Written Information Security Program (WISP)

Purpose

The University of Chicago Program is intended to:

• Ensure the security, confidentiality, integrity, and availability of personal and other sensitive information that the University of Chicago collects, creates, uses, and maintains.
• Protect against any anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information.
• Protect against unauthorized access to or use of University of Chicago-maintained personal and other sensitive information that could result in substantial harm or inconvenience to any member of the University community or employee.
• Define an information security program that is appropriate to the University of Chicago’s size, scope, and business, its available resources, and the amount of personal and other sensitive information the University of Chicago owns or maintains on behalf of others while recognizing the need to protect both customer and employee information.
• Ensure adherence to the University of Chicago’s Information Security Policy.

Applicability

Per the University of Chicago’s Information Security Policy, this Program applies to “all University faculty, associates, other academic appointees, students, staff, volunteers, and contractors (“Covered Persons”).”

This Program applies to all University information technology resources used to conduct University activities in support of the academic, research, and service mandates of the University, connect to the University network, or store University data or information. This includes data processed or stored and applications used by the University in hosted environments where the University does not operate the technology infrastructure.

Program Ownership

• Responsible University Officer(s): Assistant Vice President and Chief Information Security Officer
• Responsible Office: Information Security, a department of IT Services
• Effective date: June 26, 2024
• Last Updated: February 13, 2025

Roles and Responsibilities

The University of Chicago has designated the Assistant Vice President and Chief Information Security Officer (CISO) and the Information Security team to implement, coordinate, and maintain this Program. University of Chicago Information Security shall be responsible for:

• Implementation and maintenance of this Program, including:
  • Assessing internal and external risks to personal and other sensitive information and maintaining related documentation, including vendor and infrastructure risk assessment reports;
  • Coordinating the development, distribution, and maintenance of information security policies, standards and procedures;
  • Coordinating the design of reasonable and appropriate administrative, technical, and physical safeguards to protect personal and other sensitive information;
  • Ensuring that the safeguards are implemented and maintained to protect personal and other sensitive information throughout the University of Chicago, where applicable;
  • Overseeing service providers that access or maintain personal and other sensitive information on behalf of the University of Chicago;
  • Monitoring and testing the Program’s implementation and effectiveness on an ongoing basis;
  • Defining and managing incident response procedures; and
  • Establishing and managing enforcement policies and procedures for this Program in collaboration with the University of Chicago human resources and management.
  • Maintaining this Program.
• Engaging qualified information security personnel, including:
  • Providing them with security updates and training sufficient to address relevant risks; and
  • Verifying that they take steps to maintain current information security knowledge.
  • Making available to staff, researchers, and privileged users, including:
    • Providing periodic training on relevant information security policies, including the University of Chicago’s Information Security Policy.
    • Retaining training and acknowledgment records.
• Defining and managing an exceptions process to review, approve or deny, document, monitor, and periodically reassess any necessary and appropriate, business-driven requests for deviations from this Program or the University of Chicago’s cyber security policies, procedures, standards, and guidelines.

• Periodically, but at least annually, reporting to the University of Chicago’s management and the Board of Trustees in writing regarding the status of the Program and the University of Chicago’s safeguards to protect personal and other sensitive information, including the Program’s overall status, compliance with applicable laws and regulations, material matters related to the Program, such as risk assessment, risk management and control decisions, service provider arrangements, testing results, cyber incidents or policy violations and management’s responses, and recommendations for Program changes, per the University of Chicago’s Information Security Policy.

Related Security Policies and Procedures

As a part of this Program, the University of Chicago will develop, maintain, and distribute information security policies and standards with applicable laws and regulations.

Establish and Maintain the following policies:

• University of Chicago Acceptable Use Policy
• University of Chicago Information Security Policy
• Information Technology Resources and Account Privacy Policy
• University of Chicago Information Classification Guideline
• University of Chicago CNetID Account Management Practices and Password Requirements
• University of Chicago Policy 601 – Treatment of Confidential Information
• Network Border Firewall Security Zone Policy

Maintain all cybersecurity standards established to protect institutional data;

• Information Security Standards
• Physical Environmental Standards
• Sanitization of Digital Storage Media Standard
• Network Security Zones Standard
• IT Disaster Recovery Plan

Ensure policies and standards are in alignment with applicable federal, state, and local regulations;

• Family Educational Rights and Privacy Act (FERPA)
• General Data Protection Regulation (GDPR)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry (PCI)
• UCMC SSA Addendum

Identification and Assessment of Risks to the University of Chicago

As a part of developing and implementing this Program, the University of Chicago will conduct and base its information security Program on a periodic, documented risk assessment, at least annually or whenever there is a material change in the University of Chicago’s business practices that may implicate the security, confidentiality, integrity, or availability of records containing personal or other sensitive information. This process is outlined by the University of Chicago’s Security Framework Assessment.