Statement
Keeping security in mind for the lifecycle of all services ensures systems and data are accessible, trustworthy and protected from unauthorized access and use.
Rationale
- Higher education institutions will continue to be targeted by sophisticated malicious actors in the cybersecurity threat landscape.
- Security measures help minimize risk and reduce the likelihood of adverse events involving unauthorized access and use of systems and data that could have financial, safety, legal, and reputational impacts.
- We are required to comply with existing laws and regulations that mandate safeguarding the security and privacy of data.
- Secure services are available services, reducing the negative impact to the teaching, learning, and research mission caused by compromised systems.
- CU-provided IT resources must protect University data and set a model for adhering to policies and best practices.
Implications
- Unforeseen investment of resources (time, money, and staff) may be necessary to implement foundational security controls based on the risk assessment.
- Balancing the open sharing and release of information against the need to restrict the availability of sensitive information is nuanced, and both sides must be considered in decision making. Resources available to help navigate these decisions include the relevant data steward(s), the Data Governance Council, and the OIT security team.
- Services without proper security safeguards may be removed from production until appropriate measures are in place, which could have business impacts.
- Security should be considered ‘early and often’. At inception and as any requirements change or come to light throughout a project or initiative, security checks ensure that appropriate controls are selected and implemented.