The BSD Information Security Office (ISO), UCM and University Information Security Offices have collaboratively developed a set of cyber security policy documents that will direct and guide our Organizations through the new landscape of cyber security threats and regulations. These Policies apply to employees and students of the Organizations, individuals who fall within the definition of “Workforce” of an Organization, and third parties with access to the Organizations’ Information Systems and/or the Organization’s Information Assets (“Covered Individuals”).
For further information or to request assistance, please contact us at security@bsd.uchicago.edu.
Policy: Access Control Policy
Description: This policy establishes that access to information and Information Systems will be limited to properly identified, authenticated and authorized users or devices, and to processes acting on behalf of such users or devices.
Policy: Audit and Accountability Policy
Description: This policy sets forth the security requirements that will support the Organizations’ ability:
- To review key auditable events to verify the appropriateness of access to Information Systems, and the Data they contain,
- To assist the Organizations in detecting, containing and correcting security violations.
Policy: Awareness and Training Policy
Description: This policy defines how the Organizations train Covered Individuals on the policies and procedures that promote a secure environment and the Acceptable Use of technology, as necessary and appropriate for the individuals to carry out their specific functions in accordance with the Security Obligations.
Policy: Configuration Management Policy
Description: This policy ensures the Organizations’ Information Assets are managed in a secure manner, and that the information stored, transmitted or processed is protected and secure.
Policy: Cybersecurity Incident Response Policy
Description: This policy describes the procedures to be followed to address a Cybersecurity Incident involving (a) Information Assets operated by the Organizations’ Covered Individuals, or (b) the Organizations’ Information that is transmitted, stored or processed on any Information Asset that is or may have been inappropriately accessed.
Policy: Data Classification Policy and Handling Procedures
Description: This policy classifies the Organizations’ information, and third-party information in our possession or under our control, and governs the protection, use, and disclosure of information to protect its confidentiality, integrity, and availability. This policy also provides the steps to take to apply appropriate protections, including access controls, to the materials containing the information based upon the classification level.
Policy: Media Protection Policy
Description: This policy sets forth the procedures for safeguarding the Electronic Media that stores Organizational information, to ensure that the privacy, security, and integrity of Restricted or Information Use Only information is maintained, and to guard against improper disclosure and access by unauthorized individuals, consistent with the Security Obligations.
Policy: Personally Owned Devices Policy
Description: This policy sets forth the minimum set of expectations for the use of personally-owned devices (such as phones, smartphones, laptops, and/or tablets) by Covered Individuals to access the Organizations’ Information and Information Assets.
Policy: Physical and Environmental Protection Policy
Description: This policy sets forth the requirements for the physical, environmental and facility access controls to ensure the protection of Information Assets and Information Systems from unauthorized access, and safeguard against environmental threats.
Policy: Responsibility and Oversight Policy
Description: The goals of the Cyber Security Programs and policies are to:
- a) Support the core missions of the Organizations, including their shared mission of clinical care, education and research,
- b) Create an environment that supports and enables their initiatives (e.g. community service, strategic growth, strategic operations, world-wide education in areas of science, clinical, translational and basic science research, preeminence of the Biological Sciences Division and the UChicago Medicine, and scholarship) and that flexibly manages risk based upon the environments, goals and information covered, and
- c) Safeguard information in a manner that reduces risk and complies with the Security Obligations.
Policy: Risk Assessment & Management Policy
Description: This policy ensures that the Organizations conduct assessments of the risk to organizational operations, assets, and individuals resulting from the operation of the Organizations’ Information Systems and the associated processing, storage or transmission of the Organizations’ information. This policy also ensures that identified risks are managed according to the Organizations’ expectations.
Policy: System and Communications Protection Policy
Description: This policy sets forth the general framework for how Information Systems will be configured to communicate, and the protections that must be in place in order to ensure the security of those communications.
Policy: System and Information Integrity Policy
Description: The purpose of this policy is to mitigate the risk of malicious intrusion or unintentional mistakes that undermine the integrity of server-based applications.
Policy: System and Service Acquisition Policy
Description: This policy ensures sufficient protection of Information Assets or technology services during acquisition. This is accomplished by setting procedures for life-cycle management and resource allocation.
Policy: Identification and Authentication Policy
Description: This policy sets forth a general framework for identification, user account creation, authentication requirements and service account management, and sets the rules under which systems shall operate to reduce the risk of, and minimize the effect of, security incidents.
BSD Information Security Standards
The BSD Information Security Office (ISO) has developed standards to guide a system owner or administrator in reviewing a system configuration and ensuring the system is properly protected. These Standards apply to Systems in the BSD research and academic enterprise, which includes BSD basic sciences, the Pritzker School of Medicine, and various other BSD units engaged in research. System Administrators, researchers and staff with system administration responsibilities are expected to safeguard information and systems they use and/or support. Non-compliance with these standards will result in revocation of access to the data, system, and/or network.
For further information or to request assistance, please contact us at security@bsd.uchicago.edu.
Standard: STA-01 BSD Minimum Security Standards for Servers
Description: This document defines the BSD minimum security standards required for systems that may be used to access, store or process (input, output, transmit, receive, display, calculate, etc.) information owned and used by the University of Chicago Biological Sciences Division (BSD).
Standard: STA-02 BSD Security Standards for Databases
Description: This document defines the BSD Security Standards for Databases, including the Access, Data, Database Application, and Build and Configuration controls that a database owner or administrator must review and apply to ensure that the database is properly protected.
Standard: STA-03 BSD Security Standards for Networked Printers
Description: This document defines the BSD Security Standards for Networked Printers, including the Access, Logging and Configuration controls that a printer owner or administrator must review and apply to ensure that the network printer is properly protected.
Standard: STA-04 BSD Password Management Standards
Description: This document defines the BSD Password Management Standards required for configuring and protecting passwords to reduce the risk of account compromise in the Biological Sciences Division.
Standard: STA-05 BSD IT Asset Inventory and Categorization Standards
Description: This document defines the BSD IT Asset Inventory and Categorization Standards required for identifying and prioritizing BSD information technology assets that contain University information.
Standard: STA-06 BSD Media Sanitization Standards
Description: This document defines the BSD Media Sanitization Standards required for the secure removal of restricted information from media used to store information owned and used by the Biological Sciences Division.
Standard: STA-07 BSD Security Standards for Web Applications
Description: This document defines the BSD Security Standards for Web Applications. This standard ensures that web applications used by the Biological Sciences Division are properly and safely developed.
Standard: STA-08 BSD Vulnerability Management Standards
Description: This document defines the standards required for reducing the risks posed by breaches in security caused by the exploitation of vulnerabilities in the Biological Sciences Division.
Standard: STA-09 BSD IT Security Exception Standard
Description: This document defines the standards for requesting an IT Security exception to compliance with established Biological Sciences Division information security policies, standards, and procedures.
Standard: STA-10 BSD Minimum Security Standard for Endpoints
Description: This document defines the BSD Security Standards for Endpoints (Windows and Mac). This standard ensures that endpoints used by the Biological Sciences Division are properly and safely secured.
BSD Information Security Guidelines and Procedures
BSD Data Research Guidelines for Research Health Information (RHI)
The purpose of this guideline is to ensure information security and data privacy for Research Health Information (RHI).
- BSD Guideline for the Use of Software with Research Health Information
- Office of Clinical Research – HIPAA Privacy and Research
Securing Devices Guidelines
The purpose of these guidelines is to ensure greater security on individual assets.