1. Information Security Program Program Elements Administration and Oversight Information Security Council Getting Started – Next Steps Logistics

2. Information Security Program Umbrella framework for the ongoing stewardship of personal information, risk management and compliance efforts Developed in order to comply with stated or implied mandates as specified by multiple legal statutes, regulations, executive orders and contractual agreements Incorporates recommendations from the Commonwealth of Massachusetts Office of the State Auditor Formally establishes information security as an institutional priority and a shared responsibility among all academic departments, administrative offices and third party service providers Establish and maintain ongoing practices that mitigate potential financial, legal, operational, and/or reputational consequences of a security breach, system failure, and non-compliance

3. Program Elements Records Management Access Controls Technical and Operational Safeguards Procurement Standards Workforce Hiring and Ongoing Training Risk Management Incident Response

4. Program Administration & Oversight President’s Council (joint oversight of institutional provisions) Information Security Council*(implements, reviews and updates the Program with input and involvement from relevant administrative offices, academic departments and third party service providers) Vice Presidents (ensure appropriate and auditable information security controls implemented within division and job descriptions include individual responsibilities related to information security) Cross Functional Administrative and Student InformationManagement Team (develops, recommends, and implements approved policies that support broad institutional commitment to stewardship of institutional data) Data Incident Response Team (determines what follow-up may be required in response to any major or significant incident that warrants investigation including triage, escalation, and/or notification)

5. Information Security Council Develop action plans based on third party risk assessments, compliance audits and applicable mandates Provide relevant administrative offices and academic departments with support and guidance Ensure that general awareness and training is made available Identify and address (accept, mitigate or transfer) reasonably foreseeable internal and external risks to the security of protected information and systems Evaluate the effectiveness of safeguards for controlling these risks Regularly monitor and evaluate the effectiveness of applied aspects of the Program at least annually, or whenever there is a material change in administrative practices and/or academic programs that may have implications for the security or integrity of PI

6. So Where Do We Start? Develop and/or Update Policies Develop and Rollout Annual Awareness and Training Implement an Identity Management Solution Complete Remaining Payment Card Industry Data Security Standard (PCI DSS) Remediation Complete Annual PCI DSS Risk Assessment and Attestation of Compliance

7. Policies Records Management Online Identity Management* Data Stewardship Security Breach Response Plan* Payment Processing

8. Awareness and Training Increase Awareness - Students Inform and Build Knowledge – Faculty and Staff* Application of Knowledge – Faculty and Staff Master Concepts, Rules and Regulations – Faculty and Staff

9. PCI DSS Remediation (Complete by March 31st) Documentation of Policies and Procedures Awareness and Training Administration of Access Privileges Implementation of Technical and Operational Safeguards Develop and Communicate Incident Response Plan for Suspected or Actual Security Breach

10. PCI DSS Compliance (Complete by April 30th) Lighthouse Audit (Begins April 1st and Ends April 30th) Documentation of Policies and Procedures Documentation of Payment Processing Environment Network Scanning and Vulnerability Test Results Interviews Walkthroughs Third Party Certifications of Compliance Self-Assessment Questionnaire and Attestation of Compliance

11. Logistics Scheduling of Meetings Collaboration Outside of Meetings Gathering Input from the Community Communicating Out to the Community