UTS - Security Standards
OVERVIEW:
Oakland University (OU) is committed to maintaining a high level of community trust by implementing security and compliance initiatives in a manner consistent with all laws, regulations, and industry practices.
As a large public research institution, OU is accountable for a wide range of diverse security and compliance objectives that have both technical and non-technical aspects.
In some instances these efforts apply institution-wide, while others are tightly focused and only apply to certain projects / functional areas.
The purpose of this KB is to promote awareness of the various security and compliance initiatives University Technology Services (UTS) manages / tracks, along with the available methodology and tools that apply to each.
COMMON TERMINOLOGY & APPLICATION:
UTS may refer to various compliance and security acronyms when discussing technology solutions.
The information below is intended to clarify commonly used terms; however, it is not comprehensive, and each area is responsible for identifying the standards that apply to its operations.
ADA: The Americans with Disabilities Act (ADA) is a civil rights law that prevents discrimination against individuals with disabilities in all areas of public life, including jobs, schools, transportation, and all public and private places that are open to the general public.
- ADA is an extremely broad act; within the technology realm it typically applies to ensuring electronic content is accessible to all individuals, for example those with visual impairments.
CMMC: The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base, which includes certain federally funded research projects.
- Typically applies when working with government contracts or research funded by, or pertaining to, the Department of Defense (DoD).
FERPA: The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student ("eligible student").
- Broadly speaking, most University student records are governed by FERPA.
GLBA: The Gramm-Leach-Bliley Act (GLBA) is a law that applies to how higher education institutions collect, store, and use student financial records (e.g., records regarding tuition payments and/or financial aid) containing personally identifiable information.
- Applies when systems or areas on campus are involved in the processing of student financial information.
HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
- HIPAA is an extremely broad act; within the technology realm it typically applies to the collection of Protected Health Information (PHI) and billing for medical services.
Library Privacy Act: Michigan Act 455 of 1982 provides for the confidentiality of certain library records and for the selection and use of library materials.
- Applies to areas on campus that are providing library services.
PCI: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards first published in 2004 by the major credit card brands and is a requirement for any business that processes, stores, or transmits credit or debit card data.
- Applies any time credit or debit card information is in use. It is important to note that PCI DSS is in scope even for card-not-present transactions (e.g., payments taken over the phone or through a website).
NIST: Publications in the National Institute of Standards and Technology's (NIST) Special Publication (SP) 800 series consist of guidelines, recommendations, technical specifications, and annual reports of NIST's cybersecurity activities.
- Compliance with NIST standards is required for systems involved with the processing of certain federal information such as financial aid; however, the University has adopted the NIST SP 800 series as a security standard for all systems. The SP 800 series comprises hundreds of documents, but those commonly used by the University pertain to Risk Assessment (800-30), Security & Privacy Controls (800-53), HIPAA (800-66), and Protecting Controlled Unclassified Information (800-171).
TCP: A Technology Control Plan (TCP) is a document that details the security controls for information, including research data, that is covered by United States export control laws.
- Applies when working with research data sets that are covered by the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR).
TOOLS:
At their core, all security-related standards share a common foundation of best practices, which means there are often many paths to achieving compliance. For example, a single configuration may satisfy requirements from multiple, diverse standards. While there is no "one size fits all" approach to performing risk management and security compliance, UTS has compiled a catalog of tools that are tailored to addressing specific objectives.
UTS will work collaboratively with you to use the following tools to achieve your desired goal. However, we encourage you to explore the portfolio and familiarize yourself with the tools.
ADA:
Tool: Axe Browser Extension
Description: Accessibility browser extension that automatically tests for accessibility defects directly within your browser.
Directions: Download and install the browser extension using the information at the Deque website.
Recommendation: Use this tool anytime you are creating or modifying web content.
Tool: Siteimprove
Description: Siteimprove is managed by University Communications and Marketing (UCM) and is used to routinely check web content for ADA Compliance.
Directions: Promptly respond to notifications from UCM regarding necessary changes.
Recommendation: Partner with UCM to ensure your web content is included in automated scans.
Tool: Various
Description: Additional tools are identified at OU's Accessibility Website.
Directions: Review this site regularly to identify tools that may be useful to your area.
Recommendation: Use the tools as applicable to ensure compliance with Accessibility Standards.
CLOUD VENDOR RISK ASSESSMENT:
Tool: Higher Education Community Vendor Assessment Toolkit (HECVAT)
Description: The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk. Before you purchase a third-party solution, ask the solution provider to complete the HECVAT to confirm that information, data, and cybersecurity policies are in place to protect your sensitive institutional information and constituents' PII.
Directions: You can DOWNLOAD the HECVAT template and provide to a vendor for completion or request a completed copy from a vendor.
Recommendation: We suggest downloading the tool and reviewing the content to better understand risk vectors the university evaluates during the procurement process.
CMMC:
Tool: CMMC Model
Description: CMMC combines various cybersecurity standards and best practices and maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
Directions: You can DOWNLOAD the CMMC Model and follow inline instructions to complete.
Recommendation: We suggest downloading the tool and reviewing the content to better understand risk vectors impacting your project / environment.
GLBA:
Tool: Please refer to 800-171 in the NIST section below
HIPAA:
Tool: Security Risk Assessment tool (SRA)
Description: The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process.
Directions: You can DOWNLOAD the SRA tool and follow the inline directions to conduct a risk assessment.
Recommendation: We suggest downloading the tool and reviewing the content to better understand risk vectors impacting your health environment.
Tool: NIST 800-66 "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule"
Description: Discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule. It was written to help educate readers about the information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the required security standards.
Directions: You can DOWNLOAD NIST 800-66 and follow its guidance when implementing the Security Rule requirements.
Recommendation: We suggest downloading the guide and reviewing the content to better understand risk vectors impacting your health environment.
NIST:
Tool: NIST 800-53
Description: Security and Privacy Controls for Federal Information Systems and Organizations
Directions: You can access information HERE.
Recommendation: We suggest familiarizing yourself with the requirements
Tool: NIST 800-30
Description: Guide for Conducting Risk Assessments
Directions: You can DOWNLOAD NIST 800-30 and follow the inline instructions to conduct a risk assessment.
Recommendation: We suggest familiarizing yourself with the requirements.
Tool: NIST 800-171
Description: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Directions: You can access a blank read-only template HERE. We suggest making a duplicate of the template specific to the project and year. For systems co-managed by UTS, a partially completed template can be requested by submitting a request to [email protected]
Recommendation: We suggest familiarizing yourself with the requirements.
PCI:
Tool: PCI Data Security Standard Self Assessment Questionnaire (PCI-DSS SAQ)
Description: The Self-Assessment Questionnaire includes a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the planned remediation date and associated actions. There are different questionnaires available to match different merchant environments (for example, how card data is accepted and whether it is stored).
Directions: You can DOWNLOAD SAQs and follow the inline instructions to complete.
Recommendation: We suggest downloading the tool and reviewing the content to better understand the requirements necessary to obtain PCI compliance.
TCP:
Tool: Technology Control Plan (TCP) Template
Description: OU provides a TCP eform that is suitable for most needs. We suggest using the eform unless you have been provided specific guidance by a data owner.
Directions: You can access the eform HERE.
Recommendation: We suggest familiarizing yourself with the eform and its requirements.