In 2016, the University of Wisconsin Information Assurance Council (UWIAC) made significant progress in the creation of a system-wide information Security Program and foundational policies. The following describes the progress of the team’s work in Phase I of a three phased approach.
Background of Phase I
In January of 2016, a cross-functional team, comprised of Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Information Security Officers (ISOs), as well as specialists in data classification, audit and legal affairs was established to focus on the creation of a UW System-wide information security effort. The team’s mission was to create an information security program, and related policies and procedures.
The course of action in Phase I was to:
- Author a Security Program document, which describes the components, methodology and content of the overall
- Prioritize the areas in which policies would be authored and The five policy areas of highest priority as determined by the team, were:
- Authentication Policy and Procedures (e.g., Password Management)
- Data Classification Policy and Procedures
- Security Awareness Policy and Procedures
- Incident Response Policy
- Acceptable Use Policy
In order to make the review and updating of documents more efficient, as well as make the contents easier to understand to both technical and non-technical audiences, the UWIAC decided to separate the information security policies and their procedures into discrete documents.
Current Status of Phase I Work
All five information security policies, and their companion procedures, have been authored and undergone multiple reviews by the key stakeholders identified above. All five policies and associated procedures were submitted to the UW System Financial and General Administrative Policy Committee (FGAPC) on July 21, 2016. The subsequent FGAPC process, which is expected to take approximately six weeks, will include internal review by other offices within UW System Administration followed by external review by the UW System Chancellors, Provosts and Chief Business Officers. Meanwhile, work on the overarching Security Program document is nearing completion.
- Within the UW System it is always necessary to create a healthy balance between central oversight and institutional That balance is continually being reassessed throughout this process.
- The implementation timelines for the policies and procedures will vary by institution depending upon the number and complexity of information systems present in each environment, the amount of available resources made available to perform system inventories and gap analyses,
and the amount and complexity of whatever remediation may be necessary. The UW System CIO Council will appoint two CIOs to assist in determining reasonable implementation timelines for the policies and procedures.
At the end of Phase 1, an assessment will be conducted during Fall 2016 to determine whether it would be more beneficial for the risk posture of the UW System to continue developing additional policies/procedures or to focus for a period of time on addressing the gaps revealed by the first set of five policies. Final edits will also be made to the overarching Security Program document.
Phase II Challenges:
- Many of the same people at the UW System institutions are required for both policy development and remediating security These people already have full time day-to-day operational responsibilities at their respective institutions. Aggressively addressing security gaps will result in slower policy development.
- Bringing in additional resources to work in parallel on both policy development and gap remediation is challenging from the perspectives of cost, the lack of sufficient qualified information security staff available in the workforce, and the inability of the UW System to pay competitive salaries in this
- The five initial policies and their associated procedures will be reviewed in March 2017 to determine whether the experience of implementing the policies and procedures has revealed any significant flaws in their
- Thereafter, all information security policies and procedures, as well as the overarching Security Program document, will be reviewed on an annual
- Additional policies will be developed as is feasible while remediation work is
The UWIAC has made signification progress toward the completion of a system-wide Information Security Program and the five most important security policies from a risk perspective. The five policies should be completely through the UW System Finance and General Administration Policy Process and ready for the President’s signature in early fall 2016.