Information Security Office

The Office of Information Technology Information Security Office leads a robust cybersecurity program to support the university mission of research, teaching and outreach, and securely enable faculty, student and administrative needs. This includes support for university IT compliance efforts across regulatory and contractual agreements including GLBA, HIPAA, FERPA, PCI, NIST 800-171, CMMC, NSPM-33 and others.

Contact

The U of I Information Security Office and security program is overseen by Chief Information Security Officer Mitch Parks (CISSP) since 2014. This includes designation as the qualified individual per GLBA 16 CFR 314.4(a), and HIPAA Security Officer per 45 CFR 164.308.

• For general security assistance or consultation, including research cyber support request service.
• To report an IT security incident or threat, email security@uidaho.edu or report problem.
• To report a suspicious or malicious email, use the “Report Phish” button in Outlook.

Key program elements

• Annual security awareness training and monthly phish training for all employees, and supplemental cybersecurity training for select groups.
• Annual Risk Assessment and testing processes to identify and prioritize remediation for reasonably foreseeable internal and external risks to the security, confidentiality and integrity of university data.
• Data Classification program, per APM 30.11 to track and apply appropriate controls based on data classification and risk.
• Initial and periodic assessment of service providers through Vendor Security Assessments.
• Implementing the incident response plan including tools, services and timely response and recovery from any material security events, as authorized by APM 30.14, Cyber Incident Response and Reporting.
• Implement policies, standards and procedures to enable ongoing success of the security program and all compliance goals.
• Facilitate the creation, tracking and auditing of individual System Security Plans (SSPs) when required for specific compliant systems or enclaves.
• Review and approve secure IT architectures, including required processes, safeguards, controls and mitigations to meet security and compliance requirements.

This security program is implementing controls and is monitoring for finalization of technical standards related to NSPM-33 cybersecurity requirements. See also:

• NSPM-33 FAQ for department grant administrators
• Export Control and related training
• University international travel
• Effective in 2022, Insider Threat training was incorporated into all employee cybersecurity training requirements. Additional relevant training is available through the Office of Research Assurances

Information Security Advisory Board

The Information Security Advisory Board (ISAB), a component of university IT governance, was formed to help advocate for improved security and identify IT Security issues to be addressed across the institution. The ISAB advises the Information Security office on strategies, priorities, potential impacts and effective methods of communication for OIT plans for improving IT security. ISAB meets monthly.