other stakeholders to publish a collection of guidelines and procedures that will aid in the interpretation of this policy. The following is a roadmap of planned activities.
Phase 1 - Policy Development
The first phase of this effort involves the development of a draft Information Security Policy. The Information Security Policy will go through an extensive review process and follow the University's Policy Creation and Review Process. The Information Security Office will also work closely with the Executive Steering Committee on Computing ("ESCC") throughout this effort. The proposed policy must be approved by the President's Council prior to publication.
Tasks:
Create initial draft of Information Security Policy
Review with Vice Provost of Computing Services
Review with Office of General Counsel
Review with Executive Steering Committee on Computing
Review & Approval by Management Team Light
Review with Business Manager's Council and Staff Council
Review with Departmental Administrators
Approval of the Policy by President's Council
Publication
Communicate Publication of the Policy

Deliverables | Version | Status | Last Updated
Information Security Policy | 1.0 | Published | 12/17/2008

Phase 2 - Guidance & Procedure Development
The second phase of this effort will involve the development of numerous guidelines and procedures to aid in the interpretation and implementation of the Information Security Policy. These documents will go through an extensive review process and be approved by the Executive Steering Committee on Computing prior to publication. The following process will be followed for each document published:
Tasks:
Create initial draft
Review of draft by the Director of Information Security
Review of draft by the Information Security Policy Advisory Committee
Review of draft by the Vice Provost of Computing Services
Review of draft by the Office of General Counsel
Review of draft by Departmental Computing Forum
Review and approval of draft by the Executive Steering Committee on Computing
Publication
Communicate Publication

Deliverables | Version | Status | Last Updated
Information Security Roles & Responsibilities [.html] [.pdf] | 1.0 | Published | 09/15/2011
Guidelines for Data Classification [.html] [.pdf] | 1.0 | Published | 09/15/2011
Guidelines for Data Protection [.html] [.pdf] | 1.0 | Published | 09/15/2011
Guidelines for Data Sanitization and Disposal (Update) NOTE: Merged with the Guidelines for Data Protection and renamed Media Sanitization and Disposal. | 1.0 | Published | 09/15/2011
Guidelines for Data Handling | N/A | Not Started | N/A
Procedure for Policy Exception Handling | N/A | Not Started | N/A
Procedure for Responding to a Security Breach | N/A | Not Started | N/A
Guidelines for Data Retention | N/A | Not Started | N/A

Phase 3 - Awareness Campaign
The Information Security Office is currently piloting an updated version of its Security 101 awareness program, which incorporates the Information Security Policy and supporting guidance. The slides for this updated awareness program can be found here. Details regarding additional awareness and training opportunities are still being formalized.

Additional Information
If you have any questions or concerns related to this roadmap, the Information Security Policy or any of the supporting documents being developed as part of this effort, please send email to the Information Security Office at iso@andrew.cmu.edu. Suggestions and feedback related to documents that are currently under review are also welcome.