David Kovarik, Director
NUIT Information & Systems Security/Compliance

Security Awareness


Security Policy Development: What You Need to Know

Fall 2006

The University supported National Cybersecurity Month in October, in partnership with EDUCAUSE, a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. Northwestern's role in this international event included producing and distributing promotional materials that advertised basic and sound security practices.

Following up on the month’s activity, I’d like to provide some information on the process used to produce information security policy and to answer some of the questions I received regarding policy development. I am the first to admit that policy development might not be high (if at all) on the “exciting topics” list, but I think it is important to know that there is a specific process we follow. Information security policy development is a defined process designed to address known or foreseeable threat conditions to the safety of the University’s information assets.

Information and Systems Security/Compliance (ISS/C) is charged with the development and implementation of information security policy and standards for the University. My professional experience is that this is no small task in any organization. The University’s highly distributed processing environment, coupled with the autonomy of schools and departments, makes policy development a somewhat complicated and — by necessity — highly collaborative process. However, the proof of its worth is represented in the product of the process, such as the policy Secure Handling of Social Security Numbers. If you have not already done so, I’d suggest you review the statement; after all, every user is accountable for understanding and complying with University policy and standards.

Leveraging the resources made available through the Information Security Advisory Committee and Coordinator network, we were able to collectively hammer out differences and align University resources behind a statement calling for the protection of intrinsically sensitive and regulated data — your Social Security Number. That’s correct…your SSN. This policy is designed to safeguard your personally identifiable information, as well as that of other students, faculty, and staff.

A policy in the early stages of development is referred to as a draft; it becomes a proposal as it nears the final stages. NUIT has a policy development and approval process that shares the policy proposal with a large population for review and comment for a minimum of thirty days. Any comments are considered for inclusion in the final document. Once approved, the policy statement is then published. The NUIT policy process is described on the NUIT Web site.

This policy statement, an end product of a fair amount of activity, also represents the beginning of the process known as compliance. But that’s a topic for another day.

If you have questions on this process, or any information security or disaster recovery issue, please contact me at david-kovarik@northwestern.edu.

Happy Holidays to you and yours, and remember that ... You’re the Key!