Skip to main content

BYUH Information Security Documents

CES SECURITY PROGRAM & CES SECURITY OPERATIONS CENTER CHARTER

This document describes The Church Educational System (CES) Information Security Program and the CES Security Operations Center (SOC) Charter. Specifically, it includes an overview of the purpose, personnel, responsibilities, and measurements used within CES Information Security. It also outlines how the CES SOC interacts with the BYUH campus.

INFORMATION SECURITY PROGRAM

The Information Security Program describes Brigham Young University-Hawaii’s general approach to protecting nonpublic institutional data in support of university policy. The primary objectives of the program are to 1) provide reasonable assurance nonpublic university information will be protected from unauthorized access, use, modification, or disclosure; and 2) comply with applicable state and federal laws and contractual agreements.

MAJOR INFORMATION SECURITY INCIDENT PROCESS

This incident response plan (IRP) outlines procedures related to a major information security event involving confidential or highly confidential (sensitive) institutional and personal data maintained in any form by Brigham Young University-Hawaii. While each information security incident has unique aspects, this plan gives the Incident Response Team (IRT) overall guidelines for its responsibilities and actions.

INFORMATION TECHNOLOGY SECURITY COUNCIL

The Information Technology Security Council (ITSC) is established to ensure that the University’s information assets and technologies are adequately protected against threats, vulnerabilities, and misconfigurations in conjunction with the CES Security Operations Center (CES SOC). They work to assess, measure, prioritize, report, mitigate, and resolve IT security risk.

GLBA SAFEGUARDS ELEMENT 3

Description of how the University is meeting the controls identified in Element 3 of the Gramm-Leech-Bliley Act (GLBA) Safeguards rule.

VENDOR SECURITY RISK ASSESSMENT

Process for completing the assessment described in section 3.4 of the Data Use, Privacy, and Security Policy.