University Edition Cyber Security and Data Privacy Policy Templates

The University Edition Cyber Security and Data Privacy policy templates are intended to be tailored for implementation by research units and services supporting research with sensitive research data, especially sensitive human subjects research data, and are consistent with the cyber security and data privacy policies of the University of Chicago Medical Center and the Biological Sciences Division. The cyber security policy templates are representations of NIST SP800-171 and also incorporate necessary references to support HIPAA compliance where that may be needed.

Some units, departments, labs, projects, or services that store or process sensitive research data may be required to implement a security plan that meets a standard defined by the University Edition Cyber Security and Data Privacy policies to demonstrate sufficient ability to manage associated institutional liability. A unit, department, lab, project, or service (an “Organization”) adopts this policy suite by revising and executing the Responsibility and Oversight Policy, which is written as a template. The executed Responsibility and Oversight Policy template incorporates the rest of the University Edition Cyber Security and Data Privacy policy templates by reference and also provides a mapping between the standard terms used throughout the policy suite and their meanings in the context of the adopting Organization. With an executed Responsibility and Oversight Policy, the Organization can then assert to external parties that its security and data privacy policies are the University Edition Cyber Security and Data Privacy policies.

An adopting Organization will also need to notify the University’s Chief Information Security Officer (CISO) and the Office of Legal Counsel (OLC) of its intention to implement this policy framework within its operation. This can be accomplished by contacting CISO@uchicago.edu. Both offices are needed to help the Organization achieve a satisfactory cyber security and data privacy implementation.

Each of the cyber security policy templates contains a section of “risk based controls” that are classified as Core, Low, or Moderate. Low and Moderate have the meanings assigned to them by FISMA; Core controls are basic measures that should be in place across the Organization. Most research with sensitive data at UChicago is sufficiently secured by meeting the Core and Low control statements. This determination must be established for each adopting Organization in consultation with the CISO and OLC.

Reference:

University Edition Cyber Security and Data Privacy policy templates https://uchicago.box.com/v/univ-ed-cyber-policies

Category: Security
Policy Owner: UChicago CISO