Documenting Security

Monday

The Information Security Assessments of Compliance Program ensures and catalogs procedures to meet security policies.

[Image: Security emblem surrounded by electrical circuits]

Members of the university expect IT services that work reliably and securely. Behind the scenes, the “owners” of these services have their work cut out for them to stay on top of their services’ reliability, updates and other issues that could affect campus. In addition, the owners are responsible for making sure that the services comply with the university’s 16 different information security policies.

The Information Security Assessments of Compliance (ISAC) Program is a new, systematic process to help service owners ensure they are meeting policy standards. The UITS Leadership Team has identified 70 of the most critical university IT services to be evaluated through ISAC. These are managed by 48 service owners—some of whom are responsible for more than one service.

The ISAC Program has two phases that have been built into a ServiceNow workflow for each policy. For each service, the owner:

  • Acknowledges that they have read and understood the policy
  • Attests that they have a documented plan for fulfilling the policy

Dayon Harris manages the ISAC program for the Information Security Office. He has been working with Cecilia Gunn and her IT Service Management team for a year and a half building the workflow. Last November, Dayon began piloting the ISAC workflow in ServiceNow with 7 of the service owners. Last month, he sent out emails to the remaining 41 service owners to complete the first round of assessments.

The focus of the first ISAC round is the Vulnerability and Patch Management Policy. If a service owner does not have a documented standard operating procedure for meeting the policy, or has insufficient documentation, Dayon can provide them with a template built from industry best practices to work with. He can also connect them with the ISO Vulnerability Management Program, which will assist them with developing a process to identify, classify, prioritize, remediate, and mitigate vulnerabilities.

Most of the critical services are managed by UITS staff, though some fall within the purview of research. Some services are run and provided by outside vendors. In that case, the vendor contract must be reviewed to ensure that the service meets university policy requirements. 

The current review cycle on vulnerability and patch management will run through May 2026. The next cycle will cover a different information security policy.

Dayon emphasizes that he is here to help IT service owners, to support standardization and audit readiness. “We're here to make the best use of your time and provide you with the tools to allow you to be successful with creating procedures.”

With standardized documentation, IT staff will be in a better position to hand off work during vacations or when staff changes. Additionally, the university is better positioned for a security audit. The ISAC program is a further step in standardizing and professionalizing the university’s IT functions. 

This article is the first in a series of three stories highlighting Information Security Office programs dedicated to helping service owners keep campus IT resources secure. 