Written by: Adam Travis, Senior Consultant
ITS staff members are usually responsible for administering security procedures in accordance with all institutional policies dealing with the security, access, and confidentiality of college records. SIG has put together an inclusive list of 21 keys to unlocking a comprehensive security policy.
Steps to Create a Policy
- Look for a template or sample policy. Educause has a great framework worth looking into.
- Meet with data governance group(s) to discuss template and answer the questions identified here.
- Prepare a draft policy.
- Seek input from all stakeholders, including technical and functional.
- Present a revised policy to the appropriate governance groups.
- Work to adopt a final policy and notify all stakeholders.
Steps to Create an Implementation Document
- Start with analysis to determine if there is a gap between current processes/documentation and the requirements of the policy.
- Conduct a business process analysis (BPA) with stakeholders to define the future-state processes.
- Technical resources may be needed to implement systems for tracking or automating parts of the process. These may turn into separate projects and may need to be done in phases as resources are available.
- Document each step from requesting to approving, to granting access, to auditing and reviewing access. These may be separate documents, and should include appendices with forms and sample communications, but there should be at least a summary which describes the complete process and lifecycle of access.
- Seek legal and expert opinions, if needed, to ensure plans allow the institution to meet all regulatory requirements, such as GDPR.
- All procedures should be reviewed, revised, and approved by appropriate governance committees.
Adopting New Procedures
- Once procedures are approved, a roll-out plan can be developed. This should include communicating changes to all stakeholders, establishing dates for changes and transitions, and training as needed.
- A phased approach might be needed because of other changes under way at the institution. Timing security changes to coincide with other major system events may be useful.
Implementing Security Changes
- If a new setup of security controls is the outcome of the process, it may be easiest to implement changes over a period of time with plans for how to roll-back or quickly fix problems to ensure minimal disruption to business processes.
- For example, new security classes in Banner can be created and users transitioned gradually at a time convenient for each department or user. In the event of a problem, restoring a user's prior access should be quick, giving time to identify a resolution.
- Where gradual changes are not possible, thorough testing is recommended to reduce the risk of disruption to business processes.
- For example, Banner PII security policies affect all users as soon as they are enabled and should be tested thoroughly. If problems do occur, individual users can be exempted from the policy.
- Whenever possible, use auditing tools ahead of a change to determine what impact there may be after the changes.
- Always communicate the strategic and critical importance of security changes to the institution. Some people resist change, and others may feel that changes they cannot see are not valuable. It is important to remind people how important these procedures are to the institution, even if they cannot observe them daily.
- Conduct training over a period of time to ensure compliance with training requirements.
- Transitioning old records of access approvals to a new system is often not possible or will be incomplete. Therefore, as security is transitioned, you may wish to require that all access be re-approved by initiating the approval process for all current users of each identified system. Anyone not approved by the deadline has all access removed. This gives a starting point for approvals in the new tracking system and ensures that every access grant is paired with an approval.
- Ideally, security changes should not be disruptive to the average user and should help ensure availability and access to the critical information they rely on each day.
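The re-approval step above is, in practice, a reconciliation of what the systems currently grant against what the new tracking system has recorded as approved by the deadline. The script below is an added example (it is not SIG's code and not a Banner or Ellucian utility) showing that reconciliation, plus the kind of impact preview the "use auditing tools ahead of a change" point calls for. The system names, security-class names, user IDs, approvers and dates are constructed sample data, and the export format (one row per grant, one row per approval) is an assumption; a real run would load these from the access-management system and the tracking system.

```python
"""Access re-approval reconciliation (added example; sample data is constructed)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    """One access grant as currently provisioned in a system (assumed export format)."""
    user: str
    system: str
    security_class: str


@dataclass(frozen=True)
class Approval:
    """One approval recorded in the new tracking system (assumed export format)."""
    user: str
    system: str
    security_class: str
    approver: str
    approved_on: date


# Constructed sample data: what the identified systems grant today.
CURRENT_GRANTS = [
    Grant("jdoe", "Banner", "BAN_FINAID_QUERY"),
    Grant("jdoe", "Banner", "BAN_STUDENT_UPDATE"),
    Grant("asmith", "Banner", "BAN_HR_UPDATE"),
    Grant("bwong", "Banner", "BAN_FINAID_QUERY"),
    Grant("bwong", "Reporting", "RPT_STUDENT_PII"),
    Grant("svc_legacy", "Reporting", "RPT_ALL"),
]

# Constructed sample data: approvals captured in the new tracking system.
DEADLINE = date(2024, 6, 30)
APPROVALS = [
    Approval("jdoe", "Banner", "BAN_FINAID_QUERY", "registrar", date(2024, 6, 10)),
    Approval("asmith", "Banner", "BAN_HR_UPDATE", "hr_director", date(2024, 6, 12)),
    # Approved after the deadline: per policy, the grant is still removed and
    # must be re-requested through the normal process.
    Approval("bwong", "Banner", "BAN_FINAID_QUERY", "finaid_director", date(2024, 7, 2)),
    # Approved but never provisioned: worth a look, since the approval
    # record and the actual grants should match in both directions.
    Approval("cjones", "Banner", "BAN_STUDENT_UPDATE", "registrar", date(2024, 6, 20)),
]


def _key(row):
    """Identity of a grant or approval: who, on which system, for which class."""
    return (row.user, row.system, row.security_class)


def reconcile(grants, approvals, deadline):
    """Pair every current grant with an approval made on or before the deadline.

    Returns a dict with:
      keep          - grants backed by a timely approval
      revoke        - (grant, reason) pairs to remove after the deadline
      unprovisioned - approvals with no matching grant
    """
    on_time = {_key(a) for a in approvals if a.approved_on <= deadline}
    late = {_key(a) for a in approvals if a.approved_on > deadline}
    keep, revoke = [], []
    for g in grants:
        k = _key(g)
        if k in on_time:
            keep.append(g)
        elif k in late:
            revoke.append((g, "approved after deadline"))
        else:
            revoke.append((g, "no approval recorded"))
    granted = {_key(g) for g in grants}
    unprovisioned = [a for a in approvals if _key(a) not in granted]
    return {"keep": keep, "revoke": revoke, "unprovisioned": unprovisioned}


def impact_report(result):
    """Preview the effect of the revocations before anything is changed.

    Returns revocations per system and the users who would lose *all* access,
    which is the group most likely to generate support calls on the cutover date.
    """
    per_system = Counter(g.system for g, _ in result["revoke"])
    still_has_access = {g.user for g in result["keep"]}
    losing_everything = sorted({g.user for g, _ in result["revoke"]} - still_has_access)
    return {"per_system": dict(per_system), "users_losing_all_access": losing_everything}


if __name__ == "__main__":
    result = reconcile(CURRENT_GRANTS, APPROVALS, DEADLINE)
    for g, reason in result["revoke"]:
        print(f"REVOKE {g.user:<11} {g.system:<10} {g.security_class:<20} ({reason})")
    for a in result["unprovisioned"]:
        print(f"REVIEW {a.user:<11} {a.system:<10} {a.security_class:<20} (approved, never granted)")
    print(impact_report(result))
```

Run this in preview mode well before the deadline and send each department its own slice of the `REVOKE` list; that is the communication and training lead time the roll-out plan needs, and the `users_losing_all_access` list is the one to check by hand before cutover so that a missing approval does not lock a whole office out of Banner on day one.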
If you’re struggling to put together a sound policy, let’s discuss how SIG can help!