This is draft documentation for the new Information Security Policy. We are actively developing this content and are soliciting feedback on it.
Service administrators must ensure there is a written plan that describes how the standards established in the Information Security Policy apply to each specific information service under their purview. These plans must, at a minimum, contain the following information:
- A general description of the service, including its purpose, components, and the parties responsible for overseeing and maintaining the service.
- A description of the institutional information and research data that is stored, processed, or transmitted by the information service.
- The categories of institutional information and research data that the information service is capable of supporting.
- The information security controls for the information service that support the expected categories of institutional information and research data.
- The identified risks to the information technology systems, institutional information, and research data, and how each risk is addressed.
Centrally Provided Information Services
The Chief Technology Officer and Chief Information Security Officer will develop architecture and standards for information services. For information services provided by central IT, service administrators must develop service security plans that adhere to these architecture and standards.
Research Information Services
Researchers who develop and maintain information services as part of their research activity must ensure that service security plans are developed in alignment with the architecture and standards developed by Research Administration, in coordination with the Chief Technology Officer and Chief Information Security Officer, and that the plans meet applicable regulatory (such as HIPAA or DFARS) and contractual requirements.
Other Information Services
Service administrators will develop all other service security plans, including those designed to meet regulatory or contractual compliance requirements (such as HIPAA or DFARS), with guidance from UMass Amherst IT and Emergency Management and Business Continuity. In addition, Vice Chancellors and Deans, in their roles as identified in the policy, may identify architecture and standards to which service security plans under their purview must adhere.
An example service security plan is provided as a template.