Consolidation of information technology services and resources from each institution into the Enterprise Technology & Services (ET&S) organization requires unification and standardization of the policies and standards that govern technology and cybersecurity across all of USNH.
ET&S is seeking input and feedback from the USNH community on three proposed USNH Policies, which are outlined below. Information about providing feedback on the proposed policies is available here.
Feedback on these proposed policies will be accepted until April 10, 2021.
Once the public comment period closes, all three policies will be finalized and presented for approval to the USNH Admin Board at the April 2021 meeting. If approved, these Policies become effective May 1, 2021.
We have identified five USNH Policies that establish the governance framework needed for a consolidated approach to cybersecurity and unified technology service delivery. Two are already in force and three are being proposed:
- USNH Password Policy (USY.VI.F.8)
- New - USNH Cybersecurity Policy
- New - USNH Acceptable Use Policy
- Revised - USNH Information Classification Policy
To aid review of the proposed Policies, documents mapping existing USNH and institutional policies to each new Policy are available at the links above. Additionally, an institutional overview showing how existing institutional technology policies will be impacted by the new policies and standards is available (see Institutional Impact below).
In addition to the three new/revised policies, ET&S plans to develop 35-45 Standards over the next 12-18 months. These Standards provide specific requirements to guide community members in complying with the higher-level policies. Implementation of these standards will vary:
- Some became effective on February 15, 2021, in support of the overall Policy and Standard Initiative
- Some will require buy-in from specific administrative, academic, and/or business units across the institutions
- Some may be published for public comment like these Policies
- Some may be brought to each institutional leadership team to ensure buy-in and adoption
Factors that will drive implementation planning for each individual Standard include:
- Impact to the USNH community
- Amount of change required at one or more of the institutions to enable compliance
- Timing of budget and planning cycles
- Prioritization of risks mitigated by a specific Standard
The following Standards became effective on February 15, 2021. These Standards define new formal requirements and/or processes for all of USNH and will not replace any existing institutional policy provisions or processes.
- Cybersecurity Exception Standard – Provides guidance on exceptions to cybersecurity/technology policies and standards
- Cybersecurity Risk Acceptance Standard – Provides guidance on Risk Acceptance for cybersecurity/technology risks
- Cybersecurity Risk Management Standard – Establishes the Cybersecurity Risk Management Program
- Security Categorization Standard – Provides an outline of how information technology resources are assigned the security categorization used across several governance processes including Risk Management, Risk Acceptance, and Exceptions.
Information about additional Standards that are targeted to become effective on May 1, 2021, including how they map to existing institutional policy provisions and any implementation considerations specific to each USNH institution, will be published for community review in the first three months of 2021.
A full list of in-force, proposed, and planned Technology/Cybersecurity Policies & Standards is available here.
The proposed USNH Policies will replace existing USNH and institution-specific Policies. A list of USNH and institutional Policies that will be replaced, and a detailed mapping of that replacement, is provided for each of the proposed Policies at the links below:
Additionally, the following links provide an institution-specific view of how the ET&S Policy & Standard Initiative will impact existing institutional policies.
A register listing key communications sent to the USNH community about the ET&S Policy & Standard Initiative can be found here.