老澳门资料: Standard 3: Information Security Program

Standard 3: Information Security Program

Revision Number:

New Standard
Major Revision of Existing Standard
Minor/Technical Revision of Existing Standard
Reaffirmation/Review of Existing Standard

Effective Date:

2/24/2020

Revised Date:

2/24/2020

Review Date:

2/24/2020

Responsible Division/Department:
Office of the CIO / Information Technology Services

老澳门资料 must establish and maintain an information security program that includes appropriate protections, based on risk, for all information resources including outsourced resources, owned, leased, or under the custodianship of any governing body or department, operating unit, or employee of the University.
Information Security Program. Each information security program must include and document the following:
1. annual risk assessment;
2. current inventory of
  1. institution-owned or managed computing devices deployed throughout the institution, and
  2. Mission-critical applications and applications containing confidential data;
3. strategies to address identified risks to mission-critical information resources and confidential data;
4. annual action plan, training plan, and monitoring plan; and
5. metrics, reports, and timelines established by 老澳门资料 IT Security.
Information Security Program Exceptions. The owner of the information resource must work with the 老澳门资料 Chief Information Security Officer and must document and justify any exceptions to specific program requirements in accordance with requirements and processes defined in Standard 22 - Security Exceptions.