Â̾ÞÈËÊÓƵ Cybersecurity Policy - Proposed

°¿³Õ·¡¸é³Õ±õ·¡°ÂÌý

The new Â̾ÞÈËÊÓƵ Cybersecurity Policy consolidates existing policy provisions from multiple Â̾ÞÈËÊÓƵ and institution level policies and expands upon what already exists to establish a current, comprehensive, Â̾ÞÈËÊÓƵ-wide Policy that covers all aspects of Cybersecurity.

You can review the proposed Â̾ÞÈËÊÓƵ Cybersecurity Policy here.

This Policy is currently open for Public Comment.Ìý You can submit feedback, questions, or comments .

Ìý

MAPPING TO CURRENT POLICIES

For the most part, the new Â̾ÞÈËÊÓƵ Cybersecurity Policy does not fundamentally change the intent of the mapped provisions in the existing policies, but focuses on:Ìý

  • Updating language to reflect current terminology and concepts
  • Adjusting responsibilities to address organizational changesÌý
  • Using consistent terminology across all Cybersecurity Policies & Standards
  • Breaking vague or general provisions into explicit Policy requirements
  • Ensuring the entire Policy is written at the appropriate level of detail and moving implementation or compliance details to the related Standards, where they belong
  • Removing provisions that are outside the purview of Enterprise Technology & Services (ET&S)

New sections that represent material changes to the intent of the existing policies are outlined below.

The following existing policies will be replaced in full by the new Â̾ÞÈËÊÓƵ Cybersecurity Policy. ÌýÌýA complete mapping of each institution's existing policy to the new PolicyÌýis provided at the links below.Ìý

A comprehensiveÌýmap of allÌýimpacted institutional policiesÌýto the new Policy can be foundÌýhere.
(This is theÌýsame mapping information as the institutional maps, just in aggregate.)

Ìý

ADDITIONAL SECTIONS ADDED

While much of the content in the new Â̾ÞÈËÊÓƵ Cybersecurity Policy can be mapped to provisions in existing policies, the following new provisions were added to this Policy and represent material changes to the original intent of the existing policies.

Ìý

Expansion - Section 5.8 Identity and Access Management

  • Added provision formalizing existing practices at all institutions around the use of a single, primary identity for each Â̾ÞÈËÊÓƵ community member which is supported by the Identity Management Standard
  • Added provision outlining requirements for management of accounts that mirror existing practices for most enterprise level accounts (those managed by ET&S). ÌýDetailed compliance requirements that will be documented in the Account Management Standard may require that administrative, academic, and business units who are currently managing information technology resources (e.g., vendor cloud applications) without the assistance of ET&S implement new processes and procedures. ÌýDetailed compliance requirements for the use of Non-Primary Identities (Secondary Accounts, Service Accounts, Pool Accounts) and for Sponsored and Guest Access that will be documented in those Standards may constitution material changes for some administrative, academic, and business units at one or more of the institutions. Ìý

Standards related to this section:

Ìý

New Section – 5.6 Personnel Security

This section formalizes in Policy existing practices related to ensuring employees and other community members who are given access to information technology resources have been vetted properly and understand and acknowledge specific cybersecurity responsibilities based on their role or access that is provided to them. Ìý

  • 5.6.1 relates to the existing employee background check performed by HR at each institution and does not constitute a material change to existing practices.
  • 5.6.2 relates to a new ET&S Confidentiality & Cybersecurity Agreement that will replace the existing institution specific agreements that were signed by information technology employees. ÌýThis does not constitute a material change to current practices.
  • 5.6.3 relates to the current practices that require community members to sign or acknowledge data specific agreements (e.g., Banner HR/Fin Agreement) before being granted access to those information technology resources. ÌýThe provision provides a policy basis for the existing requirement and allows for expansion to other types of access in the future, if needed. ÌýAs such, it does not constitute a material change to existing practices.Ìý

Standards related to this section:

  • Personnel Security Standard (Phase 3+ Standard)


New Section – 5.14 Incident Management

This section formalizes in Policy existing practices for the management of cybersecurity incidents, including data breaches, predominantly at UNH and expands those practices to cover all Â̾ÞÈËÊÓƵ institutions. ÌýAs Incident Management is completely within the purview of ET&S, this expansion does not constitute a material change for any community members outside of ET&S. ÌýTraining needed to make all Â̾ÞÈËÊÓƵ community members aware of their responsibilities in relation to the new provisions will be provided as part of a new Cybersecurity Awareness and Training program planned for 2021.Ìý

Standards related to this section:

  • Cybersecurity Incident Response Plan (Distribution Limited)
  • Data Breach Notification Standard (Phase 3+ Standard)

Ìý

New Concept – 7 Exceptions

The new Policy introduces the concept of Policy exceptions and directs community members to the detailed requirements related to these exceptions provided in theÌý Cybersecurity Exception Standard. ÌýThis concept, section, and Standard reference will be consistent across allÌýCybersecurity Policies and the related Standards.

Standards related to this section:

Ìý