Policies, Standards, Procedures and Guidelines 

The Information Security Office (ISO) is responsible for coordinating the development and dissemination of Information Security Policies, Standards, Procedures and Guidelines for the University.  ISO is also responsible for coordinating various regulatory compliance efforts.  For example, specific Policies and Procedures have been developed to help ensure compliance with the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).  ISO publishes an index of all of its Policies, Standards, Procedures and Guidelines, as well as separate pages with more specific information about each type of document.

Policies are high-level statements, equivalent to organizational law, that drive decision making within the University.  University Policies are subject to a rigorous review process and are approved by the President's Council, a senior-level decision-making body of the University.

Standards are technical specifications for achieving compliance with University Policies.  Standards are similar to Guidelines in their structure but are requirements, not recommendations.  Standards are subject to a rigorous review process prior to publication.

Procedures are step-by-step instructions for accomplishing a task.  Procedures published by the Information Security Office are designed to reinforce University Policies and help ensure timely and consistent service delivery.  Procedures may also play an important role in maintaining compliance with varying state, federal or international regulations.

Guidelines are general recommendations or instructions that provide a framework for achieving compliance with one or more Policies.  They are more technical in nature than Policies and are updated more frequently to account for changes in technology and/or University practices.  Guidelines published by the Information Security Office are subject to a formal review process that includes analysis by Computing Services, the Departmental Computing Group and other University stakeholders identified on a case-by-case basis.

Recent Publications

Name                                                  Version   Date
Procedure for Responding to a Compromised Computer    2.0       04/18/2008
HIPAA Information Security Policy                     1.0       02/15/2008
HIPAA Security Frequently Asked Questions             1.0       02/15/2008
HIPAA Security Rule Policy Map                        1.0       02/15/2008