How Does the UIC IT Security Program Affect Me?
The UIC IT Security Program is an extensive program designed to protect the university’s data assets. Accordingly, the full document is hundreds of pages long. We understand that most people just want to know how it will affect them during their normal business routine.
The most obvious ways that the Security Program will impact staff and faculty are:
Security Awareness Training – Faculty and staff will be required to complete bi-annual security awareness training. UIC has acquired a web-based training solution called SANS: Securing the Human, available from uic.securingthehuman.org. The training consists of a series of video modules (ranging from 3-5 minutes each) to watch, with each module followed by several questions that reinforce the information presented. The training can be completed all at once or one module at a time when you have time available. For most people, the total training time is about 42 minutes. Depending on your role at the university, you may have other training required by your unit.
Assist with Identifying and Classifying data in your possession – The program requires all units to identify and classify their data. As part of this effort, you may be contacted by your unit’s IT staff with questions regarding what data you work with, how sensitive the data is and where the data is stored.
University Messaging Systems (email) – University business must be conducted using university administered messaging systems. This means that you must conduct university business from your UIC email address. There are many reasons for this requirement such as backups, security, identity verification, business continuity, etc.
Personal Device Security – If you use personal devices to access university data, you must maintain them in accordance with the requirements of the Security Program. Just as IT administrators on campus secure university computers, you must do the same for your own devices if you are going to use them to access university data. This requirement is in place to ensure that personal computers don’t become the weak link that results in a breach of data.
Portable Device Encryption – You may be required to encrypt your university laptop depending on the classification of data that you store and process on the device. If you are part of the university’s HIPAA covered entity (the portions of the university defined as being involved with health-related data), all of your portable storage devices, including your university laptop, must be encrypted using an approved encryption method.
Access Control – The policy requires units to create formal processes to grant, remove and review access to data. Depending on your job functions, you may be required to complete a data access request.
Physical Security – Data security doesn’t just mean putting a password on your computer or running antivirus. The physical security of your devices is just as important. The program requires you to think about things like:
- Do you lock your workstation when you leave your desk?
- Can someone visiting you see sensitive information displayed on your screen?
- Do you have portable devices sitting on your desk that someone could easily take?
- Do you lock your office door when you leave, even for a few minutes?
System Security Settings – The program defines system security settings that are required (standards) as well as recommended (guidelines) settings. Typically, these will be set by your system administrator, but if you administer your own system you will want to familiarize yourself with the requirements and recommendations, and adjust your settings accordingly.
Security Incident Reporting – The program documents reporting requirements and procedures for system compromises. Typically, you should alert your IT administrator, who will report the incident in the appropriate manner.