RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From:
Laurie Sletten <[log in to unmask]>
Reply To:
Records Management Program <[log in to unmask]>
Date:
Wed, 13 May 2015 22:14:49 +0000
Content-Type:
text/plain
Parts/Attachments:
text/plain (116 lines)
FYI,
Laurie

From: Robert Smith
Sent: Wednesday, May 13, 2015 3:10 PM
To: Robert Smith
Cc: David Rusting
Subject: RE: IS-3 Update Milestone Copy - updated version - Section 9 and Section 1.3

Hello ITPS Members, HIPAA Officers and ITSECPolicy Group,

Ros - please forward to the Privacy Officers - thank you.
Laurie - please forward to the Record Managers - thank you.

A work group made important changes in Section 9 - Access Control.  This led to some alignment changes in Section 1.3 - Scope.  We wanted you to have these changes.  There are other small changes too, but largely administrative.

If you have already started with the Monday version, it's fine.  Please continue.  If you have not started, please use the attached version.

Comments are requested on or before May 26, end-of-the day.

Thank you!

Have a delightful day,

Robert Smith
IT Policy Director
(510) 541-8103
[log in to unmask]<mailto:[log in to unmask]>


From: Robert Smith
Sent: Monday, May 11, 2015 3:49 PM
To: Robert Smith
Cc: David Rusting
Subject: IS-3 Update Milestone Copy

Hello ITPS, HIPAA-Officers and Privacy Officers,

Happy Monday!  I hope you had a great weekend.

Here is the milestone draft of the IS-3 update both in Word and PDF versions.  The next major update will be sent out on May 28.  We would like your actionable comments on content(*) by May 26th - end of the day.  HIPAA and Privacy - we know this is your first formal look.  Also attached is the current question log - it provides some good background and a list of what's pending if you would like to weigh in.

Some highlights in this version:

1.      If you read the early versions true to the ISO outline, Sections 1 to 6 are completely re-organized to make the ISO material related to ISMP, Risk Management and Policy framing more readable.  In general it aligns with other new UC policies in format/organization.  The pre-amble is still there - we may or may not leave this in.  We separated requirements in their own sections 5 and 6 - so Sections 5 to 18 are now policy requirements.

2.      Many sections are shorter - thank you to the editors and collaborators!  We removed ISO introduced redundancy.

3.      Institutional Information Classification (Data - Confidentiality) AND IT Resource (Availability/Protection) classification are now proposed in one table with two independent ratings.

4.      There is now one role and responsibility table vs. the old two.

5.      The most important open question (or set of questions) hangs on these points:

a.      How much goes into policy and how much goes into standards or other supporting documents

b.      Right now we have one policy and 8 standards (listed below my signature)

        i.      To cover a particular topic you would need 1 - 4 documents in front of you.

c.       If we pull policy statements out then we could need 6 or even eight documents per topic.

        i.      Example: Adding a system - IS-3, Min Sec Standard, Risk Management Standard

d.      We need to balance moving material out to new documents and understandability.  The goal is some common understanding about how easy it is to present this to the user and system owner community.

e.      Related to this balancing act - Sections 8, 9, 12 and 13 are most relevant.

6.      Completed a basic compare to the current IS-3, PCI DSS 3.0 requirements and HIPAA implied and express requirements under the security rule - primarily looking for missing policy - this yielded some additions.

7.      A great deal of editing was done by a small and very dedicated group - thank you!

8.      "Objective:" statements are from ISO 2700X and the plan is to remove them.  Text in []s is for your information or to remind those working on the document of some key point.  It will be removed in the next version.

The 28th of May version goes to ITLC!  It is very important to review this version of document in the next 10 (ten) business days!

Please send me your actionable feedback/edits or contact me.  We continue work ad-hoc, planned 1:1, in small groups and based on submitted changes or questions.

We would like it by the end of Tuesday, 5/26/2015, so it can be reviewed and included in the next draft.  Early responses are greatly appreciated and I will send out updates if major progressions occur.

Have a splendid day,

Robert Smith, CISSP, PMP
IT Policy Director
Information Technology Services
University of California Office of the President
(510) 541-8103
[log in to unmask]<mailto:[log in to unmask]>

(*) - we are not worried about formatting, pagination or numbering right now.  We are working in Google Docs and it is primarily a collaboration tool.  Google Docs is weak in formatting and numbering, so those refinements will come later.


1. Minimum security standard - ITPS

2. Software Development Standard - EA

3. Password Management Standard - ITPS

4. Securing Software Standard - EA

5. Test Data Standard - EA

6. Security Incident Response Standard - ITPS

7. Data Classification Standard - ITPS

8. Risk Management Standard




List archives at http://lists.ufl.edu/archives/recmgmt-l.html