Overview
Version 2.0
Last Revision Date: October 16, 2008
Approval Date: February 15, 2007
Approval Authority: Chief Information Security Officer
Policy Governance
Case has an overall ITS policy management process, which is the
driving factor for information technology usage and management.
The policy implementation is performed in conjunction with the
ITSPAC Security and Policy Subcommittee.
Policy Structure
Case Information Technology Services has two types of policies:
university wide policies and ITS policies. University wide policies
are broad in scope and will have broader stakeholder approval and
impact. The ITS policies are implementation level policies, and may
affect all users in the university. The Case ITS Standards and
Procedures are functional processes for user interaction with
specific IT services and infrastructure.
I. University Wide Policies
Specific information technology related university
policies are developed by the ITSPAC Policy and Security
Subcommittee.
The current policies at this level are:
I-1 Case Acceptable Use of Information Technology Policy (AUP)
I-2 Case Policy on Use of SSN in IT Systems
II. Case ITS Policies and Procedures
This policy grouping consists of policies
implemented by Case ITS to manage the operational functionality,
interfaces, and security of IT resources for the university community.
As described in the Case AUP, the Vice President for Information
Technology Services/CIO will determine operational policies,
networking standards and procedures to implement the principles
outlined in this policy. ITS has the right to protect shared
information technology services.
Procedures and standards are defined for
various services and functional implementations of Case ITS
infrastructure. These are created by ITS operational groups with
the intent of standardization, optimization of resources, and
efficiency of support processes. Standards and procedures are
labeled with a sub-letter according to the parent policy (e.g.
II-1a is a child procedure of Policy II-1).
The current policies at this level are:
II-1 Access and Identity Management Policy
II-1a Affiliate Accounts
II-2 Network ID: Account Establishment & Closure Policy (a.k.a. Leaving Case)
II-3a Active Directory Policy
II-3b Early Account Termination Procedure
II-3 Network Management Policy
II-4 Email Policy
II-4a Email account standards
II-4b Mass Email procedures
II-5 Firewall Policy
II-5a Firewall Change Procedure
II-6 Program/Project Management Policy
II-6a ITS Project Management Methodology Definition
II-6b Information Technology Project Classifications
II-6c ITS Project Initiation Form
III. Case Information Security Policies
III-1 Information Tiers and Sensitivity
III-1a Risk Management Procedure and Risk Assessment Methods
III-1b Non-Disclosure Agreement
III-1c Standard network host configurations for Tier I information
III-1d Standard network host configurations and handling procedures for Tier II information
III-1e Standard network host configuration, handling procedures, and management requirements for Tier III information
III-1f Handheld computer configuration standards (Palm, WinCE, Blackberry)
III-1g HIPAA Related Security Rule
III-1h eDiscovery Procedure
III-1i Payment Card Industry (PCI) Data Management Standard Procedure
III-3 Incident Reporting Policy
III-3b Security Incident Response Procedure (requires logon)
III-3c Copyright Notification Plan
III-4 Physical Access to Critical IT Infrastructure
III-5 Electronic Record Retention Policy
III-5a Media sanitization standard operating procedure for excess IT equipment
III-5 Use of Encryption
III-6 Vulnerability Management Policy
III-7 University Logon Banner
Review of Policy
The ITS policies may be assessed from time to time to reflect
substantive change as a result of changes to the Case
information technology resources and/or changes in legal statutes that
impact information technology resources, copyright, or other
intellectual property issues. The Vice President for Information
Technology Services is responsible for determining when the policy
needs to be reviewed and the process for review and revision.
Each policy will list its own review cycle.