7.10.06 Information Security Management System
Approved on: 03/04/2009
By: Administrative Council
Effective Date: 03/04/2009
The University selected the Information technology -- Security techniques -- Information security management systems -- Requirements (ISO 27001) as a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS was a strategic decision which was influenced by the needs and objectives, security requirements, and processes employed at the University. ISMS implementation has been incremental and will continue to be scaled in accordance with University requirements.
Administration of Policy
Information Systems and Technology, 13th floor, Commerce Building, 3-4357
Responsible Executive(s): Associate Provost and CIO
| Position Title | Campus Location | Phone Number and/or E-mail Address |
|---|---|---|
| Information Systems and Technology | 13th floor, Commerce Building | 404-413-4357 |
Full Policy Text
- Document Control. Relevant versions of applicable documents will be available at points of use. When a new procedure, or a new version of a procedure, is issued for inclusion in the University's Information Security Management System, it will include (at a minimum):
  - A revision level identifying the new document(s)/version(s)
  - Point(s) of contact for questions or comments
  - Date of last update or issuance
  - Data classification (if sensitive or confidential)
- Internal Audit. Internal audits of the ISMS shall be conducted at planned intervals, at least annually or as the need arises (internal audits do not necessarily involve University Auditing and Advisory Services).
  - Personnel who are independent of the current work or project shall perform the internal audits.
  - Auditors shall possess personal attributes that enable them to act in accordance with the principles of auditing, and shall have successfully completed at least 32 hours of formal ISMS training or possess internationally recognized certifications such as the Certified Information Systems Auditor (CISA) or Certified Internal Auditor (CIA).
- Management Review. Semiannual meetings will be held, and at a minimum the input to the management reviews shall include:
  - Results of ISMS audits and reviews
  - Feedback from interested parties
  - Techniques, products or procedures which could be used at the University to improve the ISMS's performance and effectiveness
  - Status of preventive and corrective actions
  - Vulnerabilities or threats not adequately addressed in the previous risk assessments
  - Results from effectiveness measurements
  - Follow-up actions from previous management reviews
- Records Retention. Unless specified otherwise, ISMS records will be maintained in the department or college in which they were produced for a minimum of 30 days.
- Training. All relevant personnel shall be made aware of the relevance and importance of their information security activities and of how they contribute to the achievement of the ISMS objectives.
Rationale or Purpose
Information security is not an "IT problem"; it is a business issue. Organizations that are within the scope of the University's ISMS must establish, operate, and continuously ensure the appropriateness of safeguards against security threats. Beyond technology, crucial elements of the ISMS include managed planning, the creation of and adherence to policies and procedures, and properly recorded activities. The University's ISMS depends on people who, with appropriate training and awareness, are its greatest strength.
| Word, Phrase, or Acronym | Definition |
|---|---|
| Information Security | Preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability, can also be involved (from ISO 27002:2005). |
| Information Security Management System | The key concept of an ISMS is for an organization to design, implement and maintain a coherent suite of processes and systems for effectively managing information accessibility, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks. |
| Risk Assessment | Overall process of risk analysis and risk evaluation (from ISO/IEC Guide 73:2002). |
| Threat | A potential cause of an unwanted incident, which may result in harm to a system or organization (from ISO/IEC 13335-1:2004). |
| Vulnerability | A weakness of an asset or group of assets that can be exploited by one or more threats (from ISO 27002:2005). |
| Control | A means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. NOTE: Control is al |
- Digital Millennium Act
- Family Educational Rights and Privacy Act (FERPA)
- FTC Red Flag rule
- Health Insurance Portability and Accountability Act (HIPAA)
- VISA Payment Card Industry (PCI) Compliance
Additional Helpful Resources