Security Policy
One of the most important functions of the Information Security Office is the development of IT security policy, procedures, and guidelines.
Why do we need security policy? Once upon a time it was possible, although always a bit risky, to depend on the good will and good judgement of our fellow computer users. That time is long past. Cyberspace has become much more dangerous over the past years. People who broke into computers mostly to prove they could do so have been replaced by calculating criminals who hack into computers to steal data for identity theft or direct access to bank accounts, or who take over computers to deliver spam and distribute pirated software. If you leave your computer unprotected or engage in risky behavior, you put more than yourself at risk: you also risk data and resources belonging to students and University staff, and assets of the University itself.
Legal requirements
Faced with a growing number of cases of data theft, and a growing number of constituents who have been victims of identity theft, governmental bodies from the US Congress to the NSHE Board of Regents have passed laws and issued regulations requiring organizations to protect sensitive data. Many of these acts have policy requirements.
At the federal level, the Family Educational Rights and Privacy Act (FERPA) protects student records. The Health Insurance Portability and Accountability Act (HIPAA), protects health care data covering the College of Dental Medicine and providers of medical and psychological services within the University. The Gramm-Leach-Bliley Act protects financial data including data collected by Student Financial Services and the Bursar's Office.
At the state level, Senate Bill 347 revised Chapter 205 of the Nevada Revised Statutes to require increased protection of personal identifying information. Finally, the Nevada System of Higher Education Board of Regents has issued a directive that explicitly requires each institution to adopt policy to protect sensitive data. UNLV has adopted interim policy (pending review by appropriate committees) to meet the Board of Regents' requirement.
Standards followed
Information security policy structure is based on ISO 17799/27001, the International Standard for Information Security, and enhanced as needed by Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization, and by the National Institute of Standards and Technology (NIST) Special Publication 800-series reports on the Information Technology Laboratory's research related to information security controls, standards, and guidelines. The standard reference text for ISO 17799/27001 policy development is the most current edition of Information Security Policies and Procedures: A Practitioner's Reference, Thomas R. Peltier, Auerbach Publications, or its replacement.