About the Office of Campus Information Security (OCIS)

The Office of Campus Information Security (OCIS) was created in 2006 in recognition of the critical and complex nature of information security on the UW-Madison campus. The Office reports directly to the CIO and Vice Provost for Information Technology.

OCIS works with campus data custodians and end users to minimize security risks and put programs in place to properly protect their data. OCIS also responds to reported security breaches and provides a variety of software tools, training, support and best practices to help the hundreds of different computing environments on campus (i.e., departments, schools, business units, end user desktops) and their users stay secure.

Information Technology Security Strategy

The general proposed strategy is to optimize risk management for information security incrementally and over time. Ultimately, campus will operate with reduced risk before an incident occurs and at all times thereafter (see Appendix A). Threats will continue to change and become more complex. Therefore, we are required to continuously improve the level of our Internal Controls Maturity (see Appendix B). This implies that security will be a process rather than a project.

Achievement of the goal, optimized risk management, requires a multi-faceted approach. The program outlined below provides effective practices and is supported with automated real-time monitoring for accountability and with decision metrics for current risk estimation. Employees are proactively involved with continuous improvements. The university will be able to benchmark to external best practices and seek external advice on effectiveness. For critical processes and systems, independent reviews need to take place to provide assurance that the controls are at the desired level of maturity and working as planned.

To accomplish the goal, we need a motivating factor for change and a series of near term objectives that roll up into the larger strategy over time. Our efforts should be focused on preventing losses of restricted data, followed by refining the processes and procedures for our intellectual property and other sensitive information.

The long term strategy is presented in three parts. Each part is intended to operate in parallel with the other two.

Strategy 1:  Establish Governance and Information Classification
Strategy 2:  Enriching People through Consulting, Awareness, and Training
Strategy 3:  Optimize Services, Measurement and Compliance Assistance

The near term operational objectives presented below are incorporated into our three strategies. They are modeled on the successful implementation of the PCI Compliance Assistance Team’s approach to campus PCI compliance. The PCI Compliance Assistance Team utilizes a governance process, technical expertise, and a collaborative IT service model to meet the requirements for compliance (see Appendix E). The PCI Compliance Assistance Team’s governance and implementation model is being utilized for the VC for Administration restricted data remediation protocol (see Appendix F). Working with the academic and administrative units to develop a common understanding for how to secure and manage personally identifiable data will provide a framework that can be leveraged across campus. Measuring the status of our environment and comparing it to industry standards will provide valuable information for governance. This process will achieve the long term Internal Controls Maturity in an incremental and actionable fashion. 

Objective 1:  Central data collection and aggregation for analysis resulting in a unified measurement of the Maturity of Internal Controls.
Objective 2:  Completion of UW-Madison PCI compliance project and the application of the successful UW PCI model to the VC for Administration Restricted Data Remediation project.
Objective 3:  Use the central measurements to elucidate the next UW-Madison campus unit most appropriate for the expansion of the successful Restricted Data remediation project.

Read the full strategy document including appendices.