What are Cybersecurity Policies?
Cybersecurity Policies are a formal set of rules issued by an organization to ensure all authorized users of information technology resources and assets comply with rules and guidelines. Security Policies can provide additional benefits to an organization as well:
- Allows for policy consistency across an organization. Policies should be clear, concise, and leave no room for interpretation.
- Details and upholds discipline and accountability. Policies should inform users of their responsibilities, including what they can and cannot do while using an organization's technology resources and assets. They should also outline the disciplinary actions for violating policy.
- Helps to educate users on security.
If policies set the rules and expectations for use of information technology resources and assets, then what are Security Standards?
Security Standards provide the methods, guidelines, and references to frameworks that ensure policies are applied consistently and efficiently. They establish a common language and contain technical specifications or other criteria, with the goal of improving the security of information technology.
When do new policies come into enforcement?
Policies are considered living documents and should be reviewed at least annually. This gives Information Technology staff and other stakeholders an opportunity to update documentation when necessary. Affected parties should always be notified when a new policy is published or an existing policy is revised, and the announcement should include details such as where to locate the policy and the date it comes into enforcement.
What if our current processes are not in compliance, or we expect a process will not be compliant with a new policy?
While we ask all business units to make reasonable efforts to comply with policies and standards, we understand there are situations where 100% compliance may not be possible. If your group has a process or system that cannot comply with USNH policies or standards, we ask that you contact the Cybersecurity GRC group for assistance with an exception.
We need an exception. How do we start the process?
You can email the Cybersecurity GRC group at Cybersecurity.GRC@usnh.edu or submit a ticket via TeamDynamix.
We have an exception, now what?
Exceptions are not meant to be a set-and-forget solution. Rather, exceptions should be reviewed annually to determine whether updates are required, since processes and systems often change.
Who can we contact for more information regarding policies, standards, exceptions, or simply to ask a question?
Please reach out to Cybersecurity.GRC@usnh.edu with any questions you may have.
What is a Security Review?
The Security Assessment Review (SAR) process, administered by Cybersecurity GRC, is required whenever institutional information classified as anything other than Public will be captured, stored, processed, transmitted, or otherwise managed by a third party (e.g., a vendor or service provider). Reviews can also be performed if requested by the relevant data steward, SLL, CISO, or the CIO.
Information classification types are identified in the USNH Information Classification Policy.
Why is a Security Review necessary?
When USNH information is captured or stored in non-USNH information technology resources, stored in non-USNH facilities, or handled by non-USNH persons, it is subjected to unknown risks. Those who are responsible for appropriate handling of such information must understand what type of information is involved, what level of protection it requires, what the risks are to the information, and how those risks will be mitigated.
The USNH Security Assessment Review (SAR) process assists in identifying the risks associated with information being placed into non-USNH information technology resources or handled by non-USNH persons. The key factor used to assess risk in these circumstances is the institutional information that will be captured, stored, processed, transmitted, or otherwise managed by the third party.
What Documentation is needed from the vendor?
USNH uses the HECVAT (Higher Education Community Vendor Assessment Tool), developed and maintained by Educause, as the basis of its security assessment review program. We often work with vendors who engage with other higher education institutions and may have previously completed the HECVAT; we will accept a previously completed HECVAT if it is a recent version, such as v2.10. More information can be found on the Educause HECVAT site.
We will also accept a SOC 2 Type 2 Report in lieu of the HECVAT. A SOC 2 Type 2 report is an assessment, performed by an independent third party, of a company's safeguards and controls used to protect customer data over a given time frame.
We may also request that the vendor provide additional documentation to assist with our review, including but not limited to:
- Information Security Policy
- Disaster Recovery Plan
- Business Continuity Plan
- Terms and Conditions
What determines which HECVAT the vendor should complete?
There are two versions of the HECVAT: the HECVAT Full and the HECVAT Lite. Any third-party product that will capture, store, process, transmit, or otherwise manage RESTRICTED information must complete the HECVAT Full. Simple engagements and LTI (Learning Tools Interoperability) tools that will integrate into Canvas can use the HECVAT Lite, as long as no financial transaction processing is involved.
When should the documentation be obtained from the vendor?
Documentation should be obtained as early in the procurement/implementation process as possible. However, we understand that vendors may not provide this information to the institution before a contract or agreement is in place.
How can I request a Security Assessment Review?
You can request a review by submitting a ticket: Security Assessment Review Request.
The requested documentation has been submitted for a review. What happens next?
Once we receive a completed HECVAT and the supplemental documentation, we will begin our review. During this time we will identify any concerns, any questions that need more information or clarification, and any need for additional documentation from the vendor. Once our initial review has been completed, we will provide feedback to the business unit, which may include requests for more information if necessary.
Who should I contact if we have questions regarding a Security Review?
If there are questions regarding a Security Review, please contact:
- William Sames - Cybersecurity GRC Analyst
- Tom Nudd - CISO
- Ivy Finglas - Director of Cybersecurity Operations Engineering and Identity Access Management