What are Cybersecurity Policies?
Cybersecurity Policies are a formal set of rules issued by an organization to ensure all authorized users of information technology resources and assets comply with rules and guidelines. Security Policies can provide additional benefits to an organization as well:
- Allows for policy consistency across an organization. Policies should be clear, concise, and leave no room for interpretation.
- Details and upholds discipline and accountability. Policies should inform users about their responsibilities related to what they can and cannot do while using an organization's technology resources and assets. They should also outline the disciplinary actions for violating policy.
- Helps to educate users on security.
If policies set the rules and expectations for use of information technology resources and assets, then what are Security Standards?
Security Standards provide the methods, guidelines, and references to frameworks that ensure efficiency. They establish a common language and contain technical specifications or other criteria, with the goal of improving the security of information technology.
When do new policies come into enforcement?
Policies are considered living documents and should be reviewed at least annually. This gives Information Technology staff and other stakeholders an opportunity to update documentation when necessary. There should always be an announcement to vested parties when a new policy is being published or an existing policy has been revised, including details such as where to locate the policy and the date it comes into enforcement.
What if our current processes are not in compliance, or we expect a process will not be compliant with a new policy?
While we ask all business units to make reasonable efforts to comply with policies and standards, we understand there are situations where 100% compliance may not be possible. If your group has a process or system which cannot comply with USNH policies or standards, we ask that you contact the Cybersecurity GRC group for assistance with an exception.
We need an exception. How do we start the process?
You can email the Cybersecurity GRC group at Cybersecurity.GRC@usnh.edu or submit a ticket via TeamDynamix.
We have an exception, now what?
Exceptions are not meant to be a set-and-forget solution. Rather, exceptions should be reviewed annually to determine whether updates are required, as processes and systems often change.
Who can we contact for more information regarding policies, standards, exceptions, or simply to ask a question?
Please reach out to Cybersecurity.GRC@usnh.edu with any questions you may have.
What is a Security Review?
The Security Assessment Review (SAR) process, administered by Cybersecurity Governance, Risk, and Compliance (GRC), is required whenever institutional information classified as anything other than Public will be captured, stored, processed, transmitted, or otherwise managed by a third party (e.g., vendor, service provider). Reviews can also be performed if requested by the relevant data steward, Service Line Leaders (SLL), Chief Information Security Officer (CISO) or the Chief Information Officer (CIO).
Information classification types are identified in the USNH Information Classification Policy.
Why is a Security Review necessary?
When USNH information is captured or stored in non-USNH information technology resources, stored in non-USNH facilities, or handled by non-USNH persons, it is subjected to unknown risks. Those who are responsible for appropriate handling of such information must understand what type of information is involved, what level of protection it requires, what the risks are to the information, and how those risks will be mitigated.
The USNH Security Assessment Review (SAR) process assists in identifying the risks associated with information being placed into non-USNH information technology resources or handled by non-USNH persons. The key factor used to assess risk in these circumstances is the institutional information that will be captured, stored, processed, transmitted, or otherwise managed by a third party.
What Documentation is needed from the vendor?
USNH uses the HECVAT (Higher Education Community Vendor Assessment Tool) developed and maintained by Educause as the basis of its security assessment review program. Often, we work with vendors who engage with other higher education institutions and may have previously completed the HECVAT, which we will accept if it is a recent version - v2.10, v2.11, or v3.0. More information can be found on the Educause HECVAT site.
We will also accept a SOC 2 Type 2 Report in lieu of the HECVAT. A SOC 2 Type 2 report is an assessment, performed by a third party, of a company's safeguards and controls used to protect customer data over a given time frame.
We may also request that the vendor provide additional documentation to assist with our review, including but not limited to:
- Information Security Policy
- Disaster Recovery Plan
- Business Continuity Plan
- Terms and Conditions
What determines which HECVAT the vendor should complete?
There are two versions of the HECVAT – the HECVAT Full and the HECVAT Lite. Any third-party product that will capture, store, process, transmit, or otherwise manage RESTRICTED information must complete the HECVAT Full. Simple engagements and LTIs that will integrate into Canvas can use the HECVAT Lite as long as there is no financial transaction processing.
When should the documentation be obtained from the vendor?
As early in the procurement/implementation process as possible. However, we do understand vendors may not provide this information to the institution prior to a contract or agreement being in place. If there is a contract or agreement, we would request an opportunity to review any language pertaining to information security. Upon reviewing the contract, we reserve the right to request the addition of the USNH Data Security Addendum if we determine it is within the best interest of USNH.
How can I request a Security Assessment Review?
You can request a review by submitting a ticket - Security Assessment Review Request.
The requested documentation has been submitted for a review. What happens next?
Once we receive a completed HECVAT and the supplement, we will begin our review. During this time, we will identify any concerns, questions that need more information or clarification, or a need for additional documentation from the vendor. Once our initial review has been completed, we will provide feedback to the business unit, which may include requests for more information if necessary.
Who should I contact if we have questions regarding a Security Review?
If there are questions regarding a Security Review, please contact:
- William Sames - Cybersecurity GRC Analyst
- Tomi Gibson - Cybersecurity GRC Analyst
- Dr. David Yasenchock - Director, IT Governance, Risk, and Compliance
- Tom Nudd - CISO
Enterprise Technology & Services (ET&S) recognizes that there are times when business needs, academic activities, and/or research project requirements make it impossible or impractical to comply with the established Technology/Cybersecurity Policies & Standards and understands that there are circumstances where exceptions must be allowed.
Exceptions are temporary exemptions from Policy or Standard compliance.
Some examples of exceptions are:
- Use of software that requires a device running an old operating system
- Processes involving community members or administrators sharing accounts
- Servers or other information technology resources with vulnerabilities that cannot be fixed because of extenuating circumstances
- Business processes that cannot meet requirements because of resource constraints
The exception process, defined in the Cybersecurity Exception Standard, provides members of the USNH community with a single point of contact to request exceptions to all Technology/Cybersecurity Policies & Standards. Requiring documented exceptions enables Cybersecurity & Networking to better manage cybersecurity risk across all USNH institutions.
To request an exception, submit a ticket via TeamDynamix and provide as much of the information below as possible:
- The Policy or Standard for which the exception is being requested
- Business reason or justification explaining why an exception is needed
- Administrative, academic, or business unit requesting the exception
- Head of the requesting unit
- A description of why compliance is not possible (e.g., the total cost to comply with the Policy or Standard, or the negative impact to USNH community members, including an estimate of the number of community members that may be negatively impacted)
- List of the business units, business processes, information technology resources, and institutional information to which the exception applies
- How long the exception will be needed
Requests for exceptions are handled by Cybersecurity Governance, Risk, & Compliance (GRC). When a request is submitted, a ticket is created which allows the requester to view the status of the request and communicate directly with the Cybersecurity GRC team in the USNH TeamDynamix Client Portal.
Submit an exception request ticket via the Cybersecurity Services page
The ticket will include fields highlighted in the USNH Risk Exception Form (downloads a Word document). Please provide as much information as possible. If you have any questions, contact Cybersecurity GRC.
Ever have one of your emails reported to IT as a phishing attempt? Has Microsoft incorrectly tagged your email as spam? This document provides tips on how to draft an email you can feel confident about sending to coworkers.
Enterprise Technology & Services (ET&S) places significant value on our ability to establish and maintain a trusted relationship with the USNH community. In order to maintain that trust, it is essential that all ET&S employees, sponsored users, and student workers understand their responsibilities in relation to maintaining the confidentiality, integrity, and availability of University System of New Hampshire (USNH) institutional information and information technology resources and protecting the privacy of each individual community member.
The purpose of this agreement is to codify the responsibilities of all ET&S employees, sponsored users, and student workers for maintaining the confidentiality, integrity, availability, and privacy of institutional information and information technology resources. The following agreement is between you and USNH, on behalf of its component institutions.
The full agreement can be reviewed here - USNH ET&S Confidentiality Agreement