To provide policies for establishing information security plans and data breach notification procedures.
1. Each campus and institute is responsible for creating, approving, maintaining, and implementing an information security plan based on the National Institute of Standards and Technology (NIST) Risk Management Framework.
a. The security plan must detail who is responsible for accepting risk at each campus and institute.
b. The security plan must include a data breach notification policy specific to their local campus.
i. Data breach notification policies must comply with state and federal laws and regulations as well as industry security standards such as the Payment Card Industry-Data Security Standard (PCI-DSS).
c. The security plan must include a plan of action and milestones for implementation of controls.
d. The security plan must be developed within one year of the effective date of this policy, or the responsible party must have a documented schedule for its development.
2. Each CIO is responsible for the information security plan specific to their campus or institute.
3. The CIO for University Wide Administration (UWA) is responsible for the information security plan specific to UWA.