USNH Cybersecurity Policy - Proposed

OVERVIEW 

The new USNH Cybersecurity Policy consolidates existing policy provisions from multiple USNH and institution level policies and expands upon what already exists to establish a current, comprehensive, USNH-wide Policy that covers all aspects of Cybersecurity.

You can review the proposed USNH Cybersecurity Policy here.

This Policy is currently open for Public Comment. You can submit feedback, questions, or comments here.


MAPPING TO CURRENT POLICIES

For the most part, the new USNH Cybersecurity Policy does not fundamentally change the intent of the mapped provisions in the existing policies, but focuses on:

  • Updating language to reflect current terminology and concepts
  • Adjusting responsibilities to address organizational changes
  • Using consistent terminology across all Cybersecurity Policies & Standards
  • Breaking vague or general provisions into explicit Policy requirements
  • Ensuring the entire Policy is written at the appropriate level of detail and moving implementation or compliance details to the related Standards, where they belong
  • Removing provisions that are outside the purview of Enterprise Technology & Services (ET&S)

New sections that represent material changes to the intent of the existing policies are outlined below.

The following existing policies will be replaced in full by the new USNH Cybersecurity Policy. A complete mapping of each institution's existing policy to the new Policy is provided at the links below.

A comprehensive map of all impacted institutional policies to the new Policy can be found here.
(This is the same mapping information as the institutional maps, just in aggregate.)


ADDITIONAL SECTIONS ADDED

While much of the content in the new USNH Cybersecurity Policy can be mapped to provisions in existing policies, the following new provisions were added to this Policy and represent material changes to the original intent of the existing policies.


Expansion - Section 5.8 Identity and Access Management

  • Added provision formalizing existing practices at all institutions around the use of a single, primary identity for each USNH community member which is supported by the Identity Management Standard
  • Added provision outlining requirements for management of accounts that mirror existing practices for most enterprise-level accounts (those managed by ET&S). Detailed compliance requirements that will be documented in the Account Management Standard may require that administrative, academic, and business units who are currently managing information technology resources (e.g., vendor cloud applications) without the assistance of ET&S implement new processes and procedures. Detailed compliance requirements for the use of Non-Primary Identities (Secondary Accounts, Service Accounts, Pool Accounts) and for Sponsored and Guest Access that will be documented in those Standards may constitute material changes for some administrative, academic, and business units at one or more of the institutions.

Standards related to this section:


New Section – 5.6 Personnel Security

This section formalizes in Policy existing practices for ensuring that employees and other community members who are given access to information technology resources have been properly vetted and that they understand and acknowledge the specific cybersecurity responsibilities that come with their role or with the access provided to them.

  • 5.6.1 relates to the existing employee background check performed by HR at each institution and does not constitute a material change to existing practices.
  • 5.6.2 relates to a new ET&S Confidentiality & Cybersecurity Agreement that will replace the existing institution-specific agreements signed by information technology employees. This does not constitute a material change to current practices.
  • 5.6.3 relates to the current practices that require community members to sign or acknowledge data-specific agreements (e.g., Banner HR/Fin Agreement) before being granted access to those information technology resources. The provision provides a policy basis for the existing requirement and allows for expansion to other types of access in the future, if needed. As such, it does not constitute a material change to existing practices.

Standards related to this section:

  • Personnel Security Standard (Phase 3+ Standard)


New Section – 5.14 Incident Management

This section formalizes in Policy existing practices for the management of cybersecurity incidents, including data breaches, predominantly at UNH and expands those practices to cover all USNH institutions. As Incident Management is completely within the purview of ET&S, this expansion does not constitute a material change for any community members outside of ET&S. Training needed to make all USNH community members aware of their responsibilities in relation to the new provisions will be provided as part of a new Cybersecurity Awareness and Training program planned for 2021.

Standards related to this section:

  • Cybersecurity Incident Response Plan (Distribution Limited)
  • Data Breach Notification Standard (Phase 3+ Standard)


New Concept – 7 Exceptions

The new Policy introduces the concept of Policy exceptions and directs community members to the detailed requirements related to these exceptions provided in the Cybersecurity Exception Standard. This concept, section, and Standard reference will be consistent across all Cybersecurity Policies and the related Standards.

Standards related to this section: