New and Revised Information Security Guidance and Framework Realignment



To: Deans, Directors, and Department Heads
From: Teresa E. Banks, Information Security Office
Date: November 13, 2012
Subject: New and Revised Information Security Guidance and Framework Realignment


The Information Security Office has been working with campus stakeholders to update several of our standards and guidelines so that they include appropriate HIPAA Security Rule requirements, as well as other compliance program requirements.  These documents have been vetted by stakeholders, and approved by the Information Security Advisory Committee.

The revised documents are:

  1. Information Security Terms Guideline (IS-G100):  Revised to include additional terms for compliance programs
  2. Data Facility Physical Security Standard (IS-S501):  Revised to require that data facility repairs and modifications be documented, and that plans be kept up to date.
  3. Server Security Standard (IS-S603):  Revised to include requirements for audit logs, access reports and incident tracking reports, and review of these documents on a regular basis, as indicated in the Information System Activity Review Guideline (IS-G603 – new guideline).

The new documents are:

  1. Compliance Program Documentation Standard (IS-S101):  Created to provide guidance on documentation requirements for units that have legal, regulatory, or contractual obligations related to any compliance program.
  2. Compliance Program Documentation Guideline (IS-G101):  Accompanying guideline to the above standard for specific compliance program documentation requirements.
  3. Information System Activity Review Guideline (IS-G603):  Guideline that accompanies the Server Security Standard (IS-S603).  This document provides guidelines for ensuring the regular review of information system activity, such as audit logs, access reports, and security incident tracking reports.  This guideline is critical for all units, especially those that interact with Confidential University Data or data covered by regulatory or contractual requirements.

In addition, we have realigned our standards, procedures and guidelines so that they better align with the ISO 27001 compliance standard, which comprises best practices in information security.  The remaining documents have not been changed, other than being renumbered to reflect the realignment.  The old numbers have been included as a reference point.

We will be working with our campus stakeholders in the next few months in order to provide further documentation updates, and will announce the changes after they are thoroughly vetted and then approved.

If you have any questions, please contact the Information Security Office at 621-UISO (8476).

UA@Work is produced by University Communications
