Carnegie Mellon University

Information Security Policy Roadmap

The University instituted a new Information Security Policy in December 2008 as a measure to protect the confidentiality, integrity and availability of institutional data.  Over the coming months, the Information Security Office will work closely with the Executive Steering Committee on Computing and other stakeholders to publish a collection of guidelines and procedures that will aid in the interpretation of this policy.  The following is a roadmap of planned activities.


Phase 1 - Policy Development

The first phase of this effort involves the development of a draft Information Security Policy.  The Information Security Policy will go through an extensive review process and follow the University's Policy Creation and Review Process.  The Information Security Office will also work closely with the Executive Steering Committee on Computing ("ESCC") throughout this effort.  This proposed policy must be approved by the President's Council prior to publication.

Tasks
Create initial draft of Information Security Policy
Review with Vice Provost of Computing Services
Review with Office of General Counsel
Review with Executive Steering Committee on Computing
Review & Approval by Management Team Light
Review with Business Manager's Council and Staff Council
Review with Departmental Administrators
Approval of the Policy by President's Council
Publication
Communicate Publication of the Policy

Deliverable | Version | Status | Last Updated
Information Security Policy | 1.0 | Published | 12/17/2008

Phase 2 - Guidance & Procedure Development

The second phase of this effort will involve the development of numerous guidelines and procedures to aid in the interpretation and implementation of the Information Security Policy.  These documents will go through an extensive review process and be approved by the Executive Steering Committee on Computing prior to publication.  The following process will be followed for each document published:

Tasks
Create initial draft
Review of draft by the Director of Information Security
Review of draft by the Information Security Policy Advisory Committee
Review of draft by the Vice Provost of Computing Services
Review of draft by the Office of General Counsel
Review of draft by Departmental Computing Forum
Review and approval of draft by the Executive Steering Committee on Computing
Publication
Communicate Publication

Deliverable | Version | Status | Last Updated
Information Security Roles & Responsibilities | 1.0 | Published | 09/15/2011
Guidelines for Data Classification | 1.0 | Published | 09/15/2011
Guidelines for Data Protection | 1.0 | Published | 09/15/2011
Guidelines for Data Sanitization and Disposal (Update) | 1.0 | Published | 09/15/2011
Guidelines for Data Handling | N/A | Not Started | N/A
Procedure for Policy Exception Handling | N/A | Not Started | N/A
Procedure for Responding to a Security Breach | N/A | Not Started | N/A
Guidelines for Data Retention | N/A | Not Started | N/A

NOTE: The Guidelines for Data Sanitization and Disposal have been merged with the Guidelines for Data Protection and renamed Media Sanitization and Disposal.

Phase 3 - Awareness Campaign

The Information Security Office is currently piloting an updated version of its Security 101 awareness program, which incorporates the Information Security Policy and supporting guidance. The slides for this updated awareness program can be found here. Details regarding additional awareness and training opportunities are still being formalized.


Additional Information

If you have any questions or concerns related to this roadmap, the Information Security Policy or any of the supporting documents being developed as part of this effort, please send email to the Information Security Office at iso@andrew.cmu.edu.  Suggestions and feedback related to documents that are currently under review are also welcome.
