Information Security Controls

This is draft documentation for the new Information Security Policy. We are actively developing this content and are soliciting feedback on it.

A robust information security program is necessary for effective business operations and continuity, regulatory compliance and risk management.  A security program includes administrative controls (institutional policy, procedures, protocols, documentation, training), technical controls (software and hardware) and physical controls (secure physical access to systems and data) to help protect institutional information and research data.

This documentation maps relevant information security and privacy controls to the institutional information and research data categories established in the Information Security Policy.

Anyone who uses a device that is connected to the campus network, or that stores or transmits institutional information or research data, is responsible for ensuring that the device adheres to these security control standards.

Foundational Information Security Controls

Per the Information Security Policy, all information technology resources, regardless of ownership, that contain institutional information or research data must have the following foundational information security controls in place and functioning:

  • Anti-virus software
  • Patching & central management of University-owned computers
  • Encryption
  • Firewalls
  • Secure disposal

Alternative, but equally effective, controls may be substituted in accordance with the exception process. Additional controls may be required based on the categorization of the information or data, the nature of the information technology resource, the applicable regulatory or contractual requirements, or other risk management calculations.

Information Security Controls for Institutional Information and Research Data Categories

NIST Special Publication 800-53 is the catalog of controls referenced in the Information Security Policy. The set of security and privacy controls that applies to a given environment is selected from its overall categorization (Low, Moderate or High) and then adjusted according to its risk assessment.

The university provides certain services, such as the UMass Amherst Data Center, Active Directory, etc., to assist areas in complying with many of these controls.

The table below is an overview of the twenty control families in NIST 800-53.

Control Families

    Identifier   Control Family
    AC           Access Control
    AT           Awareness and Training
    AU           Audit and Accountability
    CA           Assessment, Authorization, and Monitoring
    CM           Configuration Management
    CP           Contingency Planning
    IA           Identification and Authentication
    IP           Individual Participation
    IR           Incident Response
    MA           Maintenance
    MP           Media Protection
    PA           Privacy Authorization
    PE           Physical and Environmental Protection
    PL           Planning
    PM           Program Management
    PS           Personnel Security
    RA           Risk Assessment
    SA           System and Services Acquisition
    SC           System and Communications Protection
    SI           System and Information Integrity