The university’s overarching mission is to be a world-class teaching and research institution. The goal of the Illinois Security Program is to enable instructors, researchers, staff, and students to achieve this mission while keeping the education and research data they work with confidential, available, and intact. As a world-class research institution we handle a vast array of data, which makes us a target. Failure to secure this data can lead to costly financial penalties and damage to the institution’s reputation. The Illinois Security Program lessens the cost of security incidents, so that the university’s resources stay focused on its main mission of teaching and research.
- Simplified. The program’s standards and framework are a simplified version of National Institute of Standards and Technology (NIST) Special Publication 800-53. Our standards cover 30 specific risk areas, each of which maps back to one or more NIST requirements. NIST was chosen because the Federal Information Security Management Act (FISMA) designates NIST as the organization responsible for developing security standards and guidelines for federal agencies, and those standards flow down to most federal grants.
- Unified. The program settles the “best practices” question by tying information security requirements to an externally recognized framework of security controls, the NIST standards.
- Prioritized. Standards typically don’t offer a way to prioritize risks. The program specifies three risk levels, making it clear which risks to address first:
- Critical Priority (P1)
- High Priority (P2)
- Medium Priority (P3)
- Shared. The Illinois Information Risk Management Program is built on the premise that information security and risk management are a shared university responsibility, not exclusively an IT responsibility.
The Information Technology Security Policy (INFOSEC) establishes high-level information security requirements and provides the mandate for the Security Program. It states the university’s overall intent to support and promote information security in all of its practices.
The Information Security Standards define 30 risk areas for the university, each with a security objective. These risk areas are used to organize, measure, and manage risk levels consistently across the university. The standards are built around data classification, which is defined in DAT01. Some standards are intended to be implemented by IT Pros; others place requirements on business units. The standards take their mandate from the Information Technology Security Policy.
The Information Security Controls provide implementation guidance for each standard at each risk level; they can be read as a “how-to” version of the standards. A common coding scheme makes it easy to cross-reference the two documents. To guide prioritization, the detailed controls are specified according to the classification of the data being protected, as defined by the Data Management Policy.
We continue to develop documentation (procedures, checklists, templates) and software tools as needed to support implementation of the standards and controls. These help units implement the controls and their requirements effectively and efficiently.