Effective Date:

March 10, 2020

Revised:

March, 12, 2020

POLICY

INFORMATION MANAGEMENT, PRIVACY AND SECURITY

Cybersecurity Training, Compliance, and Remediation

RESPONSIBLE OFFICE

Office Of The CTO

REVIEWED: JUNE 2021 BY CTO GOVERNANCE

Purpose and Overview

The Information Security program has a critical role in ensuring the QTIS community has a practical understanding of cybersecurity risks. Working within the Information Security Policy, Information Security promulgates the BU Data Protection Standards to provide guidance and direction for protecting data in this complex environment. To be effective, Information Security must communicate and provide training on cyber risks and the Standards, monitor for compliance, and remediate issues.

Scope

The Data Protection Standards, including all subparts, apply to all QTIS Data, both physical and electronic, throughout QTIS This policy defines the responsibilities of Information Security to train, monitor, and remediate cybersecurity issues across the QTIS.

QTIS Information Security Responsibilities

To promote cybersecurity awareness and ensure policy compliance, Information Security will:

Provide additional strategic direction and guidance to the QTIS on cybersecurity topics, including meeting the Standards’ requirements as needed.
Provide training and consulting on cybersecurity and the Standards to the QTIS community.
Conduct cybersecurity policy compliance reviews as defined below.
Alert individuals and organizations that are not complying with the Standards and provide additional training and consulting services to remediate issues.

Training Program

QTIS Information Security will conduct and/or coordinate training programs designed to guide the QTIS’s efforts to protect Sensitive Information by increasing the community’s awareness of information security issues, including the requirements of the Data Protection Standards.

This training is general in nature, providing an overview of information security and the legal and regulatory context in which we operate. It is not intended to replace regulation-specific training that may be required of people conducting specific duties and needing specific information about those duties. For example, HIPAA training is and remains the responsibility of the Registrar’s Office.

QTIS Information Security will, on an annual basis, send a reminder by email to the Staff of QTIS providing a summary of the provisions of the Data Protection Standards, including the monitoring provisions of this document. Cybersecurity Foundations training, which includes the Data Protection Standards and additional information security policies, is provided on demand online to anyone within the QTIS community.

Compliance Monitoring

QTIS Information Security and IS&T will employ technologies and processes to monitor our cybersecurity risks. These technologies and processes fall into several general types:

Vulnerability Management
IS&T will conduct routine scans and audits of computing technologies connected to the QTIS network for vulnerabilities which may indicate a lack of compliance with the Minimum Security Standards. When discovered, Information Security will notify the appropriate system owners.

Scanning for Restricted Use Data
IS&T will conduct electronic scans from time to time to locate Restricted Use data on QTIS-owned systems. Once identified, Information Security will ensure that the controls protecting the data are sufficient under the Standards or work with appropriate individuals to properly secure or relocate the data.

Incident Response
Information Security maintains an incident response process that investigates cybersecurity events, including those that may indicate a breach of Sensitive Information. If Sensitive Information is discovered as part of such an investigation, Information Security shall remediate the exposure, including activation of the QTIS’s Data Breach Management Plan as needed.

Audits
The network monitoring and scans described above supplement the QTIS’s ongoing efforts to ensure the security and reliability of its information technology systems. They do not replace or affect the scope of other QTIS audit requirements and do not affect Internal Audit’s authority to conduct any audit or to take or recommend any action relating to information security as the result of an audit. Information Security activities are intended to educate the community about safely and securely conducting the QTIS’s QTISsiness.

The Information Security and Internal Audit functions at QTIS should work together and exchange information to support their respective functions.

Remediation Processes

When an issue with compliance with the Data Protection Standards is identified, Information Security will:

  • Document the non-compliance.
  • Alert the individual owner or system administrator to what was found
  • Provide appropriate information regarding complying with the Data Protection Standards. Training will be offered where appropriate or desired.
  • Offer consulting to help prevent future violations
  • Work with the individual or representative of the organization to establish a timeline for the remediation based upon the severity of the risk, the business needs of the client, availability of appropriate technology and other appropriate considerations.

Escalation Process

Information Security may escalate issues through layers of management based on the severity of the non-compliance or the number of times non-compliance has been detected. If appropriate, access by the offending account overall or to a system or specific data may be suspended until a remediation plan is agreed to and enacted.

Legal Obligations

If IS&T learns of a data breach, the QTIS Staff will notify state or federal authorities or individuals affected by the data breach and take any other action that, in the QTIS’s judgment, is necessary to comply with its obligations.

Important

Failure to comply with the Data Protection Standards may result in harm to individuals, organizations or Qtis AI. The unauthorized or unacceptable use of Qtis Data, including the failure to comply with these standards, constitutes a violation of Company policy and may subject the User to revocation of the privilege to use Qtis Data or Information Technology or disciplinary action, up to and including termination of employment.

END OF POLICY TEXT