Information assets and technology resources are both valuable and essential to the mission of 福利理伦.\u00a0Administrative, technical, and physical safeguards are required to protect the assets and resources to support that mission; meet legal, regulatory, and contractual obligations; and protect privacy.<\/p>\n
The 福利理伦 Cybersecurity Program Plan provides high-level information describing the university Cybersecurity Program and its major components including the appointment of a coordinator, the selection and implementation of safeguards, ongoing risk assessments, training, and the management of service providers.<\/p>\n
Specific cybersecurity policies, standards, and guidelines as well as detailed plans and procedures are represented in separate documents.<\/p>\n
The Chief Information Security Officer (CISO) has been appointed to coordinate this program.<\/p>\n
The Office of Information security, under direction of the CISO and reporting to the Chief Information Officer (CIO), maintains a dedicated staff of trained cybersecurity professionals. The Office of Information Security is responsible for organization-wide IT risk management, vulnerability management, security operations, incident management and response, and management of the Information Security Program.<\/p>\n
Deans, department heads, and designate contacts assist in implementation of the Information Security Program. Their responsibilities include:<\/p>\n
Any institutional data classified as Private or Restricted per the University Information Security Policy (UPGA-10)<\/a> including\u00a0regulated data (e.g., FERPA, HIPAA, GLBA, etc.) and information governed by specific policies or requirements (e.g., PCI, GDPR, etc.).<\/p>\n Mission critical systems including infrastructure, applications, equipment, etc.<\/p>\n Collection and management of covered data assets are governed by this plan and associated policies, rules, and standards.\u00a0Data retention and destruction complies with the University Records Retention Policy (UPGA-3)<\/a>.<\/p>\n Risk assessments are conducted at least annually to identify foreseeable risks to covered assets.\u00a0Risk assessments are used to inform the selection and implementation of safeguards. \u00a0Identified risks without mitigating safeguards are documented, appropriately reviewed, approved, and monitored.<\/p>\n Units are responsible for conducting unit-level risk assessments to identify risks that are unique to their area of operation and for implementing appropriate safeguards to address these risks in addition to the common safeguards. Units can perform risk assessments independently, or units can request support from the Office of Information Security to complete unit-level assessments.<\/p>\n Program safeguards include physical, administrative, and technical safeguards across five high level functions:\u00a0 identification, protection, detection, response, recovery, and governance.\u00a0\u00a0 Taken together these safeguards constitute a common control environment for university systems.<\/p>\n The Office of Information Security, the Office of Purchasing, and the Office of General Counsel ensure service providers implement appropriate safeguards and that contractual agreements detailing privacy and security requirements are in place. The administrative procedure (ITP-1) Technology Governance and Procurement<\/a> defines the coordination between the Office of Purchasing and the Office of Information Security to ensure appropriate measures are in place to protect covered information.<\/p>\n This Program is evaluated and adjusted continuously. Feedback from risk assessments, security operations, and incident response activities inform the design and implementation of program components and safeguards by the program coordinator.<\/p>\n This plan is reviewed at least annually.<\/p>\n Units with data covered by the GLBA policy will also be covered by the University Fair and Accurate Credit Transactions Act Compliance Policy (UPFA-7)<\/a>.<\/p>\n Any questions concerning the content of this Plan and associated Policies, Standards and Guidelines should be addressed to the Chief Information Security Officer, ciso@marshall.edu<\/a> .<\/p>\n <\/p>\n <\/p>\n Overview Information assets and technology resources are both valuable and essential to the mission of 福利理伦.\u00a0Administrative, technical, and physical safeguards are required to protect the assets and resources to support that mission; meet legal, regulatory, and contractual obligations; and protect privacy. The 福利理伦 Cybersecurity Program Plan provides high-level information describing the university Cybersecurity<\/p>\n","protected":false},"author":144,"featured_media":0,"parent":127,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-sidebar-left.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-15539","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/pages\/15539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/comments?post=15539"}],"version-history":[{"count":14,"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/pages\/15539\/revisions"}],"predecessor-version":[{"id":19412,"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/pages\/15539\/revisions\/19412"}],"up":[{"embeddable":true,"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/pages\/127"}],"wp:attachment":[{"href":"https:\/\/www.marshall.edu\/it\/wp-json\/wp\/v2\/media?parent=15539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Data Management Lifecycle<\/h2>\n
Risk Assessments<\/h2>\n
Safeguards<\/h2>\n
Identification\u00a0\u2013 measures for identifying threats and risks<\/h2>\n
\n
Protection\u00a0– measures to prevent breaches and associated impacts<\/h2>\n
\n
Detection\u00a0– measures to detect security incidents<\/h2>\n
\n
Response\u00a0– measures for responding to attack or breach conditions<\/h2>\n
\n
Recovery\u00a0\u2013 measures for ensuring recovery to normal operations<\/h2>\n
\n
Governance<\/h2>\n
\n
Service Providers<\/h2>\n
Program Monitoring and Maintenance<\/h2>\n
Plan Review and Approval<\/h2>\n
Red Flags Rule Compliance and Identity Theft Protection<\/h2>\n
Questions<\/h2>\n
References<\/h2>\n
\n
Plan Revision and Review<\/h2>\n
\n\n
\n Date<\/td>\n Reviewer<\/td>\n Description<\/td>\n<\/tr>\n \n 2021-05<\/td>\n CISO \/ jbc<\/td>\n Submission of initial program plan<\/td>\n<\/tr>\n \n 2022-06<\/td>\n CISO \/ jbc<\/td>\n Annual plan review<\/td>\n<\/tr>\n \n 2023-07<\/td>\n CISO \/ jbc<\/td>\n Edits, annual plan review<\/td>\n<\/tr>\n \n 2024-07<\/td>\n CISO \/ jbc<\/td>\n Edits, annual plan review<\/td>\n<\/tr>\n \n 2025-08<\/td>\n CISO \/ jbc<\/td>\n Edits, annual plan review<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"