University Edition Cyber Security and Data Privacy Policies
The University Edition Cyber Security and Data Privacy policies are tailored for implementation by research units and services supporting research with sensitive research data, especially sensitive human subjects research data, and are consistent with the cyber security and data privacy policies of the University of Chicago Medical Center and the Biological Science Division. The cyber security policies themselves are representations of NIST SP-800-171 and also incorporate necessary references to support HIPAA compliance where that may be needed.
Each unit, department, lab, project, or service (an “Organization”) that wishes to adopt this policy suite does so by revising and executing the Responsibility and Oversight Policy, which is written as a template. The executed Responsibility and Oversight Policy incorporates the rest of the University Edition Cyber Security and Data Privacy policies by reference and also provides a mapping between standard terms used throughout the policy suite and their meanings in the context of the adopting Organization.
An adopting Organization will also need to notify the University’s Chief Information Security Officer (CISO) and the Office of Legal Counsel (OLC) of its intention to implement this policy framework within its operation. This can be accomplished by contacting CISO@uchicago.edu. Both Offices are needed to help the Organization achieve a satisfactory cyber security and data privacy implementation.
Each of the cyber security policies contains a section of “risk based controls” that are classified as Core, Low, or Moderate. Low and Moderate have the meanings assigned to them by FISMA; Core controls are basic measures that should be in place across the Organization. Most research with sensitive data at UChicago is sufficiently secured by meeting the Core and Low control statements. This determination must be established for each adopting Organization in consultation with the CISO and OLC.
University Edition Cyber Security and Data Privacy policies: https://uchicago.box.com/v/univ-ed-cyber-policies