
CISO: The senior-level University employee with the title of Chief Information Security Officer.

Information Owner: The individual(s) or Unit with operational authority for specified University Information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. This individual or Unit is responsible for making risk tolerance decisions related to the owned University Information on behalf of the University and is responsible for any loss associated with a realized information security risk scenario.

Information Resource Owner: Collective term used to refer to Information Owners and Information System Owners.

Information Resources: University Information and related resources, such as equipment, devices, software, and other information technology.

Information System: A major application or general support system for storing, processing, or transmitting University Information. An Information System may contain multiple subsystems. Subsystems typically fall under the same management authority as the parent Information System. Additionally, an Information System and its constituent subsystems generally have the same function or mission objective, essentially the same operating characteristics, the same security needs, and reside in the same general operating environment.

Information System Owner: The individual(s) or Unit responsible for the overall procurement, development, integration, modification, and operation and maintenance of an Information System. This individual or Unit is responsible for making risk tolerance decisions related to the owned Information Systems on behalf of the University and is responsible for the loss, limited by the bounds of the Information System, associated with a realized information security risk scenario.

ISO: The University's Information Security Office, responsible for coordinating the development and dissemination of information security policies, standards, and guidelines for the University.

Unit: A college, department, school, program, research center, business service center, or other operating Unit of the University.

University Information: Any communication or representation of knowledge, such as facts, data, or opinions, recorded in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual, owned or controlled by or on behalf of the University.

University-Related Persons: University students and applicants for admission, University employees and applicants for employment, Designated Campus Colleagues (DCCs), alumni, retirees, temporary employees of agencies who are assigned to work for the University, and third-party contractors engaged by the University and their agents and employees.

INFORMATION SECURITY OVERSIGHT PROCESS ISO

Risk Management: Information Resource Owners must, in coordination with the ISO, integrate the following information security and privacy activities into their risk management processes:

Categorize the University Information and the Information Systems according to the level of impact from loss of confidentiality, integrity, or availability.

Select an initial set of baseline information security and privacy controls for the system and tailor the control baseline, as needed.

Assess the information security and privacy controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the information security and privacy requirements for the system and enforcing those requirements.
