Information Security Policy Framework

The Information Security Office (ISO) has developed an Information Security Policy Framework to help shape and support future policy initiatives within Computing Services and the University. The framework illustrates a hierarchy of policies, standards, procedures and guidelines, and the color of each block indicates the current status of that document. While the framework lists all policies and standards that are part of the roadmap for the next 3 years, it does not provide a complete list of procedures and guidelines; the procedures and guidelines it does depict are those that play a greater role in achieving the Mission of the Information Security Office. It is important to note that this framework is meant to be dynamic in order to accommodate changing requirements over time.
Policy Framework vs. Current Policies

As mentioned above, the Information Security Policy Framework was developed to help shape and support future policy initiatives. As a result, not all current policies are represented. The following table lists the policies that are not depicted in the framework and the justification for why they are not present.

| Current Policy | Relationship to Framework | Timeline |
| --- | --- | --- |
| Data and Computer Security Policy | This policy will be replaced by the Information Security Policy depicted in the framework. | Development of the Information Security Policy began in January 2008 and is expected to continue through the remainder of 2008. |
| Computing Policy | Pending approval by the President's Council, this policy will be replaced by 2 new policies depicted in the framework: 1) Appropriate Use Policy and 2) Privacy Policy. It is common practice for these subjects to be addressed in separate policy documents, and the separation will also allow for easier maintenance over time. Additionally, the Computing Policy was last revised in 2003, making it due for extensive content review (based on a 5 year lifecycle). | Given that ISO will be spending much of 2008 publishing the Information Security Policy, work is not expected to begin on the Appropriate Use Policy or the Privacy Policy until 2009 at the earliest. |
| Policy on Student Privacy Rights | This policy is maintained by Enrollment Services, not the Information Security Office. As a result, it is not depicted in the framework. The Data Classification Standards depicted in the framework and scheduled for development in 2008 will supplement this policy. | Not Applicable |
Policy Framework vs. ISO 27002 Standards

ISO 27002 (previously known as ISO 17799) is an international standard for information security management. It is published by the International Organization for Standardization, which is composed of 150+ member countries; the U.S. representative within this organization is the American National Standards Institute (ANSI). Many organizations use ISO 27002 as a framework for building their information security program. The policy requirements of ISO 27002 will be largely satisfied by the Information Security Policy that is currently under development to replace the existing Data and Computer Security Policy. As development of the Information Security Policy progresses, information will be posted here to illustrate how it fulfills ISO 27002 standards.
Policy Framework vs. Regulatory Requirements

The University is governed by a number of state, federal and international regulations. The following table illustrates how the Information Security Policy Framework aligns with these varying regulations.

| Regulation | Summary | Relationship to Framework |
| --- | --- | --- |
| Family Educational Rights and Privacy Act (FERPA) | This regulation was enacted in part to protect the privacy of student information. | The University has published the Policy on Student Privacy Rights to help ensure compliance with FERPA. This policy is maintained outside the Information Security Office and is therefore not reflected in the framework. |
| Gramm-Leach-Bliley Act (GLBA) | This regulation was enacted in part to protect the security and privacy of financial information. | The University has published the GLBA Information Security Program Policy, depicted in the framework, to address compliance with GLBA. |
| Health Insurance Portability and Accountability Act (HIPAA) | This regulation was enacted in part to protect the security and privacy of health information. | The Information Security Office has developed the HIPAA Information Security Policy, depicted in the framework, to address the security requirements of HIPAA. This policy is pending approval by the President's Council. |
| State Breach Notification Laws | Numerous states have passed regulations stating that a resident of that state must be notified when their personally identifiable information is compromised. | The Information Security Policy under development in 2008 will contain provisions that address security breaches. The Information Security Office is also working to publish an updated Incident Response Procedure to help address these requirements. This procedure is depicted in the framework. |
| State Information Security Laws | Numerous states have passed regulations that require the implementation of appropriate security procedures to safeguard personally identifiable information. | All documents illustrated in the policy framework play a role in addressing these state laws. |