Eight Schools Information Security Policies:

The Process at Hotchkiss

Information Security…

…not an entirely new idea.

Hotchkiss Strategic Technology Plan

Developed May 2007 through February 2008 by a twenty-member broad-based committee

Comprehensive plan covers academic and administrative technologies

Hotchkiss Strategic Technology Plan

Resulted in action-oriented goals and detailed action plans

After adoption, a workgroup was assigned to begin work on administrative objectives

Progression of Work

Strategic Technology Plan

Administrative Technology

Educational/Instructional Technologies

Administrative Technology Workgroup

Information Security Policy

Project

Administrative Technology Workgroup

Surveyed all departments

Identified systems that process data

Created comprehensive systems list

Diagrammed system and data overviews

Once background work was completed, workgroup evolved into Data Committee

Committee work began before the Eight Schools initiative, but helped to identify

information security needs and to inform the process for Hotchkiss

Application List

Responsibilities for Information Security Project

There is no dedicated information security officer

Information Technology Governance CouncilSchool leaders and IT Director

General IT governance and strategic oversight

Information Security Steering CommitteeCFO, Dean of Faculty, HR Director, IT Operations

Manager, IT Director

Provides oversight for this process

ResponsibilitiesData Committee

Moving forward with recommendations from Administrative Technology Workgroup

Oversee identification and classification of data

Key role in rollout of information security policies

HR Director and Dean of Faculty

Communicate and enforce policies with Staff and Faculty

IT Department

Implementation of technology solutions

ProcessKick-off call with Information Security

Steering CommitteeFishNet overview

Review charter

Discuss site visit and responsibilities

Charter reviewSteering committee

Key members of ITS and other departments

ProcessGathered and shared existing policies

and documentation

FishNet site visitInformation gathering and discussion of the

processMet with several groups of stakeholders

Alumni and Development Information Technology Health Services Business Office Data Committee

AdmissionsHuman ResourcesCommunicationsSecurityDeans

Process

FishNet creates draft policies, solicits feedback per schedule

IT Director shares preliminary policies among groups as appropriate and seeks feedback

Feedback communicated via Eight Schools SharePoint Site and weekly status calls

Implementation

IT will address technical aspects, but this is more than an IT initiative

CFO will address Business Office requirements

Human Resources will address components, and communicate policies to Staff

Dean of Faculty will address components and communicate policies to Faculty

Some ChallengesEnlisting Involvement outside of IT – “It’s an

IT issue.”

Consistency of Eight School policies with existing Hotchkiss policies (Red Flag, AUP, etc.)

Differing timelines and priorities among Eight Schools

Information overload and implementation concerns

Large number of drafts to review (charter, policies)

Sixteen policies to implement; some may already exist, many do not

Summary

Technology Planning process was critical for Hotchkiss

Responsibilities are distributed

Implementation may be intimidating, but will be achieved methodically

Consortium work added tremendous value to policy development process

There are challenges, but the process is valuable and the

policies are essential