Policy and Compliance Roadmap

Executive Summary - Current Status and Vision

The Policy and Compliance Program consists of two sub-programs: Information Security Policies and Assessments. The Policy sub-program provides the guidance for the creation of Institute-wide information security policies, issue-specific policies, standards, processes, and guidelines. These documents are created in a collaborative effort that involves stakeholders from the campus's constituencies, including data stewards and the various academic, research, and administrative groups. The policies, standards, guidelines, etc. are used to guide the campus in the implementation of technology as well as to ensure that Georgia Tech is compliant with various regulatory and legal requirements (e.g. GLBA, FERPA, PCI, HIPAA). The Assessment sub-program focuses on providing different types of security assessments to campus. These include:

  • Annual Institute Risk Posture Report
  • Unit Risk Assessments
  • Service Assessments
  • Compliance Assessments
  • Unit Self Assessments


Governance


  • Provost
  • Sr. VP Finance Administration
  • CIO
  • Director, Information Security
  • Director, Internal Audit


Program Leadership

Richard Biever - Information Security Policy and Compliance Manager
404-894-6318     richard.biever@oit.gatech.edu

System Information and Metrics

Operational Information:

  • Conducted 3 Unit Risk Assessments
  • Conducted 5 Service/Product Assessments
  • Conducted annual HIPAA review for Health Services Unit

Interesting Findings: 
In general, the Unit risk assessments came back with positive findings. However, in each case, the main concerns noted centered around:

  • Lack of consistent backup solutions (if any at all) for employee PCs
  • System vulnerabilities
  • Account provisioning/termination
  • Lack of process documentation
  • Lack of business continuity plans
  • Need for central management of Unit computers

Improvements implemented:

  • Policy website update
  • Policies reviewed and created
  • Approval process
  • Exception process


Goals for 2009-2010


  • Review and update the core CNUSP policy and procedure. The process involves the core constituency groups on campus and will result in an updated acceptable use policy that is the basis for all other IT security policies on campus.
  • Create a series of standards to provide the technical community with the recommended guidance on securing desktops/laptops and servers.
  • Implement a Self Assessment service for Units to annually assess their security/risk posture.

Projects to Support Goals - 2009