Information Security Liaison Policy

Responsible University Officer: Chief Information Officer
Responsible Office: Information Technology Services



                                        Scope

This policy applies to all Deans and Vice Chancellors who oversee university
business units that maintain and manage their own Information Technology. This
policy also applies to employees designated as Security Liaisons who must abide
by the Rules and Responsibilities listed in the policy.

                                       Audience

This policy applies to all employees designated as Security Liaisons as well as
Deans and Division Heads of University business units that maintain and
manage their own Information Technology.

                                Policy Statement

Deans or Division Heads who oversee university business units which maintain
and manage their own Information Technology must designate employees as
Information Security Liaisons. Information Security Liaisons act as important
intermediaries between the Information Security Office and their respective
university business unit. An Information Security Liaison will assist the university
business unit in implementing information security policies and information
security initiatives, and will coordinate with the Information Security Office
with regard to incident management.


                                      Compliance

Failure by a Security Liaison to comply with the role and responsibilities specified
by this policy may result in disciplinary action, in line with the experience of the
staff member.

Failure by a Dean or Division Head to name a Security Liaison consistent with
the rules of this policy may have similar disciplinary consequences.

Exceptions to these policies will be rare. Any requests for exceptions to these
policies should be submitted in writing to the Information Security Office for
approval.
UNC Information Technology Services                                               Page 1
Policy Version:
                               Reason for Policy
In decentralized environments, such as the University of North Carolina at
Chapel Hill, it is necessary to coordinate security initiatives, incident
management and implementation of policies as well as standards in a consistent
and effective fashion. Those managing the university’s information technology
resources have information security responsibilities that come with managing a
university business unit’s information technology. Given the extraordinary risk
frequently associated with information security incidents, as well as their
implications for compliance, it is essential for deans and department heads to be
aware of information security risk and to assume their responsibility for its
mitigation.

Due to the growing number of security intrusions and compromises of sensitive
data, the University of North Carolina at Chapel Hill has enacted a policy
framework that safeguards electronic and non-electronic resources containing
sensitive information. Within this policy framework, the Security Liaison Policy
provides guidance as to the duties and responsibilities of employees designated
as Information Security Liaisons as well as defining which working units must
establish Security Liaisons. Security Liaisons play a vital role in protecting the
Information Security assets of UNC-Chapel Hill.

The failure to protect sensitive data can result in significant fines for the
University by regulatory authorities and may also result in significant breach
notification costs and/or legal action. Security Liaisons play an important role in
safeguarding the University’s sensitive information.

             Role of the Information Security Liaison

In line with Information Security Liaison roles and responsibilities at other
universities, an Information Security Liaison and a back-up Information Security
Liaison are required for each university business unit that maintains and
manages its own Information Technology (IT). If a department outsources the
management of its IT, it must still ensure that a named Information Security
Liaison and a back-up Information Security Liaison are on file with the
Information Security Office. Information Security Liaisons serve as the single
point of contact for the Information Security Office regarding security efforts
and information security incidents affecting their respective university business
unit. Information Security Liaisons aid the Information Security Office in
improving Information Security at UNC Chapel Hill by coordinating with the ISO on
security matters.
The Information Security Liaison will work with the Information Security Office in
incident management and response as well as assist, as needed, the Information
Security Office in certain activities including the ones described below. The
Information Security Liaison will act as the primary point of contact for their
respective university business unit for the Information Security Office when
handling security intrusions.

Specifically, the Information Security Liaison will coordinate with the Information
Security Office with the following:
   • Ensure the proper identification and classification of computer resources
     storing Sensitive Information or deemed mission critical within their area.

   • Advise their unit’s systems development and application Data Stewards of
     the implementation of appropriate security controls for information on
     systems, from the point of system design, through testing and production
     implementation.

   • Meet periodically with Information Security Office staff to move forward
     enterprise security initiatives for their respective university business units.

   • Maintain an up-to-date list of staff with access to sensitive information in
     their working group and promptly notify the Information Security Office of
     any personnel changes, including transfers within the University. Provide
     basic security advice for all assigned systems and users. Ensure timely
     compliance with the departmental security awareness requirements,
     including yearly refresher training as well as training of new employees.
     The Data Steward, in consultation with the Information Security Liaison,
     will work towards ensuring that the department or working group is
     compliant with applicable state and federal laws as well as University
     policies, such as the Information Security Policy. The Liaison may perform
     periodic assessments for their respective university business unit to
     determine compliance with any applicable security policies, procedures,
     and standards.

   • Ensure that any detected vulnerabilities are remediated in a timely manner
     consistent with the Vulnerability Management Policy.

   • The Information Security Liaison will advise their university business unit
     and/or their respective other assigned areas of responsibility regarding the
     implementation of appropriate security controls consistent with the
     University’s Information Security Policy.

   • Collect incident response information and metrics, including developing
     and maintaining the department’s or university business unit’s incident
     response plan. The Information Security Liaison must ensure timely
     notification of the University’s Information Security Office regarding any
     information security incidents for their respective university business unit,
     consistent with the Incident Management Policy. In addition, the
     Information Security Liaison must ensure a timely and comprehensive
     response to information security incidents in coordination with the
     University’s Information Security Office.

   • Report incidents and incident metrics to the University’s Information
     Security Office consistent with the Incident Management Policy.

   • Coordinate with the Information Security Office regarding the University’s
     Information Security strategic initiatives, including security improvements
     for the liaison’s university business unit or department. Periodically report
     to University administrators, deans, division heads and the University
     Information Security Office regarding the entity’s status with respect to
     information security initiatives and policy compliance.

                                        Impact

As necessary, deans and division heads must ensure that Security Liaisons are
appointed and employee time is allocated to perform the duties of a Security
Liaison. In addition, deans and division heads may incur additional costs
associated with the work of Security Liaisons, such as time set aside for
awareness training and inventory of critical assets. Security Liaisons must
incorporate the roles and responsibilities of the Information Security Liaison as
defined in this policy as part of their current responsibilities and must cooperate
with the University Information Security Office on topics such as incident
handling, vulnerability management or awareness training in their respective
university business unit.

In many cases, some or all of these responsibilities as defined in this policy may
already be carried by university business unit personnel.

                                      Related Data

Information Security Policy

Vulnerability Management Policy

                         Glossary and Definitions

For an explanation of the terminology relevant to the Information Security
Policies at UNC-Chapel Hill, refer to website http://xxxxxxxx.

                                      Contacts

Subject                                   Contact                                       Telephone   FAX/E-mail
Policy Questions                          The University’s Information Security Office
Report a Violation                        The University’s Information Security Office
Request Information Security Consulting   The University’s Information Security Office


                                      History

Effective Date:
Revised Date:
Next Review Date:
