||Review and update university-level information security policy, standards, and procedures.
- Data Access Requirements and Data Security Requirements documents approved and posted.
- Draft changes to the university policy UNIV 1.50 for executive level review.
- 901.3 Sensitive Data Security Procedures updated and published
- Completion of Information Security Program maturity self-assessment.
||Examine the feasibility of designating a Data Trustee and Steward for Personal Data.
- Decision on establishment of a Data Trustee and Steward for Personal Data
||Discover, assess, and address Social Security numbers and payment card numbers in storage on all university IT devices.
- Discovery solution in production March 2015. All relevant documentation communicated and made available university wide
- Encryption solution in production
- Secure File Sharing solution available for early adopters
||Establish new training and certification standards for those who administer or access university information assets.
- Published certification standards and training program for system administrators
- User security awareness training program for faculty and staff university wide December 2014
||Develop a process to discover, assess, and address existing information security risks in all university information assets.
- Published critical server / log assessment criteria documents August 2013
- Vulnerability Management Standard published and communicated February 2015
||Implement proactive scanning and monitoring for critical systems and processes, to discover risks and active threats to university information assets.
- Framework (Established Infrastructure) is in place
- Agent deployed. All relevant documentation communicated and made available university wide March 2015.
- Onboarding identified source systems
||Ensure the integration of appropriate information security provisions and processes in all UTS IT processes, projects, systems, and staff.
- Working with UTS partners on all initiatives
- Enterprise service contract for professional breach management support services and security breach professional investigative services is in place.
||Ensure the integration of appropriate information security provisions and processes in all university IT acquisitions and development efforts.
- Updates to 901.1 Procurement and Contracts Procedure published Feb 2015
||Ensure the integration of appropriate information security provisions and processes in the university’s enterprise IT projects, systems, and staff (e.g. OneCarolina, Banner, Mainframe).
- Formally documented provisions and processes for OneCarolina phase I
||Assist university business and academic units in establishing local security and privacy procedures compliant with university-level procedures.
- Published Information Security Plan Guide (Executive and Technical) 2013
- Interaction with business and academic units is ongoing
||Establish processes for periodic review of information security standards and procedures.
- Initial review performed May - Nov 2013
- Review process and formalized thresholds have been established
||Establish processes for periodic assessment and/or auditing of university units for compliance with established information security procedures.
- Map the Information Security standards to the Audit framework
- Fill open positions
- Complete a high-level risk assessment
||Develop a strategy for implementing a centralized university system for Identity and Access Management (IAM).
- Multi-factor authentication service in production March 2015. All relevant documentation communicated and made available university wide
||Develop a strategy for supporting information security regulatory requirements in research.
||Currently on hold until resources are available